You have probably read or seen a news story involving ransomware in Portugal in recent years.
Ransomware is one of the world's most urgent cyber threats: the malware hijacks the files of people and companies until a payment is made to get them back!
I will share with you some shocking facts that give an idea of the seriousness of the problem we face:
- The global costs associated with recovering from ransomware attacks in 2021 alone are estimated to have exceeded $20 billion;
- Ransomware attacks are growing 14% globally, year over year;
- The incidence of ransomware attacks in Portugal increased 13% in 2022 alone;
- And on the list that no country wants to top, Portugal is the 31st most affected country by ransomware attacks worldwide!
But what is Ransomware?
Ransomware is malicious software, deployed by cybercriminals for the purpose of extortion. When a system is attacked, this software encrypts files or locks the victim's device...
...or, even worse, adds the theft of confidential company information!
Having hijacked the device, the criminals blackmail their victims and demand a certain amount of money in exchange for decrypting the locked files. Hard to understand?
So that you do not finish this article without knowing what the word ransomware means, we asked our commercial director to explain the concept as simply as possible:
One point cannot be repeated enough: it is true that the cybercriminal demands a ransom in cash or cryptocurrency, but there is no guarantee that paying will get your files back!
For this reason, more than in any other period in history, it is important that people and companies adopt a preventive posture in the face of the escalation of this threat.
How does ransomware infection occur?
Malicious software introduced to a device through a ransomware attack can give the cybercriminal access to multiple systems in an organization...
...and this "highway" can be opened in many different ways!
Typically, infections start with messages sent via social networks or with emails carrying links or booby-trapped attachments, such as PDFs or Word documents.
This is the usual sequence of the crime:
Remember that a simple email can contain an infected attachment or a malicious link that directs the user to download a corrupted file. If the recipient does not identify the threat in time, the ransomware is downloaded onto their device!
Take extra care when surfing the Internet: especially on the desktop, it is common to be attacked by pop-ups that automatically open on the screen, presenting fraudulent promotions or advertisements. Often these are part of a ransomware phishing scheme!
The difference between ransomware and other malicious software is that ransomware encrypts the data and files on the attacked device. In this context, encrypting means making access possible only by using a decryption key.
It is at this stage that the cybercriminal establishes contact with the victim and demands a ransom in exchange for the "key" that restores access to the encrypted data and files. How does the cybercriminal establish contact with the victim?
Remember that the ransom demand can take many forms, but two are by far the most common in a ransomware attack:
- A message displayed on the victim's screen;
- A text file dropped into each encrypted directory.
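As an added defender-side example, not part of the original article: a scan that looks for the second trace described above (the same note file dropped into many directories) alongside neighbouring files whose bytes have the near-maximal entropy typical of encrypted data. The note file name, the thresholds and the sample directory tree are constructed assumptions, not indicators from any real strain.

```python
# Added example (not from the original article): scan a tree for an identical small .txt
# file replicated into >= MIN_DIRS directories (the dropped ransom note) and for files whose
# first 4 KiB have >= ENTROPY_THRESHOLD bits/byte (ciphertext-like). Thresholds are assumptions.
import hashlib, math, os, random, tempfile
from collections import Counter, defaultdict

ENTROPY_THRESHOLD = 7.5  # plain text sits around 4-5 bits/byte; ciphertext approaches 8
MIN_DIRS = 3             # the same note in this many directories is the replication signal

def shannon_entropy(data: bytes) -> float:
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def scan_tree(root: str) -> dict:
    """Return {'notes': replicated note paths, 'encrypted': high-entropy file paths}."""
    by_hash = defaultdict(list)  # sha256 of a small .txt file -> every path holding it
    high_entropy = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as f:
                head = f.read(4096)
            if name.lower().endswith(".txt") and len(head) < 4096:
                by_hash[hashlib.sha256(head).hexdigest()].append(path)
            elif shannon_entropy(head) >= ENTROPY_THRESHOLD:
                high_entropy.append(path)
    notes = []
    for paths in by_hash.values():
        if len({os.path.dirname(p) for p in paths}) >= MIN_DIRS:
            notes.extend(paths)
    return {"notes": sorted(notes), "encrypted": sorted(high_entropy)}

def build_sample_tree() -> str:
    """Constructed sample: three folders, each with the same note and one pseudo-ciphertext file."""
    root = tempfile.mkdtemp()
    note = b"YOUR FILES ARE ENCRYPTED. Contact us to obtain the key.\n"  # constructed wording
    rng = random.Random(7)  # deterministic stand-in for ciphertext; nothing is really encrypted
    for folder in ("docs", "finance", "hr"):
        os.makedirs(os.path.join(root, folder))
        with open(os.path.join(root, folder, "README_RESTORE.txt"), "wb") as f:
            f.write(note)
        with open(os.path.join(root, folder, "report.xlsx.locked"), "wb") as f:
            f.write(bytes(rng.getrandbits(8) for _ in range(8192)))
    with open(os.path.join(root, "docs", "minutes.txt"), "wb") as f:
        f.write(b"ordinary meeting minutes\n")  # benign text file present only once
    return root
```

Running `scan_tree(build_sample_tree())` flags the three note copies and the three high-entropy files while ignoring the single benign text file; in a real investigation the replicated-note hash is what you would search for across other hosts.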
I cannot stress this enough: you should not pay the ransom after a ransomware attack. There is no guarantee that you will get your files back, and you will be strengthening these organized crime networks!
Ransomware cases end up pouring millions of euros into the criminals' accounts. To get a sense of scale, groups like Lapsus$ are known worldwide for the number of attacks they have carried out to date!
For all these reasons, it is important that business owners are prepared to recognize this type of malicious software and prevent future damage. How? In the next chapter we will look at the various types of ransomware that are known.
Ransomware: What Types Exist?
Send an email to your employees with this information. The three main types of ransomware with a severity ranging from moderate to dangerous are:
Scareware is a type of attack that uses rogue security software and offers fake technical support. If the computer is infected with some type of scareware, the user receives pop-up messages informing them that a virus has been detected on the system...
...and that the way to eliminate it is through a payment!
The pop-ups keep bombarding the user until this software is removed from the system. The problem is less common on Apple systems, although it also happens there. This is what a scareware ransomware attack looks like:
Sometimes the cybercriminal opts for a more drastic strategy and blocks the user's access to their own computer from the outset. This practice is known as screen-locking ransomware.
The case of the attack on the Expresso newspaper in Portugal was such an attack; but for further clarification let's look at another example:
- When starting the device, the user is confronted with an image bearing the seal of the justice department of some country;
- This image accuses the user of some illegal activity;
- And it warns the user that, in order to regain access to the computer, a fine must be paid for that illegal activity!
This is a typical example of screen-locking ransomware. But remember: judicial authorities never contact citizens in this way. When they need to, they use the appropriate legal channels provided by law.
Encrypting ransomware blocks access to the files on the victim's computer through encryption and demands a ransom to restore that access. This is the most common form of ransomware attack.
There is no software capable of bringing back encrypted files in general, but sometimes decryption keys for particular strains are made public and incorporated into the major anti-virus products on the market.
Since the word "encrypt" can sound complex, we asked our founder Nuno Diniz to explain how the encryption process works and what solutions exist after the damage is done:
Now that you recognize the main forms of ransomware, it's time to find out what kind of companies are on the cybercriminals' radar and what level of protection is best suited for your industry.
Who are the targets of ransomware?
When this type of cybercrime first emerged in the late 1980s, the victims were ordinary users, or what we call in computing individual systems. But with practice, criminals realized that they could extend their attack radius to businesses...
...and the idea was so successful that today it is at companies that they direct most of their attacks!
I will give you a practical idea of the serious problem that ransomware represents for companies today, especially in Portugal:
- In 2017, Malwarebytes conducted a worldwide survey showing that 35% of small and medium-sized businesses had already suffered a ransomware attack;
- At the beginning of the pandemic, with the spread of COVID-19 and the forced move of companies to remote work, there was a sharp 39% increase in the spread of ransomware across several business sectors!
Some industries are more affected than others, and you can find out if your industry is one of the cybercriminals' preferred targets in the following chart:
Corporations suffer the most from ransomware attacks. This type of organization depends on data to operate and to invoice, and when faced with long periods without access to these databases...
...it is easily tempted to meet ransom demands for absurd amounts of money in exchange for (possibly) regaining access to the encrypted data!
Another aspect you can see in the chart is that municipalities and health institutions are also preferred targets. This trend has been confirmed in Portugal: CTT, EMEL, INEM, TAP and several public hospitals were among the institutions attacked in the last year alone!
But what should you do in case of an attack?
We know that every situation has its own specifics, but there are six important steps you should follow if you are a victim of a ransomware attack:
- I cannot stress this enough: do not pay the ransom demanded by the cybercriminals. This recommendation is so important that it is even endorsed by the FBI;
- Keep stakeholders informed: employees, suppliers, customers and the board of directors. They can make the problem worse if they are not aware that they are being targeted;
- Stop data transmission from the attacked device: disconnect the computer from the network and from any other equipment it may be connected to;
- Reset all passwords on company devices that were not infected and that were not connected to the breached network at the time of the attack. Credentials for other machines may be stored on the compromised system;
- Identify the type of ransomware you were hit by and report the incident to law enforcement. Remember that, in Portugal, the Judicial Police already has a department dedicated to cybercrime;
- Contact your IT partner to confirm whether there is public information that allows your files to be decrypted. Your partner can (and should) restore and/or update programs, software and processes that may be corrupted or have vulnerabilities!
Naturally, after the harm has been done, you must think about how to ensure that the problem does not happen again. And for this there is only one word: prevention.
Our suggestion is that before any investment in computer security, you should ensure that all employees are knowledgeable about good security practices. The numbers speak for themselves:
- An HP Inc. study points to a 238% increase in the volume of global cyberattacks during the pandemic;
- Almost 85% of data breaches involve deceiving your employees, not technical attacks on the system's code!
Given the sharp increase in the number of cyber-attacks registered in recent months, Morebiz is holding a cybersecurity training course for all its clients. You can request yours for free at this link: informatica.morebiz.pt/interpol-alerta-quiz
If you came to this article because you have suffered an attack and urgently need to resolve it, you can skip the next chapter. Our team wrote it just so you can learn more about the origins of ransomware.
The origins of ransomware
Embark on a journey into the past and learn about the major phases of ransomware evolution throughout history.
For the more curious: this type of cybercrime emerged in the late 1980s and became known as PC Cyborg or AIDS. The process was innovative, to say the least: after the computer was infected and rebooted 90 times (!), the user was required to enter a license...
...and that license could only be obtained by sending $189 through the traditional mail! Take a look at what this threat looked like in the early days of its existence:
Almost two decades later, a new evolution of the threat emerged, GpCode, which used nothing more than encryption to hijack victims' personal data...
...and this was the basis of what we now know as traditional ransomware!
It was at this point that a new type of malicious software appeared: Winlock which, instead of encrypting files, blocked users' access to their computers. How exactly?
The answer is simple and will shock you: the malware took control of the screen, displayed pornographic images, and demanded a ransom from the victim via SMS for the lock (and those images) to disappear from the screen!
Five years later, what became known as government ransomware appeared. As in a traditional attack, the victim was unable to access their computer, and a message bearing the symbols of government institutions was displayed on the screen.
The cybercriminal would then impersonate a state agency, inform the user that there was a conviction for committing a crime, and inform the user that a fine between $100 and $3,000 was required. The result?
The user, unfamiliar with this practice, was at a loss as to how to act and ended up paying the ransom - often because of the social embarrassment he felt in front of family and friends who watched his computer in this situation.
And here we come to the era of the notorious CryptoLocker: a type of ransomware that encrypts files using keys held on a remote server. This strain was so powerful that it took a global government task force to take it down!
A year after its emergence, this type of malware and other similar families appeared on a large scale on mobile devices as well. How?
The malware arrived through malicious apps, and the way to regain access to the device was to restart the phone in safe mode and delete the infected app.
Finally came KeRanger, the first ransomware for Apple systems. With it, the device was infected silently for about three days until the malware manifested itself and encrypted the system's files.
Typically, the infection came from downloading software called Transmission, a legitimate BitTorrent client, whose original installer had been replaced by a tampered one carrying the malware.
In the meantime, Apple released an update that prevents the infection, so nowadays this kind of ransomware is no longer a problem for users. Still, if you are using a very old version and your system is affected, this is where the files are hosted:
Of course, there have been numerous ransomware strains not covered in this article. But the scandal of the attack on North American newspapers with the Ryuk virus about four years ago deserves a prominent place in our timeline. Why?
It perfectly symbolizes the change in strategy, on the part of cybercriminals, who have started attacking more and more institutions critical to the functioning of society.
In this case, the problem reached such a scale that Times employees even had to hand-carry the pages from the newsroom to the printing presses. This is what the warning that the newspapers received after being attacked looked like:
There are thousands of different strains coming from the four corners of the planet. There are reports of viruses from Iran and of malware from Russia. But the truth is that threats to the smooth running of your company arrive, and will continue to arrive, from all over the world.
The advice of an organization like ours, which has been operating in this field for over 16 years, is prevention and training all employees in good cybersecurity practices. Sounds cliché? Yes, but that is the most common difference between companies that have been attacked and those that have never suffered an attack!
Remember: our company can help you with the IT protection of your business critical data and equipment. It's simple: schedule a free 30-minute meeting with one of our experts now!