Numerous ransomware incidents and recent security vulnerabilities like Log4j present us with seemingly insurmountable challenges. But are these obstacles really insurmountable?
At the end of last year, we wrote a blog post about the similarities between ransomware and the coronavirus, and about the effects of hacker attacks. There we covered the most common cyber attacks and their impact on social life, on supply chains and on different industries.
In this article, we explain what ransomware is all about, how hackers work, what makes this type of encryption so dangerous, and how you can prepare for an emergency.
Cyber criminals today have a variety of ways to harm businesses. In addition to spying on computer systems and networks for (economic) espionage and the targeted overloading of services so that they can no longer be used, there are also attacks using so-called ransomware. These are attacks on the data of companies or organizations in which the computer systems are encrypted so that the victim can then be blackmailed. After successfully encrypting the data, the attackers contact the victim and demand a ransom. If the victim decides to pay the ransom, the extortionists will give them a tool to decrypt the data. Often the blackmailers copy some or all of a victim’s data and threaten to release sensitive or important information (e.g. financial data, construction plans, recipes or source code) in order to put additional pressure on the victim.
An attack with ransomware is usually a long-planned cyber attack that takes place in several phases.
- Scouting: gathering information about the “victim”
- Gaining access (“initial access”)
- Extension of rights or creation of additional users with privileged rights
- Use of the acquired rights (encryption)
- Ransom demand
Before the actual attack, the attackers must identify suitable companies as targets. In this phase, the structure of the company is analyzed. Information about locations and organizational structures can often be found on the company’s website. Business figures in the form of reports can also be viewed on the website or in the Federal Gazette. From this, and from advertised job profiles, the attackers can draw conclusions about how much was spent on security systems (and when), and about which security systems are actually in use. Finally, the information collected is summarized and the expected effort of an attack is evaluated.
Based on the information obtained, the attackers choose from different attack options in order to gain access to the potential victim’s network. For this purpose they use, among other things, phishing emails or social engineering to obtain access data from employees, or they exploit known vulnerabilities in IT systems, such as the current Log4j vulnerability. Either way, the attackers end up with valid user accounts and access rights, which they use to load additional software onto the compromised systems for the further attack.
In the third phase, the attackers try to extend the rights of their hijacked user accounts and/or create additional users with privileged rights, as well as scan the network for sensitive and important data.
Once the attackers have access to sensitive and important data or to the entire network, they can start encrypting it. First, however, the data identified earlier is often copied out of the internal network. This is done over a period of time so as not to arouse suspicion. Only once the data has been completely copied does the encryption begin.
The attackers then contact the victim and demand a ransom. In return, the victim receives a tool to decrypt the data and the captured data is not published.
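The slow copying described above is exactly what a per-day volume alert misses, so a defender wants a rule that looks at cumulative outbound volume per host and destination over a longer window. The following Python script is an added example, not code from the original article or from CONTECHNET; the log format (`timestamp host destination bytes_out`), the hostnames, the addresses and the thresholds are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in a hypothetical "timestamp host destination bytes_out"
# format: one file server quietly pushes roughly 500 MB a night to a single external
# address for eight nights, while a workstation does one large but ordinary transfer.
SAMPLE_LOG = """\
2022-01-10T02:15:00 fileserver01 203.0.113.7 480000000
2022-01-11T02:20:00 fileserver01 203.0.113.7 510000000
2022-01-12T02:10:00 fileserver01 203.0.113.7 495000000
2022-01-13T02:25:00 fileserver01 203.0.113.7 520000000
2022-01-14T02:05:00 fileserver01 203.0.113.7 470000000
2022-01-15T02:30:00 fileserver01 203.0.113.7 505000000
2022-01-16T02:15:00 fileserver01 203.0.113.7 490000000
2022-01-17T02:20:00 fileserver01 203.0.113.7 515000000
2022-01-12T09:00:00 ws-042 198.51.100.20 900000000
2022-01-13T09:05:00 ws-042 198.51.100.20 2000000
"""

# Assumed thresholds: a naive per-day rule (1 GB per host/destination and day)
# and the cumulative rule this example adds (3 GB within any 7-day window).
DAILY_LIMIT = 1_000_000_000
WINDOW_DAYS = 7
WINDOW_LIMIT = 3_000_000_000


def parse_log(text):
    """Yield (day, host, dst, bytes) tuples from the constructed log format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, dst, nbytes = line.split()
        yield datetime.fromisoformat(ts).date(), host, dst, int(nbytes)


def daily_totals(records):
    """Sum outbound bytes per (host, dst) pair per calendar day."""
    totals = defaultdict(lambda: defaultdict(int))
    for day, host, dst, nbytes in records:
        totals[(host, dst)][day] += nbytes
    return totals


def find_slow_exfil(text, window_days=WINDOW_DAYS,
                    daily_limit=DAILY_LIMIT, window_limit=WINDOW_LIMIT):
    """Return (host, dst, window_end, total_bytes) for pairs that never exceed
    daily_limit on any single day but exceed window_limit in a trailing window,
    i.e. transfers that a per-day rule alone would have waved through."""
    hits = []
    for (host, dst), per_day in daily_totals(parse_log(text)).items():
        days = sorted(per_day)
        # Pairs that already trip the per-day rule are left to that rule.
        if any(per_day[d] > daily_limit for d in days):
            continue
        for end in days:
            start = end - timedelta(days=window_days - 1)
            total = sum(b for d, b in per_day.items() if start <= d <= end)
            if total > window_limit:
                hits.append((host, dst, end, total))
                break  # one alert per pair is enough
    return hits


if __name__ == "__main__":
    for host, dst, end, total in find_slow_exfil(SAMPLE_LOG):
        print(f"{host} -> {dst}: {total / 1e9:.2f} GB in the "
              f"{WINDOW_DAYS} days ending {end}")
```

On the constructed sample, the workstation's single 900 MB transfer stays under both limits, while the file server's nightly 500 MB uploads cross 3 GB in the window ending 16 January even though no single night was remarkable. In a real environment the thresholds would be derived from each host's own baseline rather than fixed constants, and the destination would be enriched with reputation data before an alert is raised.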
Cases like these show once again that the success of every company depends largely on functioning business processes. It is often only in phases of crisis that it becomes apparent how resilient our processes and structures really are. Given the increasing number of ransomware incidents, preventive emergency planning is therefore essential!
Emergency planning provides measures and instructions for action so that a company can react in a structured manner in these crisis phases and quickly restore business operations. In this way, unnecessary costs and damage to reputation can be avoided and the specialist departments brought back into operation in a coordinated manner.
Jan Bartels, Information Security Consultant and Data Protection Officer at CONTECHNET Deutschland GmbH