Cybersecurity blog header

Ransomware or how to lose the company in a few hours

ransomware attack

The ability of cybercriminals to compromise the security and structures of all types of companies is increasingly sophisticated and effective. Cybercrime moves today more than 10 billion dollars a year globally

In just over 120 minutes, a lifetime’s work could be ruined. Literally. Losing control of the company, the business, all the information and systems essential to sustain the organization. Attacks with ransomware, programs that hijack data and restrict access to corporate computer systems, have become one of the most lucrative businesses of this era. Groups such as Ryuk, Clop, Conti, Ragnar or the recently disappeared Maze are behind a phenomenon that, according to the consulting firm CyberSecurity Ventures, cost more than 10 billion dollars to companies from all types of sectors and origins. No joke. This is ransomware, or how to lose the company in a few hours.

Because this is, surely, the last great news related to this world as dark as unforgiving. The sophistication which cybercriminals behave. If until not long ago a ransomware attack could take days to deploy, over the past year, corporate hijackings were performed in two or five hours (see these assaults here: ransom two hoursransom five hours).

They are effective. A lot of. As much as diligent. The cliché that says bad guys don’t rest is also valid for the digital universe. Perhaps much more. Over the last few years, cybercriminals have created increasingly hierarchical and compartmentalized structures to force companies to pay. Structures that, in their operations, are assimilated to drug trafficking or organized crime organizations.

Each part of the structure will do its homework. All with a common goal: extortion. There are actors in the Dark Web who even claim to keep a 24/7 chat active to attend to their victims at any time and day of the week. A kind of Seven Eleven of cybercrime. Seeing is believing!

But how does ransomware work? The dynamics of the attacks are almost always the same. Cybercriminals and ransom that will wreak havoc change, but rarely the modus operandi. There are three steps that are repeated over and over again: landing, extraction, and hijacking.

Many routes of entry

First step will be to access the company’s systems. An email that deceives a worker, a malicious download file, a pendrive without any protection, a server with a dangerous back door… There are so many entry ways that any businessperson who reads this article should take note.

Once inside, it will be time for the extraction. Undermine as much information from the company as possible to compromise its viability. On the Dark Web it is not difficult to find pages of cyber criminals in which they boast of their exploits stealing data: 50 gigabytes from a network of hospitals, 40 from an automotive company, 15 from a ironworks industry…

The future of entire organizations, and by extension of hundreds of families, controlled by bad guys.

It is common for these attacks to reach the domain controller. The epitome of these crimes. From that server, the ransomware groups manage to get hold of all the company’s information. Absolutely all. The nightmare of any entrepreneur.

With his goal under his arm, it will be the turn of the denouement: unleash the ransomware. This malicious code will encrypt the systems and data of the company (the density of attack will depend on the level of cybersecurity of each organization), so the victim will lose any possibility of control of the hijacked part of the business.

Can you imagine the helplessness of coming to work one morning and finding that a crucial part of your life has been completely taken away from you? How to lose the company in a few hours? The most critical stage will then begin. A negotiation that can decide the future of many people.

Most frequent is the kidnappers activate a temporary counter fixing the ransom price: 25.000 euros if you pay before 48 hours, 50.000 if it exceeds that time… The amounts will vary depending on the volume of data stolen and the size of the company attacked.

Always under the threat of not returning that information or, what is worse, spreading it. This is what is known as double extortion. The reputational and strategic cost can lead to ruin. Can you imagine what it would mean for all product, customer, supplier or patent information to end up by competitors?

Doomed to closure

That’s why the vast majority of companies pay. Still, the damage can be irreversible. The National Cybersecurity Institute (INCIBE) maintains that 67% of cyber-attacked companies shut down after six months.

So is. An ransomware episode has a devastating potential. And, far from diminishing, the threats don’t stop growing. In the last quarter of 2020, the daily average of attacks tripled compared to the previous year. Malicious code like Ryuk is estimated to attack about 20 organizations per week.

Chance? Absolutely not. The pandemic have acellerated the digitalization needs of thounsand companies. A perfect breeding ground for cybercriminals. More victims and more vulnerabilities. If you add sophistication vector, the bad guys’ ability to deploy ransomware in just a few hours, equation is complete.

Los daños causados por un ataque con ransomware pueden ser irreversibles

There are no detailed figures on the economic impact of these Trojans, partly because most attacks don’t transcend, but approximations that have been made to date show a juicy cyber extortion industry. And yes, it is very likely that the figure of 10 billion dolars annually that we gave you at the beginning of this article is now history.

What is known is that the average cost of the ransom for a ransomware attack rose above 111.000 dolars in the first quarter of last year, an 33% increase from 2019. Cryptocurrencies are usually the most common payment method in a world that moves through darkness. A trip to hell that any company can face off.

At this point, the central question is undestanding how to avoid this path of thorns. Are there a way? Definitely. Are they effective? Of course. But it’s time to take the plunge. And statistics are not particularly flattering for companies: a Google report warns that 20% of Spanish SMEs have a family member or friend in charge of Systems Department.

Most of them lack cibersecurity advanced knowledge. Big mistake. Placing someone with no specific training in charge of this service is like putting a family doctor to operate on angioblastoma.

Doom will almost certainly be waiting for you around the corner.

Cybersecurity is becoming a more complex area that requires specific professionals. They are the ones who know how to deal with ransomware threats. And there is no magic recipe to contain an enemy that does not rest, but there is a roadmap with two commandments: prevent and prepare for the worst.

Hunting the hostile actor

First one is quickly synthesized. Hire Red Team services to discover vulnerabilities in the organization’s systems, raise awareness and train employees on the threats that can hide in any seemingly innocent email or have Threat-tunting services to determine if there is any hostile actor within the organization can help a lot on the road to prevention.

Of course, if you can’t contract these services, or if you’re a small business or individual, don’t even think about setting up your backup strategy on DropBox or a USB stick. If you do, don’t put your hands on your head afterward. Will have played with fire.

Second step is even easier to understanding: any day, yes, any day, it can be your turn. There are so many threats on the Internet and it’s so difficult to contain them. Then… let’s be prepared. How? Compartmentalizing networks and systems, preventing bad guys from moving free through your networks.

This is how you can minimize the damage if one day you suffer a ransomware attack.

If you are not clear on what is at stake, please listen to us. Read the post title again: Ransomware, or how to lose the company in a few hours. It’s not an hyperbole. Absolutely not. It is the pure and hard reality.

Discover our work and cybersecurity services at www.tarlogic.com