Ransomware: how to deal with hackers?

They attack networks and systems and ask you to pay to be able to recover everything they have locked up in “the safe”. But experts say handing over the ‘cheque’ is the last option

“In medieval times, in castles, invaders searched where mice entered to find holes and attack. Hackers do the same. They look for holes.” And these are often easy to find. The increasing spread of ransomware attacks (experts say there is not an increase, but rather “greater publicity” of these) is proof of this. Weaknesses in the networks and systems of several companies allowed hackers to enter, encrypt, destroy, block access and demand ransoms to restore everything as it was.

Porfírio Trincheiras, cybersecurity specialist at AtelierLógico, explains to CNN Portugal that after covid-19, “what was already a path of digitization, is now an accelerated path of digitization” and, therefore, “the crime that exists in society is moving to the Internet”.

“It’s like when someone kidnaps a person and demands a ransom. In ransomware, it’s exactly the same thing, except it’s not people, it’s data. As digitization progresses, the number of digital crimes ends up increasing; there is a transfer to the digital society,” he said.

A digital society that often ends up exposed without knowing how. The weaknesses of the systems have multiplied in the time of covid. There are more and more people online, working from home, often on family-shared computers, who unknowingly end up giving hackers a doorway into their employers.

“If I work on a shared computer at home, a computer where my son plays on more or less dubious sites, and then someone connects via VPN from that computer to the company server, there is a problem,” says one of the experts CNN Portugal spoke to, who spoke on condition of anonymity.

What is the motivation?

Porfírio Trincheiras is clear when the question is the motivation of those carrying out these attacks: “what we have seen in recent years is that the attacks are mainly ransomware, that is, they are mainly motivated by financial reasons, something that did not exist in the past”.

“The overwhelming majority of attacks are ransomware attacks. In other words, there is a financial incentive for the computer attack, and that naturally causes a greater intent to carry it out.”

But how are attacks normally carried out? And how do the attackers make money from them? If the cybersecurity experts contacted by CNN Portugal have their way, they don’t.

“After gaining entry, all data is encrypted with a key which only the attacker has and which he only returns in exchange for money, normally paid in the form of cryptocurrencies and, above all, in cryptocurrencies that cannot be traced. (…) I have never paid or even tried to contact [the hackers]”, Trincheiras assures.

Ricardo Negrão, specialist in the field of cyber-risk, is also peremptory: “1st recommendation, do not pay. 2nd recommendation, do not pay. 3rd recommendation, do not pay. Always do not pay”.

Why? “For two reasons. The first reason: 60% of businesses that paid did not get their data back; it didn’t work. 60% globally. They pay and either don’t get the data back or can’t prevent the data from being publicly disclosed. Second factor: if I pay, I fund this type of activity. At this point, there are already clear indications that attackers who carry out ransomware attacks demand ransoms in the amount of the insurance policy that the company has, because they know that up to that amount it can go; more than that, maybe not”.

And now?

But if we don’t pay, how are we going to get our data back? Professor António Pinto of the Escola Superior de Tecnologia e Gestão of the Polytechnic Institute of Porto explains that “we must resort to backups and have time”.

“Resetting the system takes time. There is no quick fix, whether you pay or not,” he explains in an interview with CNN Portugal, adding that to be able to reset the system it is necessary to have backups saved outside the network that was attacked and also to have a “safe” server where that backup can be restored.

Porfírio Trincheiras even says that it is “one of the most common mistakes of our companies: the system coexists in the same network”.

An expert contacted by CNN Portugal, who requested anonymity, says “resetting is not enough”. In addition to the backup, you also have to make sure that the “servers are sanitized” before doing anything.

“It is very important that, before people restore from backup, a forensic copy is made, that is, a copy of the places that are ‘infected’, in order to do an analysis. And only after making this copy can you start the reset process,” he explains, also specifying that one only “replaces the essential, the bare minimum, until it is known where things happened, in order to correct the vulnerability”.

Also because it is important to “make sure there is no other type of spyware or ransomware on the networks” that would leave the company in the hands of hackers in the future.

“It is not uncommon that, months after an unresolved attack, there are other types of attacks, financial fraud for example, and since the entry point is not patched, they are vulnerable to an attack of a different nature: theft of intellectual property or identity, or financial fraud”.

Is it possible to recover systems without paying?

Generally speaking, yes. And the experts contacted by CNN Portugal guarantee that this is how they managed to recover the companies that hired them after being invaded and locked out of the “castle”.

António Miguel Ferreira, general manager of Claranet, explains that requests for help usually arrive “within hours” and that availability must be “for immediate intervention”. Once the alert has sounded, it’s time to get to work to get everything back up and running.

“We are focused on recovering affected resources, platforms and applications and making them operational. And we are also focusing on post-attack analysis, in order to minimize the risk of companies finding themselves in situations similar to the attack in the future. Cybersecurity is a concern that must be present in the planning and processes of every company, and our role is to provide this support and the necessary skills”.

Contacting hackers is not an option for anyone working in this field because, as we said before, it does not guarantee that the attack will stop and the data will be restored.

“Our focus is the recovery of systems, by exclusively technical means and not within the framework of a negotiation. Of course, this recovery is all the easier when the company is better prepared. If the planning and necessary investments have been made in advance, recovery is possible, which reduces the risk and impact of possible attacks. When advance planning is neglected, the risk is high and the impact can be very significant. One cannot rely on luck alone,” adds the Claranet expert.

The AtelierLógico cybersecurity specialist also claims that recovering from backups is the method chosen by him, even if it takes time and requires controlled steps.

“I never paid or even tried to make contact. I always reset the system from backups and I was careful to check whether any personal data had been affected; I never had any instances where personal data was affected. What I had affected was accounts, usernames and passwords, and we immediately blocked all accounts and reactivated them as people showed up again. [The problem is that] you don’t know if you’ll get it back. Attempting to contact them for the key could get you caught. When you hand over the information because you have to pay, the money travels anonymously on the Internet, you never see it again and most likely you don’t get the key”, reiterates Porfírio Trincheiras.

Ransomware/Cybersecurity Dictionary

What is a ransomware attack?

Ransomware is a type of attack that encrypts the files the user has access to, using an asymmetric key. At the start of the process, the key capable of reversing the encryption is sent to the attacker, so only he can reverse it.

How is it carried out?

The first step is to gain access to the computer, or more generally the computer network, of the target entity. This access is normally achieved in one of two ways: by exploiting a security flaw in the attacked entity’s servers that are exposed to the Internet (web server, mail server or other), or via social engineering, which is in fact the most common route, in which a network user is tricked into activating malicious software, whether through a deceptive attachment, a link to a previously infected website or any other similar process.

How does it spread?

Once a computer is infected, the process of encrypting its files begins, while using that user’s access to infect the next computer.

How to identify if you are infected?

Usually the infection is detected by the presence of files with an extension appended to the original one, for example document.doc.ryk.

How is the ransom demanded?

In traditional ransomware cases, a file is usually left on the victim’s computer with the ransom note.
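The two indicators the dictionary describes, an extra extension appended to known file types (document.doc.ryk) and a ransom-note file left beside them, can be turned into a simple triage check. The example below is added here and is not code from the article or from any of the companies quoted; the file listing, the `.ryk` suffix and the note filename are constructed samples, and the extension and keyword lists are assumptions a defender would tune to their own environment.

```python
import os
from collections import Counter

# Constructed sample listing standing in for a walk of a file share (not real data).
SAMPLE_FILES = [
    "finance/budget.xlsx.ryk",
    "finance/invoice.pdf.ryk",
    "finance/README_TO_RESTORE.txt",
    "hr/contract.docx",
    "hr/photo.jpg",
    "shared/report.doc.ryk",
]

# Assumed set of extensions a normal user works with; tune per environment.
KNOWN_EXT = {".doc", ".docx", ".xls", ".xlsx", ".pdf", ".jpg", ".png", ".txt", ".pptx"}
# Assumed wording that ransom-note filenames commonly contain (heuristic).
NOTE_WORDS = ("readme", "decrypt", "recover", "restore", "how_to")

def has_appended_extension(path):
    """True when a known extension is followed by an unknown one, e.g. report.doc.ryk."""
    parts = os.path.basename(path).lower().split(".")
    if len(parts) < 3:
        return False
    original, appended = "." + parts[-2], "." + parts[-1]
    return original in KNOWN_EXT and appended not in KNOWN_EXT

def looks_like_ransom_note(path):
    """Plain-text file whose name carries typical ransom-note wording."""
    name = os.path.basename(path).lower()
    return name.endswith(".txt") and any(w in name for w in NOTE_WORDS)

def scan_tree(root):
    """Walk a real directory and return paths relative to root for triage()."""
    found = []
    for dirpath, _, filenames in os.walk(root):
        for f in filenames:
            found.append(os.path.relpath(os.path.join(dirpath, f), root))
    return found

def triage(paths):
    """Return (renamed-file count per directory, candidate ransom-note paths)."""
    renamed = Counter()
    notes = []
    for p in paths:
        if has_appended_extension(p):
            renamed[os.path.dirname(p)] += 1
        elif looks_like_ransom_note(p):
            notes.append(p)
    return renamed, notes

if __name__ == "__main__":
    counts, found_notes = triage(SAMPLE_FILES)
    print("renamed files per directory:", dict(counts))
    print("possible ransom notes:", found_notes)
```

Run `triage(scan_tree("/path/to/share"))` against a copy taken for forensic analysis rather than the live system, in line with the advice above to image first and reset afterwards.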
