Cybermonth : The ransomware in 4 questions

Partager cet article

Ransomware, what is it?

The first ransomware dates back to 1989. While ransomware hit the headlines with the global computer disruptions of 2017 -Wannacry / NotPetya, it never happened with such frequency as we know it now in 2020.

In France, ransomware processed by the National Agency for Information Systems Security – ANSSI recorded an increase of 51% between 2019 (69 cases) and 2020 (104 cases between January and September). In addition, certain sectors of activity are particularly affected: health, local authorities and services in the top # 3 most affected.

A recently published report from the Digital Health Agency shows a significant increase of + 40% in ransomware attacks directed against healthcare establishments in France during the year 2019, it is recalled. This confirms the sector trend reported above.

In addition, the first week of confinement due to covid-19 reflects a significant increase of + 400% in this type of virus.

As the name suggests, ransomware or ransomware is a computer attack whose objective is to obtain the prior acquittal of a ransom by the victim, usually in exchange for a key to decrypt their personal data. or confidential documents, taken hostage by the attacker. ANSSI considers this type of attack to be the greatest scourge of the current years.

How it works ?

The most common vehicle ransomware exploits is corporate email. Typically, an employee at company headquarters opens an email and clicks on an infected attachment. Malicious code is activated. The virus will spread and be able to infect the entire computer network, thanks to the interplay between the networks.
But there are many other ransomware attack vectors:
- - - a simple navigation on a compromised website,
    - an enterprise software vulnerability that has not been updated (lack of security patch implementation, for example),
    - an internal threat caused by human error, for example the case of an infected employee’s USB key which allows the virus to circulate in the company’s information system,
    - indirect intrusion, for example by social engineering (the attacker masquerades as a company employee. He asks the victim if they can, for example, download and install a patch of software in common use in the company, which he has not managed to deploy remotely. Unfortunately, the employee complies and finds himself trapped, and at fault for having entered the malware into the company’s information system).

How is a ransomware computer attack characterized?

The singularity of this virus lies in its property of transversality. This type of attack quickly has a destabilizing effect in the company.

In fact, ransomware can shut down vital business communication functions such as: telephony, email or business applications. But also more seriously, to quickly cause disruptions in the supply chain or in the production of the whole company and not only that of an activity, a department or an entity of the company taken in isolation. NotPetya has managed to spread to millions of users, hundreds of thousands of computer systems and thousands of computer workstations around the world, it is recalled.

Unfortunately, neither the size nor the sector of activity of the company are criteria of exemption from this potential virality. The increasing professionalization of attackers illustrates this trend.

How to respond to ransomware in business? 8 things to do / 3 things not to do

Do

Isolate infected computers by disconnecting them from the computer network and the Internet;
Perform a complete system scan using previously updated antivirus;
Restore the information system to a date prior to that of the attack;
Immediately report to the IT department (or to the IT provider if this service is outsourced);
Identify the source of the infection;
Submit a complaint to your local police station or gendarmerie brigade;
Keep as much technical evidence as possible relating to the attack to facilitate investigative work;
Surround yourself well i.e. find technical assistance from qualified and referenced professionals (cybermalveillance.gouv.fr, ...);

Don't

What are the winning measures to minimize risk factors? 14 action plans that can be deployed before the attack is carried out

Have full visibility of all the major assets that make up the IT environment and have a risk map on these assets;
Always make sure to keep operating systems, antivirus software and all installed applications up to date;
Set up annual audits and intrusion tests (at a minimum);
Set up employee reaction tests in different risky situations (scripting);
Perform regular backups of the information system in the cloud to ensure the existence of a copy of the data;
Block peer-to-peer downloads;
Use complex passwords (generated by a password manager for example) and change them every 3 to 6 months;
Display file name extensions;
Educate users to change their habits: do not click to open malicious emails (unknown senders, unusual message subjects, ...);
Need to install a new app? download executable files from official sites;
Establish a control policy for external media that employees use on company workstations; limitation of the attribution of administrator accounts; Internet access control;
Develop a business continuity and even resilience strategy, implement and test it;
Anticipate a communication strategy in the event of a ransomware crisis
Without forgetting to analyze the opportunity to take out a cyber insurance policy

Founded in 2018, Alcees is a digital services company(dsc or esn in french) of French and European essence.100% cyber centric. Alcees offers communities ans public companies, banks, insurers, software publishers, healthcare operators, tailor-made consulting solutions to improve the performance of their operations and simplify their exposure to cyber risks through compliance with highest standards/norms and implementation of simple measures : technical, organizational, cognitive.