Ransomware attack: how does it work?
Ransomware, called ransomgiciel in French, is malicious software. It blocks access to certain files — or downright to the computer — by encrypting them. To unlock them, the person whose computer is infected must pay a ransom. This cyberattack affects any company, administration and individuals.
Ransomware cyberattack: a bit of history
The ransomware attack is part of the malware family, just like worms, spyware or the Trojan horse. The origin of ransomware has its source in 1989. Named “AIDS Trojan”, the first ransomware was distributed by postal mail on thousands of floppy disks. Once inserted into the computer, the ransomware demanded US$189 to be mailed to Panama. At the time, the ransomware encrypted all files after 90 reboots.
It was in 2004 that the first modern ransomware was born. Called “GpCOde”, this used RSA encryption on the files. In 2007, “ WinLock ” was the first ransomware to lock the entire computer. Then, ransomware entered a new era in 2012, with the appearance of “ Reveton ”, an identity theft malware. In this case, the ransomware mimicked the FBI or Interpol site and asked victims to pay a fine for committing a computer crime.
Data encryption ransomware is still commonly used today. Hackers no longer hesitate to infect the computer systems of large companies in fields as diverse as the media, health or transport.
How a ransomware attack works
A ransomware attack occurs in several stages. First, the computer system is infected after opening an attachment from a fraudulent email. Sometimes the malware infects the computer from a compromised website.
Then, the malware takes control of the computer system. The files are gradually encrypted, the user can no longer access them. A notification appears on the screen to inform him of the presence of ransomware. The ransom amount (usually payable in bitcoins) and the payment process are detailed.
In case of paying the ransom, cyber criminals allow the victim to get back their system safe and sound. However, this is not guaranteed.
The different types of ransomware
There are currently three types of ransomware.
1. The “lockdown ransomware”. This malware blocks the access to the computer system. In English, this type of malware is called “ computer locker ”. The user can no longer use the computer and sees a message from the hacker on the screen. The latter clearly presents his intentions or pretends to be a legal authority to request the payment of a fine.
2. The “crypto ransomware”. This blocks and encrypts the data. This type of malware usually targets businesses. They access their computer system, see the pirated files, but cannot read them. Typically, cybercriminals use a countdown timer to get quick payment. They then threaten to disclose sensitive information or customer data.
3. “Scareware” or fake security software. In this case, the user is alerted to a security problem through a window that appears on the screen. If he clicks on the invitation to download the antivirus, it is actually malware that will hijack data from the computer system.
What are the hackers’ objectives during these cyberattacks?
Cybercriminals primarily seek to extort money from the victim. However, some attacks aim to damage a company’s computer system to cause it to suffer operating losses. Others wish to damage the image of the company by disclosing sensitive or compromising information.
Ransomware attack: why is this cyberattack the most frequent?
Over time, ransomware attacks have changed targets. From individuals, they have moved to companies, which are increasingly dependent on the digitization of their data.
Ransomware Attack: The Reasons for Success
Companies need to initiate a digital transformation. Time saving, better organization of data, simplified implementation of a logistics or commercial strategy, online sales… Digitization has become essential for any company wishing to progress in today’s world and that of tomorrow.
However, the budget allocated to cybersecurity does not match the digital transformation. Lack of qualified personnel, lack of employee vigilance, IT system security flaws: companies are vulnerable to the slightest cyberattack. The COVID-19 pandemic and the advent of remote working have only accelerated the pace of ransomware attacks.
You don’t need to be a hacker to launch a ransomware attack
The other reason for the increase in ransomware cyberattacks is the ease of launching an attack. Today, a cybercriminal with limited computer skills can hire a subcontractor on the darknet to craft malware. This software is called “Ransomware-as-a-service” (Raas).
Why is France one of the most affected countries?
The cybersecurity company Sophos conducted a survey for the year 2021, with 200 French companies. Figures show that 73% of French organizations have been affected by ransomware. In 2020, they were only 30%. While 78% of respondents restored their computer data, 34% paid the ransom. Too high a figure, which favors hackers in their choice to target French companies. Especially since those who chose to pay only recovered 45% of their data.
According to ANSSI (the National Agency for Information Systems Security), ransomware attacks have increased by 255% in France in 2020.
What to do in the event of a cyberattack?
Cybercriminals hope to succeed based on the importance of the data held hostage and time. The longer the blockage lasts, the higher the financial losses are likely to be for the company. That is why many decide to pay the ransom without delay. However, this solution is far from the best. On the one hand, the risk of not having your data decrypted is quite significant. On the strength of their success, hackers could, on the other hand, repeat their maneuver to extract more money. Several actions must be implemented in order to circumvent a ransomware attack.
Isolate computer system
It is necessary to start by disconnecting the devices from the Internet network and the local network. Be careful not to turn off infected computers or delete emails and connection logs. They represent the evidence of the attack.
Communicate on the attack
All employees must quickly become aware of the existence of the attack. As well as potential customers, suppliers and partners who may potentially suffer. Then, the referring staff must contact their insurer if the company has subscribed to cyber insurance.
File a complaint with the authorities
The management must report the ransomware attack to the competent authorities, then declare to the CNIL the extent of the personal data affected.
The dedicated cybersecurity team can reformat affected workstations and servers, then restore data from a recent backup.
Ransomware attack: strengthen your cybersecurity
Cyber hackers constantly renew their action plans. The best way to avoid an attack and to protect yourself properly.
1. Make employees aware of the risks of phishing. Better trained, employees better spot scams and other potential attacks.
2. Securing its infrastructures. This requires building or strengthening a cybersecurity team. The latter must regularly check the updates, the settings and secure the authentication processes of the computer systems.
3. Back up your data. Frequent backup of the systems allows them to be restored to their original state without too much damage. Care must be taken to back up offline, disconnected from the rest of the infrastructure.
The Clop ransomware alone caused nearly $500 million in damages worldwide in 2019, notably blocking the Rouen University Hospital.