The ransomware attack of May 12, recognized as one of the biggest attacks ever carried out, caught the attention of the whole world. Information systems of companies and public services, such as the São Paulo Court of Justice, the São Paulo Public Prosecution Service, INSS, England's National Health Service, Telefónica, KPMG, MAPFRE, BBVA and thousands of companies worldwide, were among those left inaccessible.
How it all started...
Ransomware can come in many forms. In this specific attack, international hackers exploited a vulnerability in old, unpatched versions of Microsoft Windows. Microsoft had fixed the vulnerability in its latest operating systems in March and, on the 12th, released fixes for older versions of Windows. Estimates suggest that the attack affected more than 200,000 computers in at least 150 countries.
The hackers used tools belonging to the United States National Security Agency (NSA), causing major problems in various public services and companies. However, what really caught attention was that, if this flaw had been fixed in March, the affected computers had not been kept up to date, as security guidelines require.
The ransomware, called Wannacrypt, hijacked and encrypted the data of infected machines, which in this case were those without recent operating system updates. After this hijacking, the victims were instructed to pay approximately $300 (about $1,000 at the current rate) in order to recover the encrypted files.
Since payment has to be made in Bitcoin, a virtual currency that lets criminals create as many wallets (repositories that store virtual money) as they wish in order to receive the demanded amount without being identified, it is recommended not to pay the requested amounts, as there is no guarantee that the data will be recovered.
Who stopped the attack?
Still on Friday (the 12th), the day the attacks reached their "peak", a 22-year-old British researcher and a US information security engineer stopped the attacks, preventing them from spreading to other countries. The Briton, who works at a threat intelligence company, deactivated Wannacrypt after discovering a domain (internet address) associated with the propagation of the malware.
Before going on to infect more computers, the virus checked whether this site was online or not. The young man bought the domain for the equivalent of $33. The possibility that he was involved in the ransomware attacks was even raised, but it was later understood that he had activated a kill switch (a stop mechanism) in the Wannacrypt propagation process.
However, there is concern about computers on internal networks that were disconnected from the internet at the moment the kill switch was activated, where the virus can continue spreading. In addition, versions without the online check may also circulate, perpetuating this ransomware cycle.
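The concern above (an infected host that cannot reach the kill-switch site keeps spreading) is something a defender can look for in DNS logs. The following is an added example, not code from the original article: it triages constructed DNS query lines for hosts that looked up a kill-switch domain and ranks first those whose lookups all failed. The domain name, the log format and the sample lines are all assumed for the example.

```python
# Added example, not from the original article: triage constructed DNS logs
# for hosts that looked up a ransomware kill-switch domain. Any lookup means
# the malware ran on that host; a host whose lookups all failed (e.g. no
# internet access) is worse, since the kill switch never engaged there.
import re
from collections import defaultdict

KILL_SWITCH_DOMAIN = "killswitch.example"  # hypothetical placeholder name

# Constructed sample lines: "<time> <client_ip> <query> <result>"
SAMPLE_LOG = """\
2017-05-12T10:01:03 10.0.0.12 killswitch.example NOERROR
2017-05-12T10:01:05 10.0.0.12 update.vendor.example NOERROR
2017-05-12T10:02:17 10.0.0.44 killswitch.example SERVFAIL
2017-05-12T10:02:19 10.0.0.44 killswitch.example TIMEOUT
2017-05-12T10:03:40 10.0.0.71 KILLSWITCH.EXAMPLE. NOERROR
2017-05-12T10:04:02 10.0.0.90 intranet.corp.example NOERROR
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")

def normalize(name):
    # DNS names are case-insensitive and may carry a trailing dot
    return name.lower().rstrip(".")

def parse_line(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # skip malformed lines instead of aborting the triage
    ts, client, qname, rcode = m.groups()
    return {"ts": ts, "client": client, "qname": normalize(qname), "rcode": rcode}

def triage(log_text, domain=KILL_SWITCH_DOMAIN):
    """Map client IP -> 'resolved' or 'unresolved' for every host that
    queried the kill-switch domain; 'unresolved' = all attempts failed."""
    codes_by_host = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["qname"] == normalize(domain):
            codes_by_host[rec["client"]].add(rec["rcode"])
    return {ip: ("resolved" if "NOERROR" in codes else "unresolved")
            for ip, codes in codes_by_host.items()}

def priority_hosts(log_text, domain=KILL_SWITCH_DOMAIN):
    """Hosts to isolate first: infected and never reached the kill switch."""
    return sorted(ip for ip, s in triage(log_text, domain).items()
                  if s == "unresolved")
```

Every host listed by `triage` should be treated as infected; `priority_hosts` only orders the isolation work.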
But after all, what is ransomware?
Ransomware is a type of digital threat that blocks access to your files and data and demands payment of a ransom to unlock them. It is a form of extortion through data hijacking. It is not new to the technology world, having first appeared in the 1980s, but today this type of virtual crime is on the rise and is one of criminals' favorite methods, because it is lucrative and, above all, usually lets them remain anonymous.
However, even before this attack, which scared many people and shook public servants, companies and public agencies, the importance of maintaining data security to avoid further trouble was already being discussed. This shows that, beyond Brazil, many countries still pay little attention to security and protection against cybercrime.
It is important that there be greater interest in technology education, whether through research, security content or even a document explaining the importance of using the internet correctly and safely.
Given the growth in the number of ransomware-related incidents, it is important that companies and their employees and managers are informed about the impact caused by this type of threat, so that they truly value the organization's data and information.
How the attack occurs
A ransomware attack can start in different ways: through fake phishing emails, update failures and other means. Often, when the attack happens through a fake email, the content induces the user to click on a link, which delivers the malicious software. The ransomware, once downloaded and installed without the user noticing, encrypts the files on the computer and on the network, provided that the user has access to them.
This encryption process scrambles the contents of the files, making them useless; only with the correct key can the files be reverted to their original state. At some point the ransomware leaves an indication of how to contact the criminal. A text file on the desktop or a wallpaper with a message, for example, may contain an email address and contact instructions for negotiating the ransom.
According to a Grant Thornton survey on cybercrime, 21% of the companies consulted in 36 countries suffered some kind of attack in the last 12 months; in Latin America, 39% of virtual crimes against companies are related to theft or loss of strategic information.
The survey also shows that the number of companies impacted rose from 15% to 21% compared to the survey conducted the previous year. Despite the larger number affected, the damage caused by attacks decreased compared to 2015, when losses were estimated at $315 billion.
Measures to prevent ransomware
The main ways to avoid ransomware attacks come down to a few simple information security principles.
- Beware of fake emails and websites: Users should be educated about their responsibility for company data and information. This includes knowing and understanding the risks to which they expose data when clicking on an email link or visiting a site without paying attention to the origin of the email, the site's address and its authenticity.
- Software updates: It is important to keep the operating system and the other software packages on the equipment up to date. Updates include various fixes and improvements related to information security, which, as seen earlier, are very relevant to avoiding attacks like the ones that happened.
- Antivirus: Especially on Windows computers and servers, it is essential to use good antivirus software, kept updated and configured to perform periodic scans of the whole system.
- Internet access control: Protection mechanisms against access to malicious websites are increasingly important. In companies, this type of control makes it possible to define which user groups have access to which types of websites, thus avoiding both the use of websites unrelated to work and access to addresses with harmful content. With this tool, the administrator protects the network from the sites used in attacks and malware propagation.
- Access permissions: In many small and medium businesses, this item is left aside. However, it is important to check the level of access that each user or user group needs to shared files, for example, so that no access is granted beyond what is necessary. If a user group only needs to view certain files, and not modify them, it should have read-only access.
Situation after a ransomware attack
Some types of ransomware have already been decoded, and compromised files can be recovered with tools built for this purpose, such as those provided by Kaspersky in its Ransomware Decryptor. However, there is also ransomware whose encryption remains impossible to reverse without the hijacker's cooperation.
The main measure that will solve the problem and ensure business continuity after a ransomware attack is something that must be implemented and operating before the attack: the backup.
It never hurts to remember the importance of having a reliable backup from which important data can be recovered after any incident. The main way to solve the problem after ransomware blocks data is to restore that data from backup.
The backup strategy should be implemented so that a safety copy is kept in a location separate from the original data. That is, one should not keep the only backup on an additional disk connected to the same server.
If the safety copy is made on an additional disk that is constantly connected to the server or network where the original data resides, in the specific case of ransomware it is possible that the backup files will also be blocked at the time of the attack, rendering the backup useless. It is important to have a safety copy in a place that is physically and logically separate from the original location.
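Two checks follow from the paragraphs above: whether the backup copy still matches what was backed up, and whether the backup location is writable from the production host (a permanently connected disk is). The following is an added example, not code from the original article: it records a hash manifest at backup time, kept outside the backup directory, and later verifies the copy against it. The directory layout and file contents are constructed for the demo.

```python
# Added example, not from the original article: verify a backup copy against
# a hash manifest written at backup time and kept elsewhere. Files whose
# hashes no longer match were altered after the backup was taken (what
# ransomware does to a copy on a permanently connected disk). A backup
# location writable from this host is flagged too: whatever runs here can
# reach it. Paths and file contents below are constructed.
import hashlib, json, os, tempfile

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def write_manifest(backup_dir, manifest_path):
    """Record relative path -> sha256 for every file in the backup."""
    manifest = {}
    for root, _, files in os.walk(backup_dir):
        for name in files:
            full = os.path.join(root, name)
            manifest[os.path.relpath(full, backup_dir)] = sha256_of(full)
    with open(manifest_path, "w") as f:
        json.dump(manifest, f)
    return manifest

def verify_backup(backup_dir, manifest_path):
    """Return (sorted list of modified or missing files, backup_is_writable)."""
    with open(manifest_path) as f:
        manifest = json.load(f)
    bad = []
    for rel, digest in manifest.items():
        full = os.path.join(backup_dir, rel)
        if not os.path.isfile(full) or sha256_of(full) != digest:
            bad.append(rel)
    return sorted(bad), os.access(backup_dir, os.W_OK)

def demo():
    """Constructed scenario: one backup file is overwritten after the manifest."""
    work = tempfile.mkdtemp()
    backup = os.path.join(work, "backup"); os.makedirs(backup)
    manifest = os.path.join(work, "manifest.json")  # kept outside backup dir
    for name, data in (("a.docx", b"quarterly report"), ("b.xlsx", b"ledger")):
        with open(os.path.join(backup, name), "wb") as f:
            f.write(data)
    write_manifest(backup, manifest)
    with open(os.path.join(backup, "a.docx"), "wb") as f:
        f.write(b"\x00tampered copy")  # simulates a copy altered after backup
    return verify_backup(backup, manifest)
```

On a copy kept on a read-only or detached medium, the second value is expected to be `False`; `True` here is the "always connected disk" case the text warns about.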
Criminal groups that carry out ransomware attacks suggest that, after your files are blocked, you contact them to pay the ransom and have the data released afterwards. However, the risk of negotiating or paying the ransom must be weighed, given that there is no guarantee of data recovery.
Monitoring and maintaining security is essential to avoid attacks and to prepare in advance for business continuity after an incident such as the one that happened in more than 150 countries.