Ransomware attack: how it spreads and how to protect yourself

Cyber attacks are growing in quantity and severity

As stated in the Clusit 2022 Report, 2021 was the worst year ever recorded. Overall, the world’s serious cyber attacks increased by 10% compared to the previous year. Of the attacks detected, 79% had a “high” impact (compared to 50% the previous year), while those with “medium” and “low” impact decreased. The increase in frequency and severity has brought the estimated damage to $ 6 trillion for 2021 (from $ 1 trillion estimated for 2020).

The year 2022 began with a war that is being fought not only on geographic territory, but also in cyber space. We can therefore only foresee further complications with regard to IT security for the current year and for the future ones.

Given these premises, it is important to understand which are the main attacks that companies and individuals are most likely to suffer and how to defend ourselves.

The main attack technique: Ransomware

The Clusit 2022 Report reconfirms Malware – and in particular Ransomware – the preferred techniques of cyber criminals. They account for over 40% of the attack techniques used. Ransomware is a Malware that prevents the victim from accessing their data and threatens to publish or delete them if a ransom is not paid.

The idea of infecting a PC to encrypt the data inside and ask for a ransom dates back to 1989. The biologist Joseph Popp spread the AIDS Trojan which, after encrypting files on hard disk, displayed a message to inform the victim that a hypothetical software had an expired license and was asking to pay $ 189 to unlock the system.

But the attack that made the Ransomware technique known to the whole world was WannaCry. In May 2017, over 230,000 computers in nearly 100 countries were infected and blocked. WannaCry spread via a Windows vulnerability in the handling of the SMB protocol, related to file exchange over the network. The bug in question was called EternalBlue and is thought to have been developed by the NSA and then stolen by a group of hackers called “The Shadow Brokers”.

How it spreads

Although WannaCry did not spread via an email message, most Ransomware attacks start with an email message that carries a virus. These emails may contain a link to a website controlled by an attacker where the user unintentionally downloads the virus. Other times the email contains a malicious attachment which, once opened by the user, downloads the virus on the computer.

How cybercriminals work

The task of the virus is to give criminals access to the system. In this way they can study their victim individually and then determine which type of Ransomware is most appropriate to carry out. Based on the size of the victim – or his ability to pay a more or less high ransom – they decide how to intervene:

• Automatic mode: the virus that has already infected the victim’s PC downloads a software that automatically encrypts the data. A message is then displayed with the cost of the ransom.
• Manually: if the data is large and valuable, the attackers take steps to take a copy out of the company (exfiltrate it). Then they disable or delete the backups and conclude by encrypting the victim’s remaining data or deleting it directly. The only way to recover the data is through the copy that the attackers took outside the perimeter (by paying a ransom).
• An advanced version of the Ransomware attacks also consists in a prolonged stay of criminals within the victim’s systems. In this way they can steal information for a long period of time.
• The payment of the ransom is in some cases asked to prevent the dissemination of stolen data. Attackers, who have previously performed the exfiltration, may threaten to disclose confidential and / or sensitive data. See the attack on the Italian SIAE which, having chosen not to pay, saw its data made public.

What are the tools and techniques to defend against a Ransomware attack?

There is no single tool but a series of techniques and technologies to avoid risk as much as possible. We mention a few:

• A backup system that makes the data unchangeable and / or stored outside the company.
• A Firewall system to protect the perimeter of the company capable of detecting any anomalous outbound traffic.
• A software that protects all devices used by users (Endpoint Protection).
• A good Email Security system to protect corporate email accounts.
• Make users aware of the risk through a training course.

For the management of your business emails we suggest evaluating the services offered by Qboxmail

Qboxmail is a cloud business email management service that provides a suite of complete tools to manage emails anywhere. It includes an advanced Email Security system and Mail Time Machine, the automatic backup service.

For more information contact us, we will be happy to explain our services in detail.

If you want to take advantage of the free trial of all our services
for 30 days sign up here

Clusit, has been founded in 2000 at the Computer Science Department of the University of Milan. It is the largest and most authoritative Italian association in the field of information security. Today it represents over 600 organizations, belonging to all sectors of the Country-System. Qboxmail has been a partner since 2021. More information on clusit.it.