Ransomware is a family of malware. It encrypts your data and holds it hostage, demanding a payment to restore access, and increasingly also threatens to publish the stolen information if you do not pay.
The cybersecurity news is full of it: here, ransomware reportedly hit the Ministry of Justice; there, the Dax hospital was paralysed by malware of the same type; elsewhere, local authorities are affected... Ransomware has topped the ranking of the most widespread cyberattack methods for several years. But how exactly does this kind of tool, which paralyses companies and health establishments alike, work?
What is ransomware?
There are different types of malicious software (malware). Spyware, for example, is used to spy; computer worms copy themselves to spread an infection extremely quickly from one computer to another; Trojan horses enter a system and wait to be activated before attacking from within.
Ransomware (rançongiciel in French) has the particularity of stealing and encrypting the targeted organization's data. This allows the attackers to demand a ransom from the victim, usually in cryptocurrency, in exchange for a decryption key. If the victim refuses, the attackers can threaten to make critical information public (personal data, confidential projects, source code, etc.).
What does a ransomware attack look like?
Most often, this type of malware reaches the victim through phishing (hameçonnage in French): a deceptive email is sent to the targeted organization and tricks the recipient into opening an attachment or downloading a file. When the person falls for it, the click actually starts the installation of the ransomware on their computer. From there, the malware is programmed to spread through the company's network and lock access to every computer and connected system it can reach.
This locking can be done in different ways: some ransomware encrypts the data it finds, making it unreadable until the attacker agrees to decrypt it; when the cryptography is implemented correctly, the files cannot be recovered without the attacker's key. Others lock the screen, often displaying a more or less intimidating message, to deny the victim access to their computer, phone or information system.
Who is attacking with ransomware?
In most cases, ransomware attacks are financially motivated. That means the perpetrators can be criminals of every size: for beginners or those with little time, there is now a "ransomware-as-a-service" market, which provides all the tools needed to mount an attack in exchange for a percentage of the proceeds. The most serious cases, however, are the work of organized groups. In a 2021 report, ENISA, the European Union Agency for Cybersecurity, notes that Conti, REvil/Sodinokibi (recently dismantled) and DarkSide (also dismantled) are the criminal organizations that have earned the most money with this type of malware.
Who is attacked?
Hospitals, businesses, local authorities... Overall, cyberattackers target organizations. "We tend to forget it, but individuals were heavily targeted until around 2015," says Gérôme Billois, Cybersecurity and Digital Trust Partner at Wavestone. At the time, you had to pay one, two or three hundred euros to unlock your computer. "Since then, cybercriminals have understood that the return on investment would be much greater on the professional side, so the threat has shifted." ENISA also points out that the ransoms demanded keep rising: in 2019 the highest was 15 million dollars; in 2020 that figure climbed to 30 million; and in 2021 the REvil group demanded 50 million dollars from Acer and then 70 million from Kaseya, hit a few months apart.
Should the ransom be paid?
In the panic of the moment, faced with locked screens, paying may seem tempting. The problem: there is no guarantee that the attackers will actually restore access to the data they encrypted. The risk is therefore adding a financial loss to the damage the attack has already caused. Besides, "whether you pay or not, the duration of crisis management will be essentially the same," says Gérôme Billois, "because once you receive the decryption key, if you receive it, you still have to apply it on every corrupted device. And nothing says you will get the information back in the state it was in just before the attack." The authorities therefore recommend not paying cyber ransoms and have set up a dedicated website to turn to in case of trouble.
How to protect against ransomware?
When they deliver ransomware by phishing, attackers rely on social engineering: they try to trick people into handing over access to their computer. Against this kind of tactic, the response most cybersecurity experts recommend is training: raising awareness of cybersecurity issues, communicating about the specific risks of emails, attachments and URLs, running phishing simulations, and so on.
In practical terms, data backup and duplication also matter. Keeping an up-to-date copy of your critical information makes it far less vulnerable to ransomware and lets you get back to work much faster, provided the copy is kept offline or otherwise out of the malware's reach (ransomware routinely encrypts or deletes any backup it can access) and provided restores are tested before they are needed. Another common recommendation is to avoid working from 'administrator' accounts, which have more system rights than 'user' accounts: if compromised, an administrator account gives the ransomware much wider access to corporate systems.
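As an added example (not code from the article), the following Python script ties together two points made above: encrypting ransomware leaves behind files that look like random data, and a backup is only useful if it captures the data before it was encrypted. It computes the Shannon entropy of a sample of each file in a tree, flags files that are either renamed with a ransomware-style extension or statistically indistinguishable from random bytes, and refuses to declare the tree "safe to back up" once too large a share of files is flagged. The suffix lists, the entropy threshold and the 20% ratio are illustrative assumptions, and the sample tree (ten small text reports, eight of which are overwritten with random bytes and renamed to simulate an attack) is constructed inline so the script runs offline.

```python
"""
Added example (not from the article): a heuristic check for ransomware-like
encryption of a file tree, meant to run before a backup job overwrites the
last good copy. Encrypted files look like random data (Shannon entropy close
to 8 bits per byte) and many families rename files with a new extension.
Thresholds and suffix lists below are illustrative assumptions.
"""
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Assumed: suffixes ransomware families commonly append (illustrative, not exhaustive).
SUSPICIOUS_SUFFIXES = {".locked", ".encrypted", ".crypt", ".enc"}
# Assumed: formats that are legitimately high-entropy (compressed or encrypted by design),
# skipped to avoid false positives.
HIGH_ENTROPY_OK = {".zip", ".gz", ".7z", ".png", ".jpg", ".pdf", ".mp4"}
ENTROPY_THRESHOLD = 7.2      # bits per byte; uniformly random bytes approach 8.0
MAX_SUSPICIOUS_RATIO = 0.2   # above this share of flagged files, do not overwrite the backup


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte of the given buffer (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(path: Path, sample_size: int = 4096) -> bool:
    """True if the file has a suspicious suffix or its first bytes look like random data."""
    suffix = path.suffix.lower()
    if suffix in SUSPICIOUS_SUFFIXES:
        return True
    if suffix in HIGH_ENTROPY_OK:
        return False
    with path.open("rb") as f:
        sample = f.read(sample_size)
    # Very small samples give noisy entropy estimates; treat them as not-encrypted.
    if len(sample) < 256:
        return False
    return shannon_entropy(sample) >= ENTROPY_THRESHOLD


def scan_tree(root: Path) -> dict:
    """Scan every regular file under root and decide whether the tree is safe to back up."""
    files = [p for p in root.rglob("*") if p.is_file()]
    flagged = [p for p in files if looks_encrypted(p)]
    ratio = len(flagged) / len(files) if files else 0.0
    return {
        "total": len(files),
        "flagged": len(flagged),
        "ratio": ratio,
        "safe_to_backup": ratio < MAX_SUSPICIOUS_RATIO,
        "flagged_paths": sorted(str(p.relative_to(root)) for p in flagged),
    }


def build_demo_tree(simulate_attack: bool) -> Path:
    """Constructed sample tree: ten plain-text reports. With simulate_attack=True, eight of
    them are overwritten with random bytes and renamed with a '.locked' suffix, mimicking
    what an encrypting ransomware leaves behind."""
    root = Path(tempfile.mkdtemp(prefix="rw_demo_"))
    for i in range(10):
        (root / f"report_{i}.txt").write_text(f"Quarterly report {i}\n" * 50)
    if simulate_attack:
        for i in range(8):
            p = root / f"report_{i}.txt"
            p.write_bytes(os.urandom(4096))
            p.rename(root / f"report_{i}.txt.locked")
    return root


if __name__ == "__main__":
    for attacked in (False, True):
        result = scan_tree(build_demo_tree(attacked))
        print(f"attack simulated={attacked}: {result['flagged']}/{result['total']} files "
              f"flagged, safe_to_backup={result['safe_to_backup']}")
```

The allowlist of compressed formats exists because entropy alone cannot tell an encrypted document from a JPEG; real endpoint detection adds further signals (rate of file rewrites, process lineage, ransom notes dropped in each directory). The useful lesson for the backup point is the gate: a job that copies whatever is on disk will happily replace the last clean copy with ciphertext, so the check must run before the overwrite, and the clean copy must live somewhere the malware cannot write.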