Ransomware - the dark side of the internet


The Internet has two faces. One is the bright one, the daily use of its resources by millions of people for entertainment and work. The other is the dark one, which we deal with every day but are most often not aware of. We mean the phenomenon of ransomware.

When you write about the dark side of the internet, many negative associations come to mind. One example is a common phenomenon in the use of e-mail: the deliberate delivery of spam, i.e. unsolicited messages, to e-mail inboxes. However, the main dark side of the internet is cybercrime, in other words the threats to which computers connected to the global network are exposed every day. Cybercrime covers a wide range of external factors to which we are exposed when surfing the web. Many people use some type of security and have anti-virus software installed on their computer. This minimum level of security does not protect against 100% of the attack methods encountered today. However, having an antivirus, even a free one, is an absolute must. Computer viruses are one of the best-known threats, but unfortunately not the only one at the moment.

Ransomware - an online form of crime

From the very beginning, the Internet posed a threat to the functioning of the computers connected to it. Various types of hackers have outdone each other in attack methods, "releasing" increasingly sophisticated viruses, Trojans and other types of malware onto the market. On the other hand, this was accompanied by the need for defence, in the form of the first Internet Security systems, the main component of which were anti-virus programs.

The fact is that the first computer viruses did not wreak much havoc, and on a scale comparable to today's attacks they were something of an innocent prank. The most common events at that time were blocking a program, freezing the computer, its sudden shutdown and many similar effects. Over time, criminals became more and more "advanced", hitting their victims more and more severely. Viruses appeared that damaged files, deleted the contents of floppy disks or hard disks, or damaged or permanently blocked the operating system in a way that required the system software to be reinstalled, etc. As the Internet developed and its use grew, blocking or deleting files was no longer what mattered. New generations of threats emerged: espionage, data theft, breaking into company systems, taking over remote control of computers without the owners' knowledge. This is currently the most desirable area for cybercriminals and the face of today's threats. Software generally defined as malicious now includes spyware, adware, malware, Trojans and exploits alongside viruses, and ransomware attacks are at the top of this list today.

Reason? Always the same - money

We must be aware that criminals operating on the Internet today are not playing pranks for the sake of bragging or vain fame. The scale of attacks has only one fundamental dimension, and that is money. The real income generated by the attacks for criminal groups is in the millions of dollars. One has to realize that an attack on a computer system, for example in a company, is today not carried out by one person but by a structure similar to a mafia organization. The cybermafia is a huge and very serious problem, and not only on the business scale of, for example, large companies. They pose a real threat to the functioning of states, attacking the most important elements of their systems, such as the energy, telecommunications and financial sectors, mainly banks. They are also an important link in so-called information warfare. The conflicts in Ukraine and the war with the Islamic State proved this irrefutably. The use of disinformation methods has been an important factor in the stakeholders' game of winning supporters. The cybermafia is well prepared: its ranks include not only skilled programmers but also psychologists, social media specialists and experts in other fields. For what? When preparing an attack, criminal groups analyze the environment very thoroughly; they learn a lot about the organization, including its internal structure and the people responsible for specific functions in the company, e.g. members of the board, chief managers, or people responsible for finances, such as the chief accountant. When preparing a ransomware attack, the weakest link is exploited. Unfortunately, that is still the human. People are always the greatest concern of any security system, because the security of corporate resources depends on their behavior.

We effectively lower the level of security ourselves, mainly by making our lives easier. We use various websites where we leave, for example, our logins and passwords, without trying to make them sophisticated or complicated. What's more, to remember them, we write them down on cards or, for example, on the phone. The smartphone has become the confidant of our secrets; we save notes and information about, for example, logging into bank accounts. Unfortunately, logins and passwords to websites are a tasty morsel. Many people use the same password in different places. In this way, the leak of one password may give the attacker access to other services. Mobile devices, unfortunately, lead the way in the number of intrusions and information thefts, although most incidents still take place on desktop computers.

Ransomware's biggest challenge

The tip of the iceberg in the scale of threats is currently ransomware, which most security experts call the greatest risk and challenge for security specialists. What does an attack that poses such a threat look like? The result is the encryption of resources on the corporate drives of the company's computers. The biggest problem is its scale, because all the most important types of corporate files, such as documents, photos, scans, audio files, video files, etc., are encrypted. In a word, all kinds of documentation that we most often deal with in a business environment. Can the encrypted files be recovered somehow? Yes, there are two possibilities. We can read them if we have a backup, i.e. a data backup from servers that store backup copies of the documentation. If we do not have a backup, there is a second method: we will recover the files if we pay the ransom.

How does a ransomware attack proceed?

The course of the attack can be described as follows. Malware must run on your computer for it to be encrypted or locked. E-mail is most often used to distribute the malicious code. An e-mail, usually with very innocent and non-suspicious content, such as an energy bill or a mobile phone bill, contains an attachment that looks like a typical document, such as a spreadsheet or a PDF file. It can also be an archive or another file type. Another method is to use a redirect link, also sent via e-mail, to another website infected with the code. Opening the attachment or clicking on the redirect link infects our computer and, consequently, begins the process of encrypting or blocking files. The program then places a note on the computer with instructions on what to do to recover the files. Usually, the criminals ask for money to be transferred to an electronic bank account and in return promise to provide a key and instructions on how to decrypt the data. The latest version of ransomware, called Jigsaw, goes even further. The files are encrypted, and the message informs us that if the ransom is not paid, they will be permanently deleted from the computer. To back up the threat, from time to time a certain batch of data is permanently deleted. Even paying the fee will not restore files that have already been deleted. This is meant to lend credence to the hackers' determination and to speed up the decision to pay the ransom.

How to Avoid Ransomware Attacks?

The worst thing about ransomware attacks is the lack of any warning that an attack is happening. Unfortunately, most antivirus programs, even paid ones, still have a problem with early detection of malicious code. By the time we find out about the attack, the files on the disks are already encrypted. Secondly, the attack and payment of the ransom do not protect us from another such incident. There is a known case of a hospital that was attacked three times by ransomware, paying a ransom of several dozen thousand euros each time. How can you avoid this threat? By applying the principle of limited trust and common sense. For example, if we receive an e-mail that we have suspicions about, we should not open it right away. Let's check where it was sent from, e.g. from what domain. For an electricity bill, the sender's domain should come from Poland. Often, criminals use various types of automatic translation programs to prepare the content of the letter. If typical stylistic or linguistic mistakes appear in the content, it should increase our vigilance.
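The two checks the paragraph recommends, the sender's domain and the attachment type of a "bill" e-mail, as an added triage example that is not part of the original article. The message, addresses and domains below are constructed placeholders; the expected top-level domain (.pl) follows the article's electricity-bill case and is a parameter.

```python
"""Triage a suspicious 'bill' e-mail: sender domain and attachment type.

Added example (not the article's code). Sample message and all addresses
are constructed placeholders.
"""
import email
from email import policy
from email.message import EmailMessage

# Constructed lure: an "energy invoice" sent from a non-Polish domain with an
# archive attachment (base64 body is an empty zip, content is irrelevant here).
SAMPLE_EMAIL = b"""From: "Faktura" <billing@energy-invoice.example.com>
To: accounting@company.example
Subject: Faktura za energie 03/2024
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset=utf-8

Please find your invoice attached.
--b1
Content-Type: application/zip; name="faktura.zip"
Content-Disposition: attachment; filename="faktura.zip"
Content-Transfer-Encoding: base64

UEsFBgAAAAAAAAAAAAAAAAAAAAAAAA==
--b1--
"""

# Attachment types the article names as lures (archives) plus common executables
# and macro-enabled documents; a PDF or plain spreadsheet is not flagged by type.
RISKY_SUFFIXES = {".zip", ".rar", ".7z", ".js", ".exe", ".scr", ".docm", ".xlsm"}


def sender_domain(msg: EmailMessage) -> str:
    """Lower-cased domain of the first address in the From header."""
    addr = msg["From"].addresses[0].addr_spec if msg["From"] else ""
    return addr.rsplit("@", 1)[-1].lower()


def triage(raw: bytes, expected_tld: str = ".pl") -> dict:
    """Parse a raw e-mail and report why it looks suspicious, if at all."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    domain = sender_domain(msg)
    names = [p.get_filename() or "" for p in msg.iter_attachments()]
    reasons = []
    if not domain.endswith(expected_tld):
        reasons.append(f"sender domain '{domain}' is not under {expected_tld}")
    for name in names:
        suffix = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if suffix in RISKY_SUFFIXES:
            reasons.append(f"attachment '{name}' has risky type {suffix}")
    return {"domain": domain, "attachments": names,
            "suspicious": bool(reasons), "reasons": reasons}
```

A message failing either check should be held for verification with the supposed sender over a known-good channel, not opened.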