Run as hyper-efficient organizations and targeting every kind of computer network, ransomware attacks are expanding rapidly and becoming a major cause for concern. According to a Gartner study, 75% of all information systems will be subjected to one or more attacks between now and 2025. And where does the ERP stand in all of this?
Ransomware attacks have now entered another dimension. Last May, the giant Colonial Pipeline was the victim of an attack that blocked the supply of fuel to the entire East of the United States. With a daily volume equivalent to 2.5 million barrels, one understands the impact on this key artery for half of the American territory. To end this aggression, the Colonial Pipeline Group stated that it had been ransomed to the tune of 4.4 million dollars.
Recently, an attack on Kaseya, which provides, in particular, the VSA package for managing server networks, simultaneously impacted over 1,000 companies. Among these, a large supermarket chain in Sweden was forced to close its stores because its checkout stations were immobilized by the attack.
At the end of May, the American meat processor JBS acknowledged paying an 11 million dollar ransom in bitcoin to hackers.
The University of California San Francisco (UCSF), whose medical research center is working to find a treatment for Covid-19, paid a 1.14 million dollar ransom to attackers who had taken its servers hostage using the NetWalker ransomware. In summary, according to the cybersecurity firm Emsisoft, at least 18 billion dollars were paid to ransomware hackers last year alone! During this Covid-19 period, hospitals are easy prey for cybercriminals. Already under pressure, they are more inclined to pay ransoms to recover their information systems and their data, so that they can continue admitting patients and providing care under normal conditions without putting lives in danger. According to PwC, attacks against healthcare institutions throughout the world have jumped by over 500% within one year!
Principles of intrusion
Attacks generally begin with phishing or spear-phishing. These tactics are designed to capture remote access credentials or to activate malware (malicious software). The malware can be embedded in emails or downloaded and opened inadvertently. Often it is a RAT (Remote Administration Tool), used as a Trojan horse to move through the victim's network in search of valuable informational or operational data. This data is then encrypted so that it becomes unusable, and a ransom is demanded for its recovery.
To guarantee payment, hackers generally apply the principle of double extortion. This means that in addition to encrypting user data, they add the threat of exfiltrating that data and making it public.
Human error often plays a part in these successful attacks, whether it comes from a network administrator or a careless user, and whether it takes the form of poorly configured settings, a failure to correct vulnerabilities in an old system, or even a failure to follow standard procedures. At JPMorgan Chase & Co., hackers got in by exploiting a server whose security settings had not been upgraded to two-factor authentication. The stolen loot: the personal information of 83 million customers and 7 million businesses.
Leading-edge organizations
We are now a long way from the tortured teenager operating from a windowless room. Attacks are most often carried out by highly organized criminals working within organizations with well-proven systems. A recent report by the firm Cybereason reveals that DarkSide, one such organization, has targeted more than 40 businesses and communities with ransom demands ranging from 200,000 to 2 million dollars per incident.
For his part, Dr. Michael McGuire, a cybersecurity specialist and lecturer at the University of Surrey, studied how transnational crime syndicates use this income. Huge amounts of money are used to finance other activities such as the worldwide trade in drugs and arms, human trafficking and terrorism. It is thus established that ransomware brings in a billion dollars per year to its authors. To operate, cybercrime syndicates take advantage of local government corruption, especially in transit countries, such as those in Eastern Europe and the Middle East.
For businesses, the indirect costs of an attack, caused by business interruption, are 5 to 10 times higher than the direct costs. The total goes well beyond the ransom itself: it includes downtime and the costs of labor, equipment and network, not to mention lost opportunities and damaged reputation. 8% of French companies have declared between 1 and 5.3 million euros in total costs.
After SaaS, comes RaaS
These operations rely on cutting-edge malware, but also on highly effective business strategies. Among these organizations, GandCrab, for example, offered its affiliates RaaS (Ransomware-as-a-Service) with a revenue split of 60% for the affiliate and 40% for the operator. To make this RaaS even more attractive, the operator offers services such as an administration dashboard and dedicated sites where "dumps" (stolen data) are automatically published if the victim refuses to pay. Like any lucrative criminal enterprise, cybercriminals must launder their income and naturally turn to cryptocurrencies, bitcoin in particular.
Not just for the big ones
Ransomware attacks no longer target only large companies. In the United States, 50 to 70% of attacks concern SMEs. Changes accelerated by the pandemic have made small businesses even more vulnerable. The increase in remote work in particular has been a golden opportunity for hackers, who have taken advantage of outdated VPNs (virtual private networks) and unsecured home networks. The data from the National Security Alliance is brutal: 60% of small businesses disappear within six months of an attack. Worse, 80% of victims are hit a second time, according to Cybereason.
Cybersecurity: it’s everyone’s business!
A recruitment firm specializing in cybersecurity positions, EliteCyber is the first provider of these skills for Thales. Its founder and CEO, Laurent Halimi, shares his insights with us.
EliteCyber is the leader in France. How did this all begin?
Laurent Halimi: About six years ago, we were the first in France to specialize in cybersecurity. The expansion of the CNIL [French National Commission for Computing and Liberties] regulations, the GDPR [General Data Protection Regulation] obligations, the new data-related standards and, of course, the hacking context have all been supporting our growth.
Describe for us the current situation:
LH: In two [well, four] words: lack of qualified applicants. Facing repeated attacks on information systems, whose devastating strength is equaled only by their number in constant upward evolution, the field is overly tense. Imagine: out of 3,800 vacant positions in 2019, only 1,400 were filled! Young graduates of higher learning schools should be made more aware of these challenges. These days, in partnership with training centers, we strive to bring new resources to this marketplace. As a firm, this is our added value.
Facing these attacks, is the response only software-based?
LH: In threat and vulnerability management for information systems, one sees a boom in cyber solutions of the SIEM (Security Information and Event Management) and SOAR (Security Orchestration, Automation and Response) types. However, when asked to say for certain whether an attack could have been avoided, my CISO/ISSR contacts are clear. In 80% of cases, human error is at its origin. Thus, cybersecurity matters for everybody, not only the cyber teams. The challenge is Prevention, with a capital P. Companies must train their employees in threat recognition.
What worries us in this aggression context?
LH: On a larger scale, we have entered an era of digital warfare carried out by foreign powers, such as Russia or China, often through interposed hackers. What worries me the most is the targeting of hospitals. The criminal cynicism of attacks putting human lives in peril by deleting, for instance, patient treatment data and the history of their pathologies.
And what about the ERPs?
In the United States, 61% of business leaders consider the ERP to be the most important asset of the information system. The average cost of an ERP attack is estimated to be over 5 million dollars. In France, the integration of an ERP is just as critical. Financial, HR and customer data are the most sensitive areas. With ERPs increasingly open to the Internet, prudence requires treating ERP security, from the outset, as a context in which threats can affect all the components of the information system. While moving the ERP to the Cloud may mitigate the risk of attacks, putting security rules in place and making everyone aware of them is paramount.
One of the safest ways to protect the ERP from a cyber-attack is to define up front who is in charge of the security of this solution. A clear distribution of tasks between CIOs, the various IT managers and the software publisher remains essential. Finally, if an attack does take place despite everything, you should always avoid paying because, even after payment, data can remain encrypted.
5 tips for protecting your ERP
To proactively counter ransomware and effectively shield your ERP against malicious intent, experts recommend acting before the attack and thwarting it with five measures:
- Plan the backup of the IT devices
- Regularly update the software, including the antivirus apps
- Educate and train employees about the risks
- Implement data protection measures to guarantee minimal loss and fast recovery of the data:
  - Compartmentalize the authentication systems and the domains
  - Update the storage snapshots outside of the main storage pool
  - Control access rights to data, etc.
- Establish the action plan in case of an attack
Sources: Harvard Business Review France, Bloomberg.com, Inc.com, BFM Business, journaldunet.com, cohesity.com, oracle.com, silog.fr, LinkedIn.com, illusive.com, Waterfall, Maddyness, Radio-Canada
Paris - FRANCE / New York - USA
©2021 FiveForty°. All Rights Reserved.