2019, a “boom” year for ransomware

2019 was the year when ransomware, the computer programs that lock victims’ data and demand ransom, did the most damage. This is one of the lessons from a report, published Wednesday January 29 by the National Information Systems Security Agency (Anssi), while the International Forum on Cybersecurity (FIC) was held in Lille.

The state’s digital bodyguard, responsible for defending the most sensitive administrations and businesses, intervened 69 times in response to ransomware infections.

“It’s an exponential curve,” said its director, Guillaume Poupard, on Wednesday January 29 at a press conference on the sidelines of the FIC. He expects to see simultaneous attacks in the future:

“The question that arises is how we handle more and more cases. It’s very disturbing. When there are 10 ransomware attacks at the same time, choices will have to be made, and the agency will focus on what is critical; what to avoid is having to make hard choices.”

“The most serious IT threat”

Some incidents have been publicized: this is the case for the attacks against M6, the consultancy firm Altran and Fleury-Michon. Others have affected, to varying degrees of severity, sensitive administrations, ministries or businesses. Anssi’s cyber firefighters say little more. We learn only that a majority of incidents took place in the fields of health (one incident in four) and local authorities (one incident in five), a prevalence that can be explained by the sensitivity of these sectors as well as by their lack of means to counter the attack alone.

[Figure: Number of ransomware-related incidents, per month, that Anssi had to deal with. Source: ANSSI]

Even though it concedes that it lacks exhaustive information on ransomware across French territory as a whole, ANSSI believes that it constitutes today “the most serious IT threat for companies and institutions”.

Most organizations infected with this type of malware are merely victims, among others, of attackers who practice trawling: by trying to infect as many victims as possible, without targeting them, they hope to maximize their earnings. The attackers achieve their ends when the targeted organization is equipped with poorly updated software and defective defenses. “Any company, institution or individual with access to the Internet can be infected with ransomware if it has not implemented basic IT security measures,” stresses Anssi.

The emergence of targeted ransomware

But the state’s digital bodyguard, like many other cybersecurity players, is pointing to the emergence in recent months of more targeted ransomware, which causes more damage and brings in much more money for its operators.

Infection with this type of program is preceded by intelligence and infiltration operations worthy of the most advanced state spy operations, writes Anssi. For weeks, if not months, hackers infiltrate the network, covertly locating and targeting the most important files in the business or organization.

The number of attempted attacks is lower, but they are much more profitable for hackers. The loot frequently exceeds $1 million, and over the course of their attacks, some groups have managed to extort more than $100 million. A foolproof return on investment: ANSSI estimates that the cost of their operations hardly exceeds one million dollars. The hackers behind GandCrab ransomware, which could be rented by other hackers, claimed to have collected $150 million annually.

This ransom activity is now well established in the cybercrime ecosystem. Ransomware hackers can outsource some of their activities (their IT infrastructure, or the purchase of personal data to better target the attack) to other hacker groups. Thus, notes ANSSI, certain software initially designed for espionage purposes is used for reconnaissance before ransomware is deployed.

To ensure that victims take out the checkbook, or rather the Bitcoin wallet, certain hacker groups are adopting a new strategy: they do not hesitate to disclose sensitive data stolen from their victims’ networks during their reconnaissance.

The vicious circle of insurance

In its report, ANSSI explicitly denounces what appears to be a vicious circle: the emergence of insurance to cover companies against damage from ransomware. Insurance companies frequently urge affected companies to pay the ransom, unlike all French authorities, who advise rebuilding the network, better protecting it and filing complaints as soon as possible. This is all the more questionable since, as experts frequently point out, paying the ransom is never a guarantee of recovering your data. “This incentive to pay validates the economic model of cybercriminals and already leads them to increase the ransoms and to multiply their attacks”, writes Anssi.

The authority outlines some frightening prospects in its report. It notes that some companies recently affected by ransomware, such as the Norwegian Norsk Hydro and the French Altran, are subcontractors to many other companies. An attack paralyzing their activities can therefore, in turn, have a “systemic impact on an industry”. Anssi clearly envisions the “destabilization” of large companies or even of “a whole section of economic activity”.

Worse: certain attacks on actors close to the justice system (in particular, in 2019, against the Eurofins analysis laboratory) lead ANSSI to fear that it is possible “that cybercriminal groups (or organized crime in general) someday rely on this means to put pressure on justice”. Referring to the NotPetya attack, ransomware-like sabotage software most likely launched by Russia, ANSSI believes that “it is quite possible that foreign powers use ransomware in a destabilizing logic”. One thing is certain, for Anssi: “The ransomware phenomenon will increase in the years to come”.
