On the morning of 4 November 2019 rumors began to circulate about a ransomware attack that had hit several Spanish firms. At first it felt like déjà vu: only a couple of years earlier, in May 2017, WannaCry had brought companies like Telefónica, Iberdrola and Gas Natural to a standstill. The victims this time were the IT services company Everis and the radio station Cadena SER.
Ransomware is simply malware that encrypts the victim's files and systems and then demands a ransom in exchange for the decryption key. In the early days ransomware campaigns were scatter-gun: the same payload was pushed out through several channels at once in an attempt to encrypt as many computers as possible, home or corporate, on the theory that volume would maximise the total ransom collected. Over the years this has changed, and attacks have become targeted at specific organisations chosen for their ability to pay.
Although the victim companies have not yet given an official account of what happened, there is enough public information to describe the attackers' modus operandi with reasonable confidence.
First, a user at one of the victim companies visits a website, either one built for the purpose by the attacker or a legitimate site that has been compromised. The page tells the user that a browser update must be downloaded; the "update" is in fact the malware, and the user's acceptance starts the whole chain. At this stage the malware does not encrypt anything. Its job is to give the attacker a foothold from which to move through the network at will: the attacker identifies other hosts and core services such as Active Directory and tries to obtain privileged access to as many resources as possible.
Once inside the network the attacker can decide whether the target is worth further effort. If it turns out to be a critical, high-impact organisation, the attacker instructs the implant to spread the ransomware, in this case BitPaymer, across the network and then run it. From that point on it falls to the security team to detect the threat and contain it as quickly as possible, and the earlier in the chain they catch it, the less there is to recover.
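The chain just described (browser drops a fake "update", a script host runs it, Active Directory discovery follows from the same foothold) is exactly the kind of sequence a security team can correlate from endpoint telemetry before any encryption happens. The following detector is an added example, not code from the original post or from the victim companies: the log lines are constructed for the example, the field names (`host`, `event`, `proc`, `path`, `cmd`) are assumptions about a generic endpoint feed, and the discovery-command list is illustrative rather than a record of what was run in this incident.

```python
"""Correlate a fake-browser-update intrusion chain from endpoint telemetry.

Added example. The telemetry format and the events below are constructed;
they are not logs from the Everis or Cadena SER incidents.
"""
import re
from datetime import datetime, timedelta

BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe"}
# Commands typically used to map the network and Active Directory (assumed list).
DISCOVERY = [
    re.compile(r"\bnet1?\s+(?:group|user)\b.*/domain", re.I),
    re.compile(r"\bnltest\b", re.I),
    re.compile(r"\bdsquery\b", re.I),
    re.compile(r"\bwhoami\s+/groups", re.I),
]
# A browser-written file named like an update with a script/executable extension.
FAKE_UPDATE_NAME = re.compile(r"update.*\.(?:js|exe|hta|vbs)$", re.I)

# Constructed sample feed: one full chain on WS-117, benign noise elsewhere.
SAMPLE_EVENTS = [
    r"2019-11-04T08:02:11Z host=WS-117 user=alice event=file_create proc=chrome.exe path=C:\Users\alice\Downloads\Chrome_Update.js",
    r"2019-11-04T08:02:30Z host=WS-117 user=alice event=process_start proc=wscript.exe parent=explorer.exe cmd=wscript.exe C:\Users\alice\Downloads\Chrome_Update.js",
    r'2019-11-04T08:05:02Z host=WS-117 user=alice event=process_start proc=net.exe parent=wscript.exe cmd=net group "Domain Admins" /domain',
    r"2019-11-04T08:05:09Z host=WS-117 user=alice event=process_start proc=nltest.exe parent=wscript.exe cmd=nltest /dclist:corp",
    r"2019-11-04T09:30:00Z host=WS-203 user=bob event=file_create proc=chrome.exe path=C:\Users\bob\Downloads\report.pdf",
    # Update-named download that is never executed: must not alert on its own.
    r"2019-11-04T10:12:40Z host=WS-301 user=carol event=file_create proc=chrome.exe path=C:\Users\carol\Downloads\Firefox_Update.exe",
    # Admin running discovery from a normal shell, unrelated to any download.
    r"2019-11-04T10:15:00Z host=WS-301 user=carol event=process_start proc=nltest.exe parent=cmd.exe cmd=nltest /dclist:corp",
]


def parse_event(line):
    """Parse one 'timestamp key=value ...' line; 'cmd=' takes the rest of the line."""
    head, sep, cmd = line.partition(" cmd=")
    ts, *pairs = head.split()
    ev = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
    for pair in pairs:
        key, _, value = pair.partition("=")
        ev[key] = value
    if sep:
        ev["cmd"] = cmd
    return ev


def detect_fake_update_chain(lines, window=timedelta(minutes=30)):
    """Return one alert per host where, inside `window`: a browser writes an
    update-named script/executable, a script host launches that file, and
    discovery commands follow. Requiring all three stages keeps a lone
    download or a lone 'nltest' from firing."""
    events = sorted((parse_event(l) for l in lines), key=lambda e: e["ts"])
    by_host = {}
    for ev in events:
        by_host.setdefault(ev["host"], []).append(ev)

    alerts = []
    for host, evs in by_host.items():
        for i, drop in enumerate(evs):
            if drop.get("event") != "file_create" or drop.get("proc", "").lower() not in BROWSERS:
                continue
            path = drop.get("path", "")
            if not FAKE_UPDATE_NAME.search(path):
                continue
            deadline = drop["ts"] + window
            executed, discovery = None, []
            for ev in evs[i + 1:]:
                if ev["ts"] > deadline:
                    break
                if ev.get("event") != "process_start":
                    continue
                cmd = ev.get("cmd", "")
                if ev.get("proc", "").lower() in SCRIPT_HOSTS and path.lower() in cmd.lower():
                    executed = ev
                elif executed and any(rx.search(cmd) for rx in DISCOVERY):
                    discovery.append(cmd)
            if executed and discovery:
                alerts.append({
                    "host": host,
                    "user": drop.get("user"),
                    "dropped": path,
                    "launched_by": executed["proc"],
                    "discovery": discovery,
                })
    return alerts


if __name__ == "__main__":
    for alert in detect_fake_update_chain(SAMPLE_EVENTS):
        print(alert)
```

Run against the sample feed it raises a single alert for WS-117 and stays quiet for the unexecuted download on WS-301 and the admin's standalone `nltest`. In a real deployment the interesting tuning knobs are the window and the discovery list; the structural point is that the alert fires at the discovery stage, well before any ransomware binary is staged.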
Let this latest attack be yet another warning to all internet users: it can happen to anyone. That is why basic security guidelines and common sense matter. Be wary of any link that arrives by email. Don't trust websites that behave oddly, and in particular never accept a "browser update" offered by a web page; browsers update themselves through their own built-in mechanism. Don't install software from untrusted sources. Keep the operating system and antivirus fully up to date.
Following these guidelines makes it possible to catch the problem early or head it off altogether. Once an attacker has a foothold in the network and has moved laterally, much of the damage is already done, and the dent in the firm's reputation can be worse than the financial loss. If you can't protect yourself, who is going to trust you to protect others?
Author: Jaime Cebrián Benavides
The author's views are entirely his own and may not reflect the views of GMV