
Cyberattacks and data kidnapping: how can organisations protect themselves from ransomware?

Published in February 2021

In 2019, Rouen in Normandy, then Dax in Landes, Villefranche-sur-Saône and now the city of Chalon-sur-Saône: in recent years, a number of hospitals and the public authorities that manage them have been victims of malware that paralysed their computer networks. Between 2017 and 2020, multiple public authorities and French companies were subject to attacks, often followed by ransom demands. Data kidnapping can immobilise high-risk sectors, like hospitals, which were already greatly weakened by the pandemic.

Elsewhere, Bouygues, Honda, Stadler Rail (a Swiss company), Canon, Sopra Steria and just recently, Gmail/Hotmail have also suffered this kind of attack.

Furthermore, a new means of cyber extortion seems to be emerging: a faster form of digital extortion, where data is not encrypted but a ransom is still demanded. The most affected countries are Nigeria, Colombia, South Africa, China, Poland, Belgium and the Philippines.

According to a recent study by Xerfi, this form of cybercrime cost companies around the world approximately €350 billion in 2017 and €885 billion in 2020.

Furthermore, the firm Accenture has estimated the cost of cybercrime for the world's businesses at €4,600 billion for the 2019-2024 period.

So how do these kinds of attacks work? And how can you protect yourself?

Similar modes of operation to the kidnapping of individuals

My research into kidnapping and extortion shows that the means of operation are relatively similar between ‘physical’ ransoming that directly involves people and ‘virtual’ or "intangible" kidnapping.

Cybercriminals are profiting from the instant nature of data exchanges, which are ever faster and larger in size, both within companies and in society in general.

They use software with names like Darkside, Ryuk, Egregor, DoppelPaymer, REvil and Avaddon. Data is captured via encryption, and a ransom is demanded, usually in the form of cryptocurrency, in exchange for the decryption key to recover the data.

Certain companies have had to pay up to a million dollars for a single attack, while others have suffered losses of several hundreds of millions of dollars.

A recent study demonstrated the economic impact of ransomware on companies, between the amounts paid and loss of revenue due to the interruption in activity and production.

It is estimated that the cost of international cybercrime has exceeded $1,000 billion since 2018. The current record for the highest ransom ever paid is $34 million. It was paid by a company whose identity has been kept anonymous.

Evolution of ransomware

Research has shown that ransomware has developed significantly over time. Very quickly, we have gone from software that blocks access to data for a ransom (locker ransomware) to software that captures data by encrypting it in exchange for a ransom (cryptoransomware), often paid in cryptocurrency such as bitcoin.

Nowadays, we see cryptoransomware and bitcoin being used in tandem, particularly for ransom payments, as this payment method is undetectable and makes it possible to transfer money without going via a third-party authority.

There is just as much variety in kidnapping for ransom in the real world: bossnapping, express kidnapping, terrorist kidnapping, financial kidnapping, and so on.

Bossnapping is a practice that involves kidnapping only company heads, typically by employees, in exchange for a certain outcome demanded by an organisation such as a union. Take, for example, the case of Fernando Ruzza, general branch director of the subsidiary Omnia Network SPA. He was detained by his employees after they were made redundant even though the company's profits had risen.

Express kidnapping, which involves kidnapping a person in front of a bank ATM, is very widespread in Latin America, for example.

What are the consequences for the perpetrators and the company?

Fraudulently introducing data into an automated processing system, or deleting or modifying the data it contains, is punishable by five years of imprisonment and a fine of €300,000 (art. 121-3 of the French Penal Code). As for attacks on the system itself, blocking or interfering with the functioning of an automated data processing system is punishable by five years of imprisonment and a fine of €150,000.

Even if the breach is effectively covered by French legislation (art. 121-3 of the French Penal Code), according to Europol, there is a certain inadequacy in applying said legislation. For example, only a single accused party has been brought to trial in France, in a case in October. Though the defendant was found guilty of money laundering, they were cleared of the charges related to ransomware.

Cases related to ransomware remain very rare, as confirmed by Catherine Chambon, deputy director of the anti-cybercrime unit in France’s Central Directorate of the Judicial Police (DCPJ), in the newspaper Le Monde.

Ransomware has overtaken the authorities, who are powerless to curb this phenomenon. According to Chambon, it is extremely complicated to find the perpetrators, especially since, unlike cases in the real world and terrorist acts, information from intelligence services cannot be relied upon.

This is what gives greater importance to the work performed by the Europol departments in dismantling Emotet, one of the biggest networks of infected computers, used by some ransomware actors to reach their victims.

The same departments also recently arrested the team behind the ransomware Egregor, in Ukraine.

According to studies, the risk of breach (repercussions and risk of attacks on the company) increases by 50% in the three months following the announcement of an incident.

This risk can be up to 80% for French companies. To this is added an 8 to 10% loss of value after the attack is announced, without counting the immaterial damages to the company’s reputation. And this is all in a context where ransomware attacks have grown by 255% in 2020.

Ransomware-as-a-service (RaaS)

The ransomware black market operates as a service. Software is created by operators, who recruit what are known in the jargon as 'affiliates': individuals who hack into a network and then split the proceeds with the software creators.

The affiliates are the ones who infiltrate the victims’ network with the ransomware. The ransom obtained will then be shared between the affiliate and the seller of the software at varying rates, according to criteria such as belonging to a certain group, for example.

Moreover, it is common for certain affiliates to decide not to work with certain operators if they consider that the percentage handed back to the operator (the retrocession) is too high.

This process can be compared with kidnapping for ransom in the real world, which is described by investigative journalist Dorothée Moisan in her work "Le business des otages" (The Hostage Business).

Who are these cyber extortionists?

The process is based on a common three-part approach: encrypt the data so that the user cannot use it, obtain payment and decrypt the data.

Results of international research into organisations show that in 73% of cases, cybercriminals succeed in encrypting data, and in 24% of cases, the attack fails, meaning the data cannot be encrypted. More specifically, in France, we see that 17% of attacks are blocked before the data within organisations is breached.

As regards geographical location, it is believed that most hackers come from places such as Russia and Eastern European countries like Ukraine, as coding is most often done during time windows that correspond to countries that use Cyrillic script.

User flaws

Research into this topic also shows that most individuals lack rigour and knowledge about computers. This is a significant flaw, as hackers exploit this widespread negligence to inject the virus into the computer system, generally via an email or another form of social engineering.

Individuals tend to use free antivirus programs that offer weaker protection, and fail to update the software or basic protections such as proxies or firewalls. Viruses are also sometimes spread by the simple means of a USB drive plugged into one of the company's computers.

There are two kinds of attacks: blind attacks and targeted attacks.

  • Opportunist or blind attacks refer to attacks without a set target, launched in large volumes. The objective is to obtain multiple ransoms (generally small amounts).

  • As for targeted attacks, they are aimed at a particular victim with the means to pay a significant ransom. The target is often legal entities such as companies, banks and organisations.

The issue of paying the ransom

Whether it is a person who has been kidnapped or data, the essential question is whether, in the end, you should pay the ransom.

It is a complex and controversial question, and the answer is different in each case. In the physical world, research shows that the solution depends on the kind of kidnapping. For example, in the case of terrorist kidnapping, certain countries will pay the ransom, whereas others, like the United States, categorically refuse to do so.

Others state publicly that they will not concede, but still pay the ransom via an NGO acting as the intermediary.

In the world of cyberattacks, the research once again demonstrates a range of opinions on this question.

What are the solutions?

Many companies that have been victims of cyberattacks try to avoid making this public knowledge, so as not to damage their image and injure the trust of their clients, suppliers and partners. But in recent years, we have seen an evolution.

Companies opt for communication and transparency with their clients and partners, precisely in order to not lose their trust, and try to explain how the organisation is facing and successfully managing the situation.

The fact remains that the main techniques used by hackers are based on user flaws and their lack of knowledge around malicious emails and links. It is therefore advised for companies to regularly back up their data, stored in a space that is not connected to the corporate network, in order to avoid it being encrypted in the event of an attack.

As shown by scientific research, the best solutions to fight against kidnapping via ransomware can be summed up in three points: user education, a strict security policy, and back-up procedures and strategies.

Lastly, it is essential to report the attack to the national police and refer to specialised services, specifically the cybercrime department, the No More Ransom portal and the recommendations from France's National Agency for the Security of Information Systems.

Identity card of the article

Original title:

Cyberattaques et kidnapping des données : comment protéger les organisations des rançongiciels ?

Author:

Fabrice Lollia

Publisher: The Conversation France
Collection: The Conversation France
License:

This article is republished from The Conversation France under a Creative Commons license. Read the original article.

Date: June 6th, 2023
Languages: French and English
Keywords:

Computing, crimes, risk management, criminality, hacking, cybercrime, computer virus, ransomware, financial crimes