For several weeks Costa Rica has been undergoing a massive cyberattack orchestrated by the Conti hackers (the most powerful group of cybercriminals in the world), which targeted several government agencies including the Ministry of Finance, the Ministry of Labor and Social Security, the Social Development and Family Allowances Fund, the Ministry of Science, Innovation, Technology and Telecommunications, and the National Institute of Meteorology. In short, most of the country’s institutions are affected, putting the country in a chaotic situation and leading the president to declare a state of national emergency. On Tuesday, May 31, 2022, it was the turn of the country’s public health system to fall victim to the attack: a ransomware called “Hive” forced Costa Rican social security to take its systems offline.
The attackers appear to have infiltrated the government’s computers with a tool called Beacon, which can record keystrokes, transfer files, and execute commands to exfiltrate and encrypt data. To deal with it, the Costa Rican public health service opted first for a total shutdown of the digital platform, then for restoration of data from backups. Except that there were no backups!
So what is Ransomware, and how can it infect our devices?
Ransomware is a type of malicious program which encrypts files, or even an entire computer, and then demands a ransom in exchange for restoring access to those files or that computer. Ransomware uses encryption to block access to the infected files or computer, rendering them unusable for the victim.
Some types of ransomware can infiltrate your device without any action on your part, while other attacks rely on more traditional methods of infection, namely:
- Exploit Kits: Malicious developers create exploit kits to take advantage of vulnerabilities in certain applications, networks, or devices running obsolete software;
- Phishing: In phishing attacks, the cybercriminal poses as a trusted contact or organization and sends you an email with a seemingly legitimate attachment or link. This type of social engineering attack often contains a fake order form, receipt or invoice;
- Malvertising: Hackers can distribute malware by embedding it in fake ads. This is called malvertising. And even the most trustworthy websites can be affected by these malvertising attacks;
- Drive-by (stealth) downloads: Cybercriminals can plant malware on websites so that when you visit them, the site automatically and silently downloads the malware to your device. If your browser and applications are outdated, you are particularly vulnerable to this technique.
Some key figures on ransomware
For several years, cyber attacks have been increasing and the COVID-19 pandemic has not helped. With the repeated lockdowns, companies and administrations have had to adapt urgently, sometimes forgetting to protect themselves and to secure their employees’ workstations, even remotely, which favors the proliferation of ransomware.
Below are some key figures showing the resurgence of ransomware over the last 2 years and the seriousness of their impact:
- 20 billion dollars is the estimated global cost of ransomware in 2021, expected to reach $265 billion by 2031 (Cybersecurity Ventures);
- 1.4 million dollars is the average cost in 2021 to recover from a ransomware attack (Sophos research agency);
- 32% of ransomware victims in 2021 paid the ransom, but only recovered 65% of their data (Sophos research agency);
- 57% of companies successfully recover their data with a backup (Sophos research agency);
- Attacks are 94.34% faster than in 2019, with the average time from initial access to ransomware deployment dropping from 1,600 hours – more than two months – to just 3.85 days (IBM X-FORCE);
- 66% of organizations were affected by ransomware in 2021 versus 37% in 2020 (Sophos research agency);
- ~ $812,360 is the average ransom payment in 2021, versus $170,000 USD in 2020 (Sophos research agency);
- ~ $2.04 million in the industry & manufacturing sector and ~ $2.03 million in energy, oil/gas and utilities, are the largest ransomware payouts in 2020 (Sophos research agency);
- 88% of French organizations with 3,001 to 5,000 employees are covered by cyber insurance against ransomware, compared to 8% of those with 250 to 4999 employees (AMRAE study – Association pour le management des risques et des assurances de l’entreprise).
This alarming finding illustrates the fact that ransomware remains one of the major weapons in the cybercriminal arsenal and continues to dominate the cyber threat landscape.
Ransomware attacks will only grow in 2022!
This conclusion is drawn from a recent publication jointly produced by the Cybersecurity and Infrastructure Security Agency (CISA), the FBI and the NSA, which details the major trends seen in the international community in the growth of ransomware attacks:
- Increase in phishing attacks;
- Use of stolen credentials for remote access and brute force attacks;
- Growth of cybercriminal for hire (RaaS) offerings;
- More cyber threat actors sharing information about targeted victims;
- A wider range of attack surfaces, including cloud services, industrial processes, and the software supply chain;
- Increased attacks on weekends and holidays.
Another major trend leading to the growth of ransomware attacks in 2022 appears to be the explosion of Ransomware as a Service – RaaS. Cybercriminal groups are renting their products and services to less organized or less skilled cyber threat actors, leading to a tidal wave of new ransomware attacks.
Therefore, it is now more than necessary for companies to define strategies and implement them to prevent the proliferation of ransomware attacks.
Major Ransomware Attacks between 2021 and 2022
- COGNIZANT: Suffered a ransomware attack in April 2020 that reportedly cost the company over $50 million;
- SOFTWARE AG: Germany’s second largest software provider, was reportedly hit by the Clop ransomware in an October 2020 attack. The cybercriminal group responsible demanded a ransom of $23 million;
- KIA MOTORS: In February 2021, DoppelPaymer asked Kia Motors to pay 404 Bitcoins (US$20 million);
- ACER: was the victim of a REvil ransomware attack in March 2021; the attackers demanded $50M;
- The Washington Police Department: suffered an attack in May 2021 by a group called the Babuk Group, the worst ransomware attack on a U.S. police department. The hackers locked down highly confidential department files and demanded $4 million;
- Colonial Pipeline: one of the largest and most critical gas pipelines in the United States, was hit by ransomware in May 2021. The company had to pay a hefty ransom of 75 bitcoins ($4.4 million);
- Nvidia: The world’s largest semiconductor chip company confirmed on February 23, 2022, that it was hacked.
What are the ways to thwart these attacks?
Despite this rise in ransomware attacks, there are ways for businesses to thwart them and avoid losing both productivity and paying a ransom.
The National Institute of Standards and Technology (NIST) recommends organizations follow these basic steps to help thwart ransomware:
- Use anti-virus software at all times and make sure it is configured to automatically scan your email and removable media (e.g., USB drives) for ransomware and other malware;
- Keep all computers fully patched;
- Use security products or services that block access to known ransomware sites on the Internet;
- Configure operating systems or use third-party software to allow only authorized applications to run on computers, preventing ransomware from running;
- Restrict or prohibit the use of personal devices on organizational networks and for telecommuting/remote access without taking additional steps to ensure security;
- Use standard user accounts instead of accounts with administrative privileges whenever possible;
- Avoid using personal applications and websites, such as email, chat, and social networks, from organizational computers;
- Avoid opening files, clicking on links, etc. from unknown sources without first ensuring that the content is not suspicious. For example, you can run a virus scan on a file or look at a link to see if it goes to the site it claims to go to;
- Develop and implement a disaster recovery plan with clearly defined roles and strategies for good decision-making, and test that plan regularly;
- Plan, implement and regularly test a data backup and recovery strategy. It is important to not only have secure backups of all critical data but also to ensure that backups are kept in another location so that ransomware cannot easily spread there;
- Maintain a list of internal and external contacts to notify in the event of ransomware attacks, including those in law enforcement, and understand each contact’s role in the recovery phase;
- Ensure you have implemented and are using multi-factor authentication (MFA) where possible;
- Educate users to better identify and prevent cyberattacks, including phishing attacks;
- Another interesting defensive opportunity may be greater use of Zero Trust architecture. There is strong momentum for Zero Trust as a way to slow down and even combat new ransomware attacks.
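The NIST advice above to "look at a link to see if it goes to the site it claims to go to" can be automated for HTML e-mail. The following Python script is an added example, not code from the original article or from NIST; the e-mail body it scans is a constructed sample, and the domain names in it are placeholders.

```python
"""Flag links whose visible text claims one site but whose href points elsewhere."""
from html.parser import HTMLParser
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Constructed sample e-mail body (placeholder domains, not a real message).
SAMPLE_EMAIL_HTML = """
<p>Your invoice is ready. Review it at
<a href="http://payments.example-invoice.net/login">https://portal.example.com/invoices</a>
or visit <a href="https://portal.example.com/help">portal.example.com</a>.</p>
"""

def registrable_host(text: str) -> Optional[str]:
    """Return the lowercase host of a URL or bare domain, or None if there is none."""
    candidate = text.strip()
    if "://" not in candidate:          # bare domain such as "portal.example.com"
        candidate = "http://" + candidate
    host = urlparse(candidate).hostname
    return host.lower() if host else None

class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> element."""
    def __init__(self) -> None:
        super().__init__()
        self.links: List[Tuple[str, str]] = []
        self._href: Optional[str] = None
        self._text: List[str] = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []
    def handle_data(self, data):
        if self._href is not None:      # only text inside an open <a>
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def find_mismatched_links(html: str) -> List[Tuple[str, str]]:
    """Return (href, text) pairs where the text names a host different from the href."""
    parser = _AnchorCollector()
    parser.feed(html)
    suspicious = []
    for href, text in parser.links:
        claimed, actual = registrable_host(text), registrable_host(href)
        # Only compare when the visible text actually looks like a domain or URL.
        if claimed and actual and "." in claimed and claimed != actual:
            suspicious.append((href, text))
    return suspicious

if __name__ == "__main__":
    for href, text in find_mismatched_links(SAMPLE_EMAIL_HTML):
        print(f"suspicious link: text shows {text!r} but goes to {href!r}")
```

Link text such as "click here" contains no dot and is skipped; the check only fires when the displayed text itself claims a host that the href does not match.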
Should the ransom be paid, or should payment be forbidden?
Ransomware attacks are increasing at a frightening rate. And the more victims pay in ransom, the richer the cybercriminal networks become, allowing them to intensify their attacks… To stop this vicious cycle, regulators around the world are considering an extreme solution: banning ransom payments.
Some experts believe that a payment ban would give organizations relief, and provide them with leverage to fend off their attackers. But such bans should be implemented only after governments have established effective victim support mechanisms.
Others believe that, instead of focusing on the legal treatment of ransom payments, governments should focus on finding ways and building strategies to protect citizens from cyberthreats in the same way they protect them against bandits or terrorists.