The CSIC is offline: x-ray of a ‘ransomware’, the cyberattack that everyone fears | Technology

The alarms went off this week. Two researchers from the Higher Center for Scientific Research (CSIC) complained on social networks that they had been without internet access for days. One of them requested in a letter to the director of EL PAÍS published this Tuesday the immediate restoration of the systems so that the projects in progress are not delayed. That same day, the Ministry of Science and Innovation released a statement acknowledging that the body suffered a cyberattack of the type ransomware on July 16 and 17, similar to the one that has also affected the Max Planck Institute or NASA this month. The National Cryptologic Center (CCN), the CNI body in charge of ensuring the cybersecurity of public institutions, activated a protocol that involved disconnecting all CSIC systems to prevent the spread of the virus. software malicious.

“To date, no loss of sensitive or confidential information has been detected,” the Ministry also said. And he pointed out that the investigation locates the origin of the cyberattack in Russia, something that various sources consulted by this newspaper consider premature to venture. Because one of the basic characteristics of cyber attacks, which makes them so attractive to criminals, is the ease of masking their origin. Defense Minister Margarita Robles insisted on Wednesday that the threat was attributable to the Russians.

The ransomware It has been the preferred resource of cybercriminals for a few years. It is a type of cyberattack that encrypts the data of a system and then asks for a ransom in exchange for releasing it. The recommendation of the authorities is not to pay, but many do. Those who give in to blackmail usually try to keep it from spreading, but there have still been notorious cases. Among the most recent is the Colonial Pipeline, one of the largest oil pipelines in the US. After suffering a ransomware that paralyzed its activities, the authorities decided to pay the five million dollars that were required to release its systems and restore service.

The investigation into what has happened at the CSIC is still ongoing, and therefore secrecy prevails over the particularities of the case. However, the situation that the organization is going through is familiar to dozens of Spanish companies. The ransomware It is experiencing a critical moment, driven even more by Russia’s invasion of Ukraine. According to data from Check Point, in the second quarter of 2022, global cyberattacks increased by 32% compared to the same period in 2021. The average number of weekly attacks per organization worldwide reached 1,200 threats, an all-time high. The CSIC claims to receive some 260,000 intrusion attempts daily.

How exactly does this type of computer virus operate? What can be done to counter it? Is there an alternative to paying the ransom? EL PAÍS reconstructs with the help of cybersecurity experts what those who fall prey to a ransomware.

1. Infection: everything works apparently fine

The first phase of the process goes completely unnoticed by the victim. The cybercriminal looks for a way to access the system that he wants to attack. The most common route of entry is phishing, or deception techniques by which the victim is made to share passwords or other types of useful confidential information. For example, by posing as a bank or vendor and requesting credentials. Other ways to place software malicious software on the target computer is to disguise it as another program for the user to download (a fake update) or to exploit vulnerabilities in the victim’s operating system.

“I have worked for many years with the Administration and you would be surprised to see how common it is even today to come across Windows 2000 or Windows XP,” explains an analyst who prefers to remain anonymous. These operating systems, for which Microsoft no longer releases updates, were the gateway to the ransomware WannaCry, one of the most devastating in history, which in 2017 infected hundreds of thousands of computers in 150 countries.

Once the cybercriminal manages to enter a computer of the organization he is attacking, he has two main objectives. First, get administrator permissions to gain control of the entire system. Second, extend the malwareeither software malicious, as much as possible to reach as many devices as possible. When you take control of several or all computers, you can encrypt them and demand ransom. Or go a step further and first extract data of interest and then threaten the victim with its publication (this modality is known as ransomware double extortion).

Surprisingly, it doesn’t take many people to orchestrate attacks like this. “It is much simpler than it seems. There is often only one person behind a powerful cyber attack. They are even sold at dark web [redes y tecnologías que tratan de preservar el anonimato de sus usuarios] applications to develop ransomware at quite affordable prices,” says Marco Lozano, head of Cybersecurity for Companies at the National Cybersecurity Institute (Incibe). Reporting to the Ministry of Economic Affairs and Digital Transformation, Incibe is the body that provides support to private companies and individuals that suffer cyberattacks (public entities are the responsibility of the CCN).

When executing the ransomware, the files begin to be encrypted. “The more sophisticated the attackers are, the more damage they try to do. They will typically try to encrypt files shared internally on the organization’s network, not just the hardware of the infected computer”, illustrates Gergely Revay, systems engineer in the threat intelligence and research division of Fortinet, an American developer of software of cybersecurity. “They also look for backups, which is the best protection against a ransomwareto encrypt and cancel them”, he adds.

2. Detection: I can’t open the file

The victims know nothing of what is going on in their computers. Until one fine day they see that they cannot open a file. That is the most common way to realize that something is wrong. It is common for a ransom note to appear outlining instructions for paying the ransom. “They are usually text files that open automatically if you try to access any folder on the machine. Other cybercriminals bet on changing the wallpaper to make it even more obvious”, details Revay.

There are more signs that can set off alarms. For example, security tools or backups are disabled. It is also suspicious that administrator accounts appear that did not exist. “Sometimes several months pass before the cyberattack shows signs of its presence,” says Eusebio Nieva, technical director of Check Point Software for Spain and Portugal. Attacking a company with 400 employees is not the same as attacking another with 400,000. The more sophisticated the attack and the larger the prey, the longer preparations can take, while the larger the cybersecurity teams of its victims will be.

In the kidnapping note, the attackers usually provide some way to contact them. “It can be an address in TOR [un sistema de comunicaciones enrutadas que protege la identidad de los usuarios] or in the dark web, so that you can write directly in a chat to negotiate the price, which is lower the sooner you pay. As the days go by, it increases. If you pay, hopefully the system will be released for you,” says Revay.

3. Reaction: payment or no payment?

The recommendation of authorities and experts is not to pay. Among other things, because there is no guarantee that after doing so, the encryption key to recover the systems will actually be received (don’t forget that you are dealing with criminals). But many end up doing it. “I have helped several companies to manage the payment of the ransom”, says Deepak Daswani, hacker and cybersecurity consultant. “They usually ask for it in bitcoins. The amount varies depending on the size of the company. If they ask you for 5,000 euros, you still prefer to pay to forget about it. It is true that there is now more knowledge of cryptocurrencies, but the ransomware It has been active since 2013 and then hardly anyone knew how to operate with them,” he says.

What can those who decide not to give in to blackmail do? “There are two types of companies: those that have contingency plans, some security policy that allows them to restore activity in the event of possible incidents, and those that do not have a plan B. The latter are the ones that most concern us,” Lozano underlines, of the Incibe.

Response plans have their own manual. The CCN is following yours to resolve the CSIC incident. The theory marks a series of stages in the action: containment, identification, incident mitigation, recovery and post-incident analysis. Part of the work can be done remotely, but it is normal for technicians to go to check the attacked equipment and coordinate with the personnel of the attacked company or organization.

“Everything will depend on at what point in the process you discovered the attack,” summarizes Fortinet’s Revay. “If it has been done early, without destruction or data extraction yet, the first thing is to try to identify patient zero, which machine was infected first and which ones followed. And then analyze which part of the system is compromised,” he explains. This seems to be the stadium in which the CSIC is.

“In case your data has started to be encrypted, the situation is different: your move is to try to restore the systems as soon as possible. That is why it is crucial to have backup copies and know how to protect them. At the same time, it is necessary to investigate how they have managed to get into the systems and reestablish control, so that they do not have administrator powers”, continues Revay.

Having hybrid backups, which host the information on external servers and on removable memory sticks, is today the best guarantee to withstand an attack by ransomware. There are also advanced tools capable of inferring anomalous behavior of the operating system, such as that which arises when an encryption process is started. They help buy time and get ahead of the cybercriminal.

4. Outcome: recover systems or start from scratch

But there are attacks so sophisticated that they have no solution. “There are times when you have to set up a new network. When cybercriminals have gotten into the network so much that it is impossible to restore it and it is better to start from scratch, ”acknowledges a cybersecurity expert who does not want to give his name. A recent Google report highlights that there are companies that are forced to close because they do not recover from a cyberattack that causes them to lose their key databases.

If, on the other hand, the situation is controlled, it is time to debug machine after machine and, once there is no trace of the malware, the system can return to normal operation. Then begins the phase of analysis of what happened, whose objective is to take measures so that it does not happen again. It is also about knowing the author of the attack. “Depending on the type of ransomwarefrom the design of the campaigns and the tools used, we can have a preliminary idea of ​​the geographical origin of the attack, but accurately determining if there is an organization behind it or a specific individual is a mission that is often impossible”, he points out. Snow, from Check Point.

You can follow THE COUNTRY TECHNOLOGY in Facebook Y Twitter or sign up here to receive our weekly newsletter.