A few months ago we witnessed an unprecedented cyber-attack: 200,000 victims in 150 countries during the first weekend alone. Apart from crippling dozens of British hospitals and clinics, it also hit Renault, which halted production in several of its plants. The Spanish telecom operator Telefónica and hundreds of computers at the Russian Interior Ministry were also affected over that weekend. The head of Europol stated that "we have seen nothing like this before." Two weeks after the attack, 1.3 million computers running Windows were still at risk.
This attack, which hit infrastructure worldwide, belonged to the malware family known as ransomware. Ransomware usually gets onto a victim's computer when the user clicks a link in an e-mail or opens a seemingly ordinary file: an invoice, a job offer or another document. This particular outbreak, WannaCry, did not need that step: once inside a network it spread on its own by exploiting a flaw in the SMBv1 file-sharing service of unpatched Windows machines (fixed by Microsoft in MS17-010), which is why it reached so many computers so quickly. Once running, the ransomware encrypts the data on the computer and the criminals hold the victim to ransom in return for the decryption key. How to identify this type of attack in real time is described in our blog post on the "behavioral patterns" setting of Flowmon Anomaly Detection System.
Another potential large-scale attack is EternalRocks. This worm uses the same spreading mechanism as WannaCry, the leaked NSA exploits for the Windows SMB service, but bundles several of them instead of one and so could have a more devastating effect. And again, NSA tooling and the Windows operating system are "mixed up" in this.
In the latest mass ransomware attack, the criminals demanded $300 in the Bitcoin virtual currency for each infected device in return for releasing the data. Bitcoin addresses are not tied to a real-world identity, so it is a popular choice of payment for this kind of illegal activity. According to experts, the attackers received tens of thousands of dollars over a few days.
This type of "business" is possible thanks to the Dark Web and the Deep Web. The Dark Web is the set of services hosted on an overlay network such as TOR (The Onion Router): traffic is encrypted between TOR clients and relays, the services are reachable only through that network, and the location of the servers stays hidden. It is a place for various illegal activities, from the sale of drugs and weapons to the cyber-attacks mentioned earlier.
The Deep Web is simply the content of databases and other web services which, for various reasons, is not indexed by common search engines. Put simply: the Dark Web is the small part of the Deep Web that additionally requires special software, such as a TOR client, to reach. Users of these services stay anonymous simply by going through TOR. TOR itself, however, is easy to detect on the network: the addresses of TOR relays are published, so a connection from an internal host to one of them stands out in flow data. Flowmon Anomaly Detection System has been able to do this for some years.
Some users increase their anonymity further by using commercial VPN services, available at a reasonable price (e.g. IPVanish).
Ransomware as a Service
Naturally, massive and widespread attacks of this kind will always attract the attention of the media, but the bad news is that in the future we must expect hundreds of smaller attempts at online extortion that journalists will barely notice. Ransomware is commonly available as a service. One of the most recent offerings, called Fatboy and promoted on Russian-language forums, is worth mentioning. Fatboy is a good demonstration of how well thought out and customer-friendly ransomware-as-a-service (RaaS) is becoming.
Fatboy has a user interface localized into 12 languages, technical support via Jabber and an interesting automatic price-adjustment feature. The decryption fee for an infected computer is set according to where the victim lives, using the so-called Big Mac Index, The Economist's comparison of purchasing power across countries. Victims in countries with a higher standard of living have to pay more than those in poorer countries.
In the digital world there is room not only for organized crime but also for ordinary pickpockets and fraudsters. Cyber-attacks are offered as a service and can be bought as easily as lunch at a restaurant.
Complete, impenetrable protection is very hard, if not impossible, to achieve. But if we want to get closer to it, we need to adopt the entire security cycle, from detection to prevention. An important role is played by network traffic monitoring, which provides the detailed information needed to know what is happening in your environment. Obtaining an overview is not enough in itself, though. Monitoring should be complemented by tools that detect unusual behavior and threats in real time, support a rapid response to them, and afterwards feed information back into strengthening the organisation's security as a whole.
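The TOR detection mentioned earlier and the behavioral-pattern approach to spotting a WannaCry-style outbreak can both be sketched over flow records, which is the data network monitoring produces. The following is an added example and not Flowmon's own code: it parses constructed NetFlow-like records, flags hosts that connect to a known TOR relay (the relay list is a constructed stand-in for the published TOR consensus) and flags hosts that open SMB (445/tcp) to an unusual number of distinct peers within a short window, the fan-out pattern of a worm looking for its next victim. The thresholds, window size and sample addresses are assumptions for illustration.

```python
"""Flow-based detection examples: TOR relay contact and WannaCry-style SMB fan-out.

Added example, not Flowmon code. The relay list, thresholds and flow records
below are constructed for illustration.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass

# Constructed subset of a TOR relay list (documentation-range addresses).
# In production, load relay addresses from the current TOR consensus or the
# Tor Project's bulk exit list and refresh them regularly.
TOR_RELAYS = {"198.51.100.7", "203.0.113.44", "192.0.2.99"}

SMB_PORT = 445
FANOUT_THRESHOLD = 20   # assumed: distinct SMB peers a workstation should never reach
WINDOW_SECONDS = 60     # assumed: sliding window for the fan-out count


@dataclass(frozen=True)
class Flow:
    ts: int       # flow start time in seconds
    src: str
    dst: str
    dport: int
    proto: str
    pkts: int


def parse_flows(lines):
    """Parse CSV flow records 'ts,src,dst,dport,proto,pkts'; comments and blanks are skipped."""
    flows = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, proto, pkts = line.split(",")
        flows.append(Flow(int(ts), src, dst, int(dport), proto, int(pkts)))
    return flows


def tor_contacts(flows, relays=TOR_RELAYS):
    """Map each source that connected to a known TOR relay to the relays it reached."""
    hits = defaultdict(set)
    for f in flows:
        if f.dst in relays:
            hits[f.src].add(f.dst)
    return {src: sorted(dsts) for src, dsts in hits.items()}


def smb_fanout(flows, threshold=FANOUT_THRESHOLD, window=WINDOW_SECONDS):
    """Flag sources that open 445/tcp to at least `threshold` distinct hosts within
    any `window`-second sliding window. Returns {src: peak distinct destinations}."""
    per_src = defaultdict(list)
    for f in flows:
        if f.proto == "tcp" and f.dport == SMB_PORT:
            per_src[f.src].append((f.ts, f.dst))

    flagged = {}
    for src, events in per_src.items():
        events.sort()
        live = Counter()   # destinations seen inside the current window
        left = 0
        peak = 0
        for ts, dst in events:
            live[dst] += 1
            # evict events that have fallen out of the window
            while events[left][0] < ts - window:
                old = events[left][1]
                live[old] -= 1
                if live[old] == 0:
                    del live[old]
                left += 1
            peak = max(peak, len(live))
        if peak >= threshold:
            flagged[src] = peak
    return flagged


# Constructed flow records: a worm-like host scanning 30 neighbours on 445/tcp
# in 30 seconds, a normal user touching three file servers, and a workstation
# connecting to a listed TOR relay on its ORPort plus one ordinary HTTPS site.
SAMPLE_FLOWS = ["# ts,src,dst,dport,proto,pkts"]
SAMPLE_FLOWS += [f"{1000 + i},10.0.0.5,10.0.1.{i + 1},445,tcp,3" for i in range(30)]
SAMPLE_FLOWS += [f"{1000 + 20 * i},10.0.0.8,10.0.2.{i + 1},445,tcp,250" for i in range(3)]
SAMPLE_FLOWS += [
    "1010,10.0.0.12,198.51.100.7,9001,tcp,40",
    "1012,10.0.0.12,192.0.2.10,443,tcp,12",
]


def analyse(lines):
    """Run both detections over raw flow lines and return their findings."""
    flows = parse_flows(lines)
    return {"tor": tor_contacts(flows), "smb_fanout": smb_fanout(flows)}


if __name__ == "__main__":
    for kind, result in analyse(SAMPLE_FLOWS).items():
        print(kind, result)
```

Two caveats a practitioner should keep in mind. Relay matching only catches direct connections to listed relays, so a user who enters TOR through an unlisted bridge, a pluggable transport or a commercial VPN of the kind mentioned above will not show up. And the SMB fan-out threshold has to sit above what legitimate vulnerability scanners, backup hosts and domain controllers do in your own environment, otherwise the alert drowns in false positives; the right way to set it is from a baseline of normal traffic, which is exactly what behavioral detection is for.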