Understand the ransomware virus

Ransomware is the biggest information security threat today, extorting billions of dollars from individuals and businesses of all sizes. In this interview, Alon Zucker, information security expert and CEO of SOPHTIX will provide tools to better understand the threat and how to deal with it. First interview in the series.

Alon Zucker is an information security expert and the CEO of SOPHTIX, a company that focuses on cyber protection and is one of the leading and most innovative companies in Israel in the field of information security. We sat down with Alon for an interview in which we tried to understand how to deal with the biggest cyber threat to the business world today - the ransomware virus, which marks the threatening direction in which the cyber world is moving: viruses that are more sophisticated and cruel than ever before, with an ever-increasing volume of attacks.

So first of all - what is the ransomware virus?
The ransomware virus is actually malware that encrypts the organization's files; as soon as it encrypts them, the organization or the computer owner has no ability to access its files: emails, office files, databases, and even CRM, ERP or other financial systems. In other words, the ransomware can encrypt the entire business. As soon as the customer has no access to his files, the business is disabled. There are cases where the virus is only a glancing hit, for example if only one folder was encrypted; it can be restored in half a day and nothing happened. But there are cases where all the business information is encrypted, and then even if it has a backup, everything still needs to be restored. For example, if the business has 50 computers, you need to format each computer and reinstall everything on it. Businesses get to a point where they can't work for weeks, and the result can be fatal, even if they had a backup.

Do ransomware attacks focus more on businesses?
There are cyber attacks against users of all types and sizes, starting from a private person who mainly keeps photos of his children and ending with huge organizations with information systems worth hundreds of millions of dollars. In general, it can be said that cybercriminals use ransomware mainly against small and medium-sized businesses, since they are usually the weak link: they are likely to be more vulnerable in terms of information security than large businesses, which invest huge budgets in protecting their information systems.

In general, it can be said that just as any business, of any size, is exposed to physical break-ins or embezzlement, so it is with cyber. The crime scene has simply moved there. If we were once afraid of break-ins in which money, equipment or information would be stolen, today it happens at the cyber level. The difference is that today the threat is much more serious, for two reasons. First, today there are ways of camouflage to achieve anonymity, and it is difficult for all bodies to find out who you are and where you come from, so that if in the past criminals would avoid certain crimes for fear of being caught, today anonymity on the Internet gives criminals a mask and the possibility of remaining "in the shadows". Secondly, today a cyber criminal does not have to be a skilled hacker to be an attacker; there are professional hackers who create malware and sell it as products on the darknet. Thus, people without an extensive technical background can participate in crime, and a large mass of attackers regularly enters the field.

Where do most cyber attacks come from?
Most of the operations are carried out from Russia, but also from Africa and China. An interesting issue to think about in this context is why the local government officials do not do more to locate and block malicious activity in their territory.

Why is it so difficult to track down the source of the hacks and catch the criminals?
Because many times the attack is carried out through a chain of "host" computers in different countries. The attack can originally come from Africa, and from there hack into China, from China hack into Iran, and from there hack into the victim's computer and implant the ransomware virus in it. Tracing back the entire chain and finding out who is at the end is an almost impossible task.
Beyond that, there are also tools that enable anonymity and help them, such as the darknet. The darknet is a general term for networks that are layered on top of existing networks, and access to them requires certain software. Tor is one of the popular darknet networks; among its capabilities is masking, which does not allow the discovery of the surfer's IP address. Using Tor is legitimate, but criminals exploit it for illegitimate activities.

How do you get infected with a ransomware virus?
The most common method is via e-mail. This is an e-mail message which tries to look legitimate, with, for example, a fake invoice or a link attached. The email is addressed directly to a specific person and will often come disguised as an email from large companies, such as Amazon or DHL. In more sophisticated cases, which I will expand on later, they may also come from senders that the "victim" knows directly - company colleagues and the like.

The recipient, in his innocence, opens the link or the attached file and gets infected with the virus. Viruses can also penetrate a computer by browsing a website that looks completely normal but actually carries a virus; as soon as a surfer enters it, the virus penetrates his computer. Other ways a virus can penetrate are through a flash drive that someone inserted into one of the computers, or through a smartphone that has been infected with a virus, from which the virus can pass to the computer. It could be through someone who connected remotely to help, or through a supplier of the CRM, ERP or other software. Every connection interface, network or local, is an attack vector.

The more sophisticated attacks use the technique of "social engineering", which is a form of fraud. At this level you can find software that scans social networks, for example the LinkedIn profiles of a certain company. These programs can target one of the employees in the organization and send emails to the other employees in the organization supposedly on his behalf, with content and subject lines that match his role in the organization. In these cases, the chance that no one will open a legitimate-looking email coming from one of his colleagues is very low.

In conclusion, the technological world we live in today is full of loopholes, and even though we must try to plug all the holes as best we can, new holes and loopholes will always be found. So the paradigm through which organizations approach protection must change. You have to start thinking like the attackers and stop the attacks at an earlier stage of their development. You need to change your attitude.