Ransomware: an unprecedented September 2020
In September we identified nearly 270 ransomware attacks around the world, an explosion compared with previous months, even though June and August had already been marked by intense cybercriminal activity. But beware of optical illusions.
In France we counted 10 confirmed attacks, plus one suspected case not confirmed at this stage, against 8 in August and almost as many in July. Confirmed attacks appear in the timeline that we update regularly. At Intrinsec, Cyrille Barthelemy reports 13 cases handled "in crisis mode" in September, against 10 in August.
He adds that his response capacity was obviously not the same in the middle of summer as at the September return. At I-Tracing, Laurent Besset counts 9 incident-response engagements during the past month, against 4 the month before. At Advens, Benjamin Leroux reports 3 major and fewer than 5 minor engagements, but nonetheless 150 detections of threats liable to lead to a ransomware detonation, Emotet in particular.
At the beginning of September, the French national cybersecurity agency (ANSSI) indicated that it had handled 104 ransomware attacks since the start of the year, against 54 for the whole of 2019. And of course that figure does not account for cases outside its intervention perimeter.
On the Cybermalveillance.gouv.fr platform side, Jérôme Notin, general manager of the GIP ACYMA, reported, again in early September, 1,082 ransomware reports to date since the platform's launch on 4 February, 44% of them from companies or associations and 10% from administrations or local authorities. For September, Jérôme Notin notes 131 requests for assistance, against 104 in August and 122 in July.
In France, then, it seems difficult at this stage to speak of an explosion. But while the upward trend appears less pronounced than for the rest of the world, the threat is undoubtedly being maintained at a high level.
The situation has at least two explanations, which suggest that the threat is not about to diminish in the near future. We develop them below, after the timeline.
Very fertile ground
The first element of explanation is the multiplication of disclosed vulnerabilities that open the doors of public and private organisations' information systems. We are thinking in particular of remote access systems, or VPN servers, with the CVE-2019-19871 vulnerability for Citrix NetScaler Gateway systems, CVE-2020-3452 for Cisco ASA, CVE-2019-11510 for Pulse Secure VPN, CVE-2020-5902 for F5 systems, CVE-2010-2021 for Palo Alto Networks and CVE-2018-13379 for Fortinet VPN servers.
And that is not all. To this must be added certain application vulnerabilities prized by attackers, such as CVE-2020-6287 for SAP NetWeaver or CVE-2019-11580 for Atlassian Crowd servers ... or the many RDP services exposed online without Network Level Authentication (NLA).
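One concrete way to audit the RDP exposure mentioned above is to offer a server only legacy "standard RDP security" and see whether it refuses with HYBRID_REQUIRED_BY_SERVER, which is what enforced NLA looks like on the wire. The script below is an added example, not part of the original article; it follows the X.224 / RDP_NEG_REQ negotiation from MS-RDPBCGR, and is meant to be run against one's own Internet-facing hosts (the sample replies are constructed, not captured traffic).

```python
import socket
import struct

# Constants from MS-RDPBCGR (X.224 Connection Request/Confirm with RDP_NEG_* payloads).
TYPE_RDP_NEG_RSP = 0x02
TYPE_RDP_NEG_FAILURE = 0x03
PROTOCOL_RDP = 0x00000000           # legacy "standard RDP security": no TLS, no NLA
HYBRID_REQUIRED_BY_SERVER = 0x05    # failure code: server insists on CredSSP, i.e. NLA
FAILURE_CODES = {1: "SSL_REQUIRED_BY_SERVER", 2: "SSL_NOT_ALLOWED_BY_SERVER",
                 3: "SSL_CERT_NOT_ON_SERVER", 4: "INCONSISTENT_FLAGS",
                 5: "HYBRID_REQUIRED_BY_SERVER", 6: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER"}

def build_connection_request(requested_protocols=PROTOCOL_RDP):
    """TPKT + X.224 Connection Request + RDP_NEG_REQ offering only the given protocols."""
    neg_req = struct.pack("<BBHI", 0x01, 0x00, 8, requested_protocols)
    # LI=14: CR code (1) + dst-ref (2) + src-ref (2) + class (1) + RDP_NEG_REQ (8)
    x224_cr = bytes([0x0E, 0xE0, 0, 0, 0, 0, 0]) + neg_req
    return struct.pack(">BBH", 3, 0, 4 + len(x224_cr)) + x224_cr   # TPKT header, 19 bytes total

def classify_response(data):
    """Turn the server's X.224 Connection Confirm into an NLA verdict."""
    if len(data) < 11 or data[0] != 3 or data[5] != 0xD0:
        return "unexpected"
    if len(data) < 19:
        return "nla_not_enforced (no RDP_NEG_RSP, legacy RDP security)"
    neg_type, _flags, _length, value = struct.unpack("<BBHI", data[11:19])
    if neg_type == TYPE_RDP_NEG_RSP and value == PROTOCOL_RDP:
        return "nla_not_enforced (server accepted standard RDP security)"
    if neg_type == TYPE_RDP_NEG_FAILURE:
        if value == HYBRID_REQUIRED_BY_SERVER:
            return "nla_enforced"
        return "nla_not_enforced (%s)" % FAILURE_CODES.get(value, hex(value))
    return "unexpected"

def check_rdp_nla(host, port=3389, timeout=5.0):
    """Probe one of your own exposed RDP endpoints and report whether NLA is enforced."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_connection_request())
        return classify_response(sock.recv(64))

# Constructed sample replies (not captured traffic) so the classifier can be exercised offline.
X224_CC_HEADER = bytes([3, 0, 0, 19, 0x0E, 0xD0, 0, 0, 0x12, 0x34, 0])
SAMPLE_NLA_ENFORCED = X224_CC_HEADER + struct.pack("<BBHI", TYPE_RDP_NEG_FAILURE, 0, 8, 5)
SAMPLE_LEGACY_RDP = X224_CC_HEADER + struct.pack("<BBHI", TYPE_RDP_NEG_RSP, 0, 8, PROTOCOL_RDP)

if __name__ == "__main__":
    print(classify_response(SAMPLE_NLA_ENFORCED))
    print(classify_response(SAMPLE_LEGACY_RDP))
```

A server that answers the probe with SSL_REQUIRED_BY_SERVER enforces TLS but still lets clients reach the logon screen before authenticating, so it is reported as not enforcing NLA.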
In fact, any vulnerability that yields initial access to an information system is liable to be exploited, and that access then sold on to other cybercriminals. Ransomware operators are particularly fond of such accesses, sometimes offered for sale for what looks like a pittance compared with the ransoms subsequently demanded.
On top of that come vulnerabilities like Zerologon, which can accelerate the takeover of the victim's Active Directory once the attackers are inside, if the patches have not been applied.
Particularly active cybercriminals
To this fertile environment is added increased aggressiveness on the part of attackers. Emotet recently made a noisy comeback, affecting businesses, the judiciary and even local authorities, as in Besançon. The BSI, the German counterpart of ANSSI, began alerting locally to the threat at the beginning of September, after a first awareness campaign launched in early August.
For its part, Proofpoint mentioned it at the end of August, referring to messages in French ... but without listing France among the targets. ANSSI recently sounded the alarm. And rightly so, because, as Nicolas Caproni, head of threat intelligence at Sekoia, recently put it: "Detecting Emotet, Trickbot or Qakbot is surely the warning sign of a larger attack".
Added to this is the emergence of new ransomware practising double extortion: the ransom is demanded not only to decrypt the data, but also to avoid its disclosure. The newcomer Conti is particularly aggressive, but MountLocker, SunCrypt, LockBit and Egregor (formerly Sekhmet) must also be reckoned with. The best known, such as Maze and REvil/Sodinokibi, have not hung up their gloves. And then there are the more "discreet" ones, such as RansomExx, Ekans and Ryuk.
Precisely this phenomenon calls for a degree of caution: the considerable rise in the number of ransomware families practising double extortion is liable to produce a magnifying-glass effect. The number of known attacks is higher not only because attacks are more numerous, but also because more of them are made public. An analysis shared by Jérôme Notin.
A mafia that feeds on its victims
In addition, the multiplication of victims itself calls for a further multiplication of victims. As Fabien Lorc'h, of Airbus CyberSecurity, points out, "when a major player like [CMA CGM] is affected, the entire sector and [its] contacts become even more at risk, pivoting from one target to another. In the end, to venture a metaphor, a ransomware campaign is like a pandemic: a single patient affected, and that is a lot of contact cases".
In fact, the data stolen by cybercriminals before triggering their ransomware are a real gold mine for future highly targeted phishing campaigns ... made all the easier by the use of very real information gleaned during the previous attack. A single list of thousands of e-mail addresses with a few additional personal details can already constitute a formidable starting point. In mid-July, Brett Callow, at Emsisoft, drew our attention to one such suspicious case. And that is without counting the use of technical interconnections. Or the illusion of security that comes from insufficient clean-up of the compromised information system.
And then each ransom paid allows cybercriminals to recruit new accomplices. Recently the REvil group, operator of the Sodinokibi ransomware, could afford the luxury of putting down a deposit of almost $1 million, in bitcoin, on a forum assiduously frequented by cybercriminals, as a guarantee for future recruits. While detailing how the loot is shared ...
For if ransomware gangs start by buying access to the information systems of potential targets, they then hire hackers capable of taking advantage of it to compromise the Active Directory domain controller and deploy their payload. Before sharing the proceeds.
How to protect yourself
In fact, financially motivated cybercrime borrows heavily from APT techniques, as Ivan Kwiatkowski of Kaspersky's research and analysis team underlined in our columns in early February. Concretely, this means that the attack extends deep into the information system, until it obtains administrator-level privileges that give very broad access to the compromised company's data.
This is why, when the ransomware detonates, it is really too late. And the Active Directory infrastructure must be firmly protected and designed robustly, in distinct tiers according to the criticality of roles, without ever mistaking replication for a backup.
The security of potential entry points exposed on the Internet is undoubtedly crucial, with the application of available patches for known vulnerabilities. And that is without counting protection against threats spread by e-mail, starting with Emotet, as we recently detailed.
Beyond that, it is advisable to limit as much as possible the attacker's capacity for lateral movement, as described in our columns by Benjamin Delpy, creator of Mimikatz, and to secure administration tools to prevent their hijacking by cybercriminals.