Between 12 and 15 May 2017, more than 200 000 computers in 150 countries were affected by WannaCry, ransomware that encrypted the data on the infected computers and asked for a ransom starting at several hundred US dollars in exchange for the code to decrypt it. It was one of the most widely covered ransomware incidents in the media.
The damages were estimated at between hundreds of millions and several billions of US dollars. At the end of 2017, the USA, Australia and the United Kingdom formally asserted that North Korea was behind the attack.
This is a serious issue for everyone whose life involves computers, and it should be treated as such.
According to Beazley Breach Response (BBR) Services, 71% of ransomware attacks targeted small businesses, with an average ransom demand of $116,324 and a median of $10,310, based on an analysis of 3,300 incidents involving its clients in 2018.
Look at this 2018 report on the payments made to cybercriminals to recover encrypted data:
The attackers go after anyone who has something to lose: hospitals and other facilities vital to people's lives, small and big businesses, institutions, and so on. There is no mercy in their minds.
Ransomware is on the rise, with an increase of nearly 750 percent in the last year.
Cybercrime-related damages are expected to hit $6 trillion by 2021.
But what is ransomware and how does it work?
Ransomware is malicious software (malware) that locks your hard drive or encrypts your files and demands money to restore access to your data.
It is a form of malware that often targets both human and technical weaknesses by attempting to deny an organization the availability of its most sensitive data and/or systems.
A bad actor uses a phishing attack or another form of hacking to gain entry into a computer system. One common way ransomware gets onto your computer is as an email attachment that you download by accident. Once the machine is infected, the ransomware encrypts your files and blocks access to them.
The hacker then makes it clear that the information has been taken and offers to give it back if the victim pays a ransom.
Victims are usually asked to pay the ransom in Bitcoin. If the ransom is paid, the cybercriminals may unlock the data or send a key for the encrypted files. Or they may not unlock anything after payment, as we will see below.
Real and recent case
So, that was the past. In late 2019, a friend of mine who owns a small hotel was "granted" a ransomware attack. He didn't pay the money asked (around $1000), but in exchange he had to reinstall and recover all the data on the main computer. It cost around $2500 and a couple of months.
In April 2020, another ransomware attack took place, and this time the amount asked was $1500.
After some negotiations, the accepted price was $750. The address where the BTC was to be sent was 12yECQeh8Pz9PxhKmnxjuDnCNw9depQtbD
Here is the conversation flow between the hacker and the victim:
As you can see, after the payment of the equivalent of $750, the hacker sent a first part of the decryption process and after that went silent.
The money and the data from the computer were lost.
Let's see what I found by following the money:
First, the coins were left for a few days in that account. After a week, they were moved through several accounts until a first split was done:
I followed both addresses to see what happened further along. The smaller amount, the $97, landed in a pool with a $38K turnover.
The bigger amount was divided in two:
From this point, another $11.86 was gathered in another pool, maybe a sort of fee for the hackers:
The $636 is then divided into $32 and $604: https://explorer.bitcoin.com/btc/tx/a2cf332b2f35dde063a78e02b2ccb2a2a56f79298fac5c777e239904dc10caa8
From this, I reached the first bigger fish: an address with a $168K turnover, and it seems to make regular payments whenever 0.5 BTC has been gathered: https://explorer.bitcoin.com/btc/address/1LsVbEx27H3ejGaq5HDCtxGiBwsChXxwpD
This is one of the addresses where a payment from the previous one was made (0.622 BTC, 24 May): https://explorer.bitcoin.com/btc/address/3BREFT1Nz1PS7JB7hT1Row8ELsNbDUt5wt
BUT THIS IS BIG: a $5.2 million turnover: https://explorer.bitcoin.com/btc/address/37FQzapmd4RttBNeWs1YcgUGpCQiWrRFgK
Here is a 1.64 BTC deposit: https://explorer.bitcoin.com/btc/address/3HSkkTH5ymLwiPK6kLA2DmmV8AHzDNu931
And it seems I found a pattern: this is an address where everything is split into big amounts sent to 3 addresses: https://explorer.bitcoin.com/btc/tx/c5934ff2accdcc662b8dd2769ca00cef18aedbcd53372a24e886b96539b8939a
A medium fish of 35 BTC: https://explorer.bitcoin.com/btc/address/179K5ai6ZydwE6NLmV7udw3VzaLWtV2cLY
And the work could continue. I'd like to see how we can catch those scammers and expose them.
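The forward trace described above, as an added Python example that is not from the original post: it walks a constructed transaction graph (placeholder addresses and amounts, not the real ones listed above) from the ransom address, flags the split transactions, finds the pool where funds from several victims are gathered, and sizes each reached address by its total inflow, the "turnover" used above to rank the fish.

```python
from collections import defaultdict

# Constructed ledger with placeholder addresses and amounts (NOT the real ones
# from the post): txid -> (addresses spent from, {address paid: BTC amount}).
LEDGER = {
    "tx_ransom":  (["victim"],       {"ransom_addr": 0.0800}),
    "tx_hop":     (["ransom_addr"],  {"hop_a": 0.0799}),
    "tx_split1":  (["hop_a"],        {"small_pool": 0.0103, "branch": 0.0695}),
    "tx_split2":  (["branch"],       {"fee_pool": 0.0013, "main": 0.0680}),
    "tx_split3":  (["main"],         {"leaf": 0.0034, "aggregator": 0.0645}),
    "tx_other":   (["other_victim"], {"aggregator": 0.5000}),
    "tx_cashout": (["aggregator"],   {"ex_1": 0.30, "ex_2": 0.20, "ex_3": 0.0645}),
}

def follow_the_money(ledger, start):
    """Walk forward from `start` (the ransom address) through every transaction
    that spends reached funds. Returns (reached addresses, txids that split
    funds into several outputs, total inflow per reached address)."""
    spends = defaultdict(list)          # address -> txids spending from it
    for txid, (inputs, _) in ledger.items():
        for addr in inputs:
            spends[addr].append(txid)
    reached, splits, queue = set(), [], [start]
    while queue:                         # breadth-first, each address once
        addr = queue.pop(0)
        if addr in reached:
            continue
        reached.add(addr)
        for txid in spends.get(addr, []):
            outputs = ledger[txid][1]
            if len(outputs) > 1:
                splits.append(txid)
            queue.extend(outputs)
    turnover = defaultdict(float)        # the post's 'turnover' per address
    for _, outputs in ledger.values():
        for addr, amount in outputs.items():
            if addr in reached:
                turnover[addr] += amount
    return reached, splits, dict(turnover)

def aggregation_points(ledger, reached):
    """Reached addresses funded by more than one transaction: the pools where
    payments from several victims are gathered before being moved on."""
    funders = defaultdict(set)
    for txid, (_, outputs) in ledger.items():
        for addr in outputs:
            funders[addr].add(txid)
    return sorted(a for a in reached if len(funders[a]) > 1)
```

In a real investigation LEDGER would be filled from a block explorer's transaction data; the walk and the turnover ranking stay the same.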
What to do to avoid these situations:
Tips for IT leaders (but also for everybody involved):
To prevent a ransomware attack, experts say IT and information security leaders should do the following:
- Keep clear inventories of all of your digital assets and their locations, so cyber criminals do not attack a system you are unaware of.
- Keep all software up to date, including operating systems and applications.
- Back up all information every day, including information on employee devices, so you can restore encrypted data if attacked.
- Back up all information to a secure, offsite location.
- Segment your network: Don't place all data on one file share accessed by everyone in the company.
- Train staff on cyber security practices, emphasizing not opening attachments or links from unknown sources.
- Develop a communication strategy to inform employees if a virus reaches the company network.
- Before an attack happens, work with your board to determine if your company will plan to pay a ransom or launch an investigation.
- Perform a threat analysis together with your vendors, reviewing the cyber security of a particular device or application throughout its lifecycle.
- Instruct information security teams to perform penetration testing to find any vulnerabilities.
Mitigating an attack
If your company is hit by ransomware, you can explore the free ransomware response kit for a suite of tools that can help. Experts also recommend the following to limit the damage of an attack:
- Research whether similar malware has been investigated by other IT teams and whether it is possible to decrypt it on your own. About 30 percent of encrypted data can be decrypted without paying a ransom, Kolochenko of High-Tech Bridge says.
- Remove the infected machines from the network, so the ransomware does not use the machine to spread throughout your network.
- Decide whether to open an official investigation, or pay the ransom and take it as a lesson learned.
That's all, folks. The conclusion: the simplest way to save money is to back up your data daily, or weekly if you cannot do it daily, to a USB stick stored away from the computer.
Be well and take care!