
With 3 attacks discovered in a month, it’s time to take ransomware seriously

by admin

A company that transports petroleum, one that produces audio appliances and another that manages the health system of an entire country: in May alone, three organisations, different in their interests and in their position in the world, were united by a single problem, that of having to deal with a ransom demand.

Today many threats come from the Net, where highly sophisticated criminals are able to take control of a computer system and lock away its contents, releasing them only on condition that the victim is willing to pay a sum they have decided. The weapon is called ransomware, an English term formed from the contraction of the words ransom and malware, i.e. malicious software. And the main problem is that too many organisations are still not ready to face yet another digital challenge.

The bad example of the Colonial Pipeline
Among them is Colonial Pipeline, the company that operates one of the largest oil pipelines in the United States, which on May 8 had to halt operations because of a ransomware attack, causing serious fuel shortages all along the East Coast. The episode triggered a real rush to filling stations, because the company carries about 45% of the coast's fuel along 8,900 kilometres of pipeline. The entire plant ended up in the hands of criminals, who returned it to its rightful owners only after a payment of nearly $5 million in Bitcoin.

“The luck, if we can say so, is that the intent of the attackers was exclusively to profit from the victim, rather than to cause more serious damage with potential political repercussions,” Stefano Zanero, IT security expert and associate professor of Computer Security at the Politecnico di Milano, explained to Italian Tech. “But in my opinion the episode raises a much bigger problem, because if similar infrastructures can be attacked by criminals, then so could state entities. With very different and potentially more devastating outcomes.”

Behind the attack on Colonial Pipeline there would be a group of Russian criminals (probably a gang known as DarkTrace), as the analyses of numerous experts and of the American federal authorities suggest: they found that the ransomware used was programmed not to act on computers that use Cyrillic. And it is precisely from Eastern Europe that most threats seem to arrive, according to the reports of the main companies in the IT security sector.

But how does ransomware work?
With roots almost as old as computer science itself, ransomware are tools capable of encrypting a piece of data (or a set of data) following patterns generally known only to the attacker. Once processed by such software, the information becomes unreadable to anyone who does not have the decryption key (a deciphering key), a kind of antidote that is released in exchange for payment of the ransom. Almost always.
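To make that mechanism concrete from the defender's side, here is an added example (not part of the article) of how a monitoring tool can notice the moment a process starts turning readable files into ciphertext: each file write is scored by whether a second extension has been tacked onto the name and by the entropy of the bytes written, and an alert is raised only when a single process produces many such writes within a short window. The event format, process names and byte samples are constructed for illustration.

```python
import math
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed file-write events for illustration (not taken from the article).
# One event per line: <ISO timestamp> <process> <path> <hex of first 16 bytes written>
SAMPLE_EVENTS = """\
2021-05-08T03:00:01 winword.exe C:/Users/a/report.docx 504b0304140006000800000021000000
2021-05-08T03:00:03 notepad.exe C:/Users/a/notes.txt 48656c6c6f20776f726c642e2e2e2e2e
2021-05-08T03:00:05 backup.exe D:/bak/chunk1.zst 17c4a9de62f08b3e5d71fa0c94be26a8
2021-05-08T03:00:06 backup.exe D:/bak/chunk2.zst e3b19c4d77a0f2865e1bc3d8490fa6c2
2021-05-08T03:10:00 updater.exe C:/Users/a/pics/1.jpg.locked 9f3c7ae1b02d5c88e4f61a7b3d0c9e52
2021-05-08T03:10:01 updater.exe C:/Users/a/pics/2.jpg.locked 17c4a9de62f08b3e5d71fa0c94be26a8
2021-05-08T03:10:02 updater.exe C:/Users/a/docs/q1.xlsx.locked e3b19c4d77a0f2865e1bc3d8490fa6c2
2021-05-08T03:10:03 updater.exe C:/Users/a/docs/q2.xlsx.locked 4a8e21f7d3c69b05e8f4a7c10d3b9e6f
2021-05-08T03:10:04 updater.exe C:/Users/a/docs/cv.pdf.locked c7d2e94f18a36b0e5ac1f8d47b2e9036
"""

def normalized_entropy(data: bytes) -> float:
    """Shannon entropy of a byte sample scaled to 0..1; ciphertext sits near 1.0."""
    n = len(data)
    if n < 2:
        return 0.0
    h = -sum(c / n * math.log2(c / n) for c in Counter(data).values())
    return h / math.log2(min(n, 256))

def looks_encrypted(path: str, data: bytes, threshold: float = 0.9) -> bool:
    """Suspicious write: a second extension tacked onto a user file (report.docx ->
    report.docx.locked) or content that is near-uniform, as encrypted output is."""
    double_ext = path.rsplit("/", 1)[-1].count(".") >= 2
    return double_ext or normalized_entropy(data) >= threshold

def detect_mass_encryption(lines, window=timedelta(seconds=60), min_hits=5):
    """Map process -> most suspicious writes it made inside any `window`. Rate is the
    signal: a few ciphertext-like writes are normal (backups); many per minute are not."""
    hits = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        ts, proc, path, hexdata = line.split()
        if looks_encrypted(path, bytes.fromhex(hexdata)):
            hits[proc].append(datetime.fromisoformat(ts))
    flagged = {}
    for proc, times in hits.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:  # slide the window forward
                start += 1
            if end - start + 1 >= min_hits:
                flagged[proc] = max(flagged.get(proc, 0), end - start + 1)
    return flagged
```

With the sample above, `backup.exe` writes two high-entropy chunks but stays under the rate threshold, while `updater.exe` is flagged for five ciphertext-like writes in four seconds.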

An exception is the episode involving the infrastructure of the Irish health system, which suffered an attack of this type that knocked out bookings and laboratories all over the country: the attackers themselves partially remedied it, releasing the decryption key for free, probably after realising that, of all the times someone could dream of attacking a state's hospital infrastructure, this was by far the worst. A blackmail mitigated, however, but of enormous scope: “We have a lot of sensitive data and we will publish it if you don't pay the ransom,” the criminals clarified. They had repented, but not too much.

How is it resolved?
“As trivial as it may seem, the only possibility is to try your best to prevent the attack from happening, or in any case to make it fail,” Zanero underlined, “with targeted strategies and by providing for recovery procedures that put an organisation in a position to solve the problem as quickly as possible and without paying the ransom.” To do this, backups and incident response procedures come in handy, ensuring that organisations, private or public, are able to get back a copy of their data if the data seized by the hackers is not returned.

There is a way to react quickly, as the case of Bose proved: the company, which specialises in the production of audio devices, got rid of a ransomware that had hit it within a few days, without paying any ransom. “But one of the problems that companies have to face is that of timing,” Zanero pointed out. “Often they would be able to resume operations even in 20 days, but the cost of such a wait would be so high that sometimes people prefer to pay the ransom, in the hope that the other party will honour the agreement.”

An ancient lesson
Since the beginning of 2021, according to the Washington Post, no fewer than 26 US government organisations have been victims of cyber-blackmail, and although it is difficult to obtain a similar statistic for the private sector, which is generally more reticent about information that could compromise companies' credibility, analysts agree that ransomware attacks are on the rise.

“For such threats to fulfil their purpose, there must be a favourable terrain for the attacker's aims,” observes Stefano Di Paola, CTO of MindedSecurity and protagonist, in spite of himself, of an attack that is still a lesson in the world of information technology. The episode dates back to April 2016, when a group of digital bandits took possession of the infrastructure of MedStar Health, one of the main hospital chains in the Washington area. As soon as the attack occurred, compromising the networks of 10 facilities including clinics and hospitals, it was immediately clear that the intrusion had come through a vulnerability discovered and reported 9 years earlier by Di Paola and his partner, Giorgio Fedon.

“We identified this vulnerability in our daily work of researching problems in software and applications,” Di Paola recalls. “Specifically, it was a problem in RedHat's JBoss application,” a very popular operating system on company servers. “Having made the report, RedHat thanked us and immediately released an update for all its systems, but the problem is that often, due to disorganisation or misallocation of resources, an update might get lost, leaving an entire system exposed to old problems which, at that point, are perfectly known even to the attackers.”

In the case of MedStar Health, the software used to carry out the attack was designed specifically to scan the Net for connected devices vulnerable to an attack on JBoss. In the end, the company had no choice but to face a ransom note for 9 thousand Bitcoins, which at the time were worth close to 4 million dollars: “Unfortunately, too many organisations, public and private, are still exposed to very old vulnerabilities,” Di Paola explained. “In addition, the tools to identify potential easy targets are even more accessible.”

The case of Italy and the effects of the GDPR
An example of this is our country, where the only study on the subject that has been made public concerns the content management systems (platforms such as WordPress or Joomla) used by the municipalities of the boot: a survey published by breaking latest news in 2018, carried out thanks to the work of mes3hacklab (Mestre HackLab), revealed that 67% of the domains and subdomains analysed had not been updated for more than a year and that 29% of the sites using WordPress had not been updated since 2015.

“Today, a search on Shodan (a popular search engine for devices connected to the Net) is enough to find out which ones are vulnerable or not,” added Di Paola. “And whether in front of us there are cyber spies or simply thieves who intend to make a profit, the choice of which weapons to use is extremely facilitated.” The GDPR, the General Data Protection Regulation, put a stop to this, as it “imposed a change of course and greater accountability of the victims, sometimes responsible for neglect, which is the first ingredient for becoming a target”. Zanero's assessment is similar: “The empirical data show that Italy is not more protected than other realities, and in some cases the risk of having to pay a ransom is still preferred to the burden of allocating funds consistent with the organisation's protection needs.”

However, with the GDPR and the Cyber Perimeter, which imposes high security standards on all critical infrastructure, things are slowly changing: until our country finds itself at the centre of the battlefield, there may still be some time to secure our assets. But not much.
