Yoann Chevalier of Excellium Services. Photo: Mike Zenari
Ransomware appears to be receding in Luxembourg, but real risks remain. Who’s vulnerable, what are best practices to avoid getting hit, and what should you do if you’re attacked?
1. What is ransomware?
The more accurate description is “cryptoransomware” which “is a term for a malware type that blocks access to data on resources of the victim unless a ransom is paid,” states Pascal Steichen, CEO of Securitymadein.lu, a government-backed cybersecurity clearing house. “Cryptoransomware is not a new phenomenon. The first cryptoransomware was released in 1989, the ‘Aids Trojan’.” But it remained niche and not particularly lucrative.
That changed in 2013, with the rise in “anonymous payment methods like blockchain-based bitcoin,” says Steichen. “Cryptoransomware became a lucrative and somehow safe model for attackers to demand money from victims.”
Ransomware attacks typically arrive as an email attachment that is initially not detected by an individual user, says Yoann Chevalier of Excellium Services, a computer security firm based in Contern. “When he opens the attachment, nothing happens for [the user], but in the background, the attacker gets access to the machine. Depending on the security in place in the company, the attacker can get remote access, steal credentials, then use it to connect remotely to different systems.” While the range of malware apps differs, “the infection vector is quite the same. You don’t see it immediately, and if you’re not aware of it, you can leave this back door open for six months and you will see it only if the attacker then deploys a ransomware” programme.
2. How does ransomware software work?
“Typically ransomware will list all your files on your local computer, then begin to encrypt them with a secret key,” explains Chevalier. “It will, most of the time, exfiltrate this key to the attacker. This is the thing you will need to decipher your files.” Ransomware programmes “don’t only look for files on the local machine, but also all the connected devices,” such as USB storage keys and other machines on the same network, he says. Depending on “which type of malware, it may change the background to display an alert, it may add companion files in each directory or fill the desktop with the instructions. In this file, it explains that all [your] files have been ciphered and how to pay the ransom to get them back.”
Chevalier continues: “They focus on files that are important for users, so maybe documents, photos, videos, but for example, [the operating system or specific applications] are not impacted because they don’t care about it.”
“This is a very effective method to prevent a victim from accessing his data ever again without knowing the correct decryption key,” explains Steichen. “Assuming the implementation of the encryption process is done correctly--yes, sometimes also malware authors produce bugs in their code or don’t understand all elements correctly--there is no other way than using the private key generated by the attacker to decrypt the files.”
“Obviously, the attacker demands the payment of a certain amount of money in exchange for the cryptographic key,” says Steichen. “Usually, once the money is received, the victim receives a decryption tool containing the key to decrypt all the files back. There is, of course, no guarantee that the attacker delivers the key or decryption tool after payment.”
In addition, occasionally the malware programme does not correctly exfiltrate the encryption key to the attacker, says Chevalier, “so even if you pay, you will never get your files back because the attacker doesn’t have the key.”
Securitymadein.lu “dealt with around 200 documented cases throughout the last six years,” Steichen reports. Of course, those are only people and organisations that have asked his outfit for help. “Apart from that, it can be estimated that there is a certain amount of unreported cases.”
Excellium Services has seen ransomware infections drop drastically. “We had seven cases in 2015 and eight in 2016 in Luxembourg,” says Chevalier. Since then, none of the firm’s Luxembourg clients has faced an attack.
4. Threat assessments
“Organisations should take all types of cybercrime seriously. Although ransomware isn’t quite as prevalent as before, there are still risks involved,” comments Jim Cox, regional director Benelux at Proofpoint, an American cybersecurity service provider. Globally, “finance, manufacturing, technology, healthcare and retail were the industries” that faced the highest “attack severity and risk” of email attacks, according to Cox.
“The risk is real in Luxembourg as a digital nation,” says Jerome Jean, cybersecurity lead at NTT Luxembourg, an IT services outfit. “The more digital you are, the more connected you are, the more exposed you are.”
Indeed, Steichen does not think the issue of ransomware has been sensationalised by the media. “The threat is real and a serious risk, the outages are high, the time-to-recover can be large and the ransom payments substantial. Assessing what is at stake, this risk is to be considered massive.”
5. Do size and sector matter?
“Until a company has suffered an attack, cybersecurity appears only as a cost and the management does not always see the benefits, so only the sectors under specific regulation are proactively taking care of it, like the financial sector, [which] is better prepared and staffed to handle these attacks,” notes Jean.
“It’s not more targeted between one sector and another, but not all sectors are [as] prepared as others,” concurs Chevalier. “For example, banks and insurance companies have good security maturity, so they’re not infected as much as others.” On the other hand, industrial firms tend to be less prepared. So they’re not targeted more often, “but more impacted.”
The same goes for organisation size. Hackers do not focus more on large groups or small outfits. Rather, “they target everyone,” reckons Chevalier. The potential consequences again come down to “the different security maturity of the company.”
Cox agrees: “While larger organisations may be attractive for their deep pockets, smaller companies may be more vulnerable due to relative lack of controls and awareness, both of which create lucrative potential outcomes for threat actors.”
Steichen says it is “not possible” to generalise about who faces the deepest threats. Many individuals “don’t have backups at all”, he says. “They would lose everything accessible on their computer in case of a successful attack. In professional environments, we have seen good and bad preparedness, regardless of the size of the company or structure.”
Increased connectivity is making the situation more complex. “The main risk can be [internet of things] devices, as their number is exploding, and there is virtually no security in place to protect in professional or personal usage,” observes Jean.
“The best measure you can take before an attack is functional backups, [stored] offline and tested,” says Chevalier. “We already faced [situations where] some clients had backups, but in the backup process there was a problem, so when we tried to restore the backup, [all the files] were corrupted.” So regular restoration tests are vital.
He also reiterated several times during his interview that organisations should keep backups offline (and not synced in real time). This can limit the damage from a malware attack. “Some people may do backup on a remote server, but if the remote server is always connected, when ransomware cyphers all the files, it will also do it on the backup.”
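A restore test is only meaningful if it catches the silent corruption Chevalier describes. As an added illustration, not code from the interviewees or their firms, the Python below records a SHA-256 manifest when the backup is taken and compares a restored tree against it, reporting corrupted, missing and unexpected files. The directory layout, file names and the “corrupted in transit” scenario in `demo()` are constructed for the example.

```python
"""Verify that a restored backup matches the manifest recorded at backup time."""
import hashlib
import tempfile
from pathlib import Path

CHUNK = 1 << 16  # read files in 64 KiB blocks so large backups do not load into memory


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each regular file under root (POSIX-style relative path) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_restore(restored: Path, manifest: dict) -> dict:
    """Compare a restored tree against the manifest taken at backup time."""
    actual = build_manifest(restored)
    return {
        # present in both, but the content hash differs: the backup or restore damaged it
        "corrupted": sorted(k for k in manifest if k in actual and actual[k] != manifest[k]),
        # recorded at backup time but absent after the restore
        "missing": sorted(k for k in manifest if k not in actual),
        # appeared after the restore without being in the manifest
        "extra": sorted(k for k in actual if k not in manifest),
    }


def demo() -> dict:
    """Constructed scenario: back up three files, then 'restore' them with one corrupted,
    one missing and one stray file, as a failed backup job might produce."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = Path(tmp, "source"), Path(tmp, "restored")
        for d in (src / "docs", dst / "docs"):
            d.mkdir(parents=True)
        originals = {
            "docs/report.txt": b"quarterly figures",
            "docs/plan.txt": b"roadmap",
            "notes.txt": b"misc",
        }
        for rel, data in originals.items():
            (src / rel).write_bytes(data)
        manifest = build_manifest(src)  # taken when the backup was made

        (dst / "docs/report.txt").write_bytes(b"quarterly figures")  # intact
        (dst / "docs/plan.txt").write_bytes(b"\x00" * 7)             # corrupted in transit
        # notes.txt was never written: missing from the restore
        (dst / "stray.tmp").write_bytes(b"leftover")                 # not in the manifest
        return verify_restore(dst, manifest)


if __name__ == "__main__":
    print(demo())
```

In practice the manifest is stored alongside the offline copy and the check runs against an actual test restore on a regular schedule, not only when an incident forces the question.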
Chevalier also recommends adding separation within company networks, “because if ransomware tries to infect other machines, if you have good network segregation, then it will limit the impact.” Next, install “security information and event management” software, which monitors activity on computer systems and issues alerts when it detects unusual situations. “Set up properly,” he says, “it will detect when ransomware is running” but before it has encrypted data. “You will have to quickly take action to block it, but it may reduce the impact if you detect the very beginning” of an attack. In addition, “have a good email policy, like ensure that you block some types of files,” such as “.exe” files embedded inside “.zip” files that are a favourite attachment technique of ransomware attackers.
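What “set up properly” can mean for detecting the very beginning of an attack: the Python below, added here and not taken from Excellium or any SIEM product, runs a simple heuristic over constructed file-server audit events. It alerts when one host renames many files to a new extension within a short window, the pattern of bulk encryption, or when a file whose name looks like a ransom note is created. The log format, the note-name regular expression, the 60-second window and the threshold of 20 renames are assumptions to be tuned per environment.

```python
"""Flag ransomware-like file activity in constructed, chronologically ordered audit events."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format (not any vendor's): ISO time <TAB> host <TAB> action <TAB> path
# For renames the path field is "old -> new".
RENAME_RE = re.compile(r"^(?P<old>.+?) -> (?P<new>.+)$")
# Assumption: generic ransom-note file-name heuristic, not a list of real families
RANSOM_NOTE_RE = re.compile(r"how.?to.?(decrypt|recover|restore)|readme.*decrypt|decrypt.*instructions", re.I)
WINDOW = timedelta(seconds=60)   # tuning assumption
RENAME_THRESHOLD = 20            # tuning assumption


def _build_sample() -> list:
    """Constructed events: one user tidying a file on ws-17, then a burst on ws-42."""
    rows = [
        ("2019-05-06T09:00:01", "ws-17", "modify", "/shares/finance/q1.xlsx"),
        ("2019-05-06T09:00:05", "ws-17", "rename", "/shares/finance/q1.xlsx -> /shares/finance/q1_old.xlsx"),
    ]
    t0 = datetime(2019, 5, 6, 9, 12, 0)
    for i in range(25):
        t = (t0 + timedelta(seconds=i)).isoformat(timespec="seconds")
        rows.append((t, "ws-42", "rename",
                     f"/shares/hr/contracts/c{i:02d}.docx -> /shares/hr/contracts/c{i:02d}.docx.locked"))
    rows.append(((t0 + timedelta(seconds=26)).isoformat(timespec="seconds"), "ws-42", "create",
                 "/shares/hr/contracts/HOW_TO_DECRYPT_FILES.txt"))
    return ["\t".join(r) for r in rows]


SAMPLE_EVENTS = _build_sample()


def parse(line: str):
    ts, host, action, path = line.split("\t")
    return datetime.fromisoformat(ts), host, action, path


def _ext(path: str) -> str:
    base = path.rsplit("/", 1)[-1]
    return base.rsplit(".", 1)[-1].lower() if "." in base else ""


def detect(lines) -> list:
    """Return (host, time, reason) alerts; each host's rename burst is reported once."""
    recent = defaultdict(deque)  # host -> timestamps of extension-changing renames in WINDOW
    alerted = set()
    alerts = []
    for line in lines:
        ts, host, action, path = parse(line)
        if action == "create" and RANSOM_NOTE_RE.search(path.rsplit("/", 1)[-1]):
            alerts.append((host, ts.isoformat(), f"ransom-note-like file created: {path}"))
            continue
        if action != "rename":
            continue
        m = RENAME_RE.match(path)
        if not m or _ext(m["old"]) == _ext(m["new"]):
            continue  # ordinary rename that keeps the extension is not counted
        window = recent[host]
        window.append(ts)
        while ts - window[0] > WINDOW:   # slide the window forward
            window.popleft()
        if len(window) >= RENAME_THRESHOLD and host not in alerted:
            alerted.add(host)
            alerts.append((host, ts.isoformat(),
                           f"{len(window)} extension-changing renames within {WINDOW.seconds}s"))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(*alert, sep=" | ")
```

The rename burst fires on the twentieth file, a few seconds into the encryption run and well before the ransom note appears, which is the margin Chevalier refers to when he says early detection can reduce the impact. The response step (isolating the host, revoking its credentials) still has to be automated or staffed around the clock for that margin to matter.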
While raising awareness internally and training employees is important, “it will never be perfect,” says Chevalier. “The problem sometimes is it just needs one user to open the file to give the attacker a foothold in the company. So, yes, it helps, it will reduce the probability of occurrence, but yes, you can’t totally be sure that none of your employees will click” on an infected attachment.
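Because awareness alone will not stop every click, the e-mail policy Chevalier mentions is the control that does not depend on the user. As an added example, not code from the original article or from any of the firms quoted, the Python below inspects a ZIP attachment in memory and returns reasons to reject it: a blocked extension such as an .exe hidden behind a double extension, a Windows PE header under a harmless-looking name, an executable inside a nested archive, and password-protected entries that cannot be inspected at all. The blocked-extension list, the nesting limit and the sample archives are constructed assumptions.

```python
"""Reject e-mail attachments that hide executables inside ZIP archives."""
import io
import zipfile
from typing import Optional

# Assumptions for the example: what the gateway treats as executable content
BLOCKED_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".jar", ".bat", ".cmd", ".ps1", ".hta", ".msi", ".dll"}
MAX_DEPTH = 3                 # archives nested deeper than this are rejected outright
PE_MAGIC = b"MZ"              # Windows PE/COFF executables start with these bytes
ZIP_MAGIC = b"PK\x03\x04"     # local file header of a ZIP entry


def looks_executable(name: str, head: bytes) -> Optional[str]:
    """Check both the file name and the first bytes: attackers rename executables freely."""
    lower = name.lower()
    for ext in BLOCKED_EXTENSIONS:
        if lower.endswith(ext):
            return f"blocked extension {ext}"
    if head.startswith(PE_MAGIC):
        return "PE header despite harmless extension"
    return None


def inspect_zip(data: bytes, depth: int = 0, prefix: str = "") -> list:
    """Return reasons to reject the archive; an empty list means it looks clean."""
    if depth > MAX_DEPTH:
        return [f"{prefix}: nesting deeper than {MAX_DEPTH}"]
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [f"{prefix or 'attachment'}: not a valid ZIP"]
    reasons = []
    for info in zf.infolist():
        if info.is_dir():
            continue
        path = f"{prefix}/{info.filename}" if prefix else info.filename
        try:
            with zf.open(info) as f:
                head = f.read(4)
        except RuntimeError:
            # Encrypted entry: the gateway cannot see inside, so do not let it through
            reasons.append(f"{path}: password-protected entry, cannot inspect")
            continue
        if head.startswith(ZIP_MAGIC) or info.filename.lower().endswith(".zip"):
            with zf.open(info) as f:
                reasons.extend(inspect_zip(f.read(), depth + 1, path))
            continue
        why = looks_executable(info.filename, head)
        if why:
            reasons.append(f"{path}: {why}")
    return reasons


def build_zip(entries: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed samples (no real malware, just header bytes): clean, double extension,
# renamed PE, and a nested archive. Python's zipfile cannot write encrypted entries,
# so the password-protected branch is not exercised by a sample here.
CLEAN = build_zip({"report.pdf": b"%PDF-1.4 constructed", "notes.txt": b"hello"})
DOUBLE_EXT = build_zip({"invoice.pdf.exe": b"MZ\x90\x00stub"})
RENAMED_PE = build_zip({"invoice.pdf": b"MZ\x90\x00stub"})
NESTED = build_zip({"docs.zip": build_zip({"inner/setup.scr": b"MZ\x90"})})

if __name__ == "__main__":
    for label, blob in [("clean", CLEAN), ("double-ext", DOUBLE_EXT), ("renamed", RENAMED_PE), ("nested", NESTED)]:
        print(label, inspect_zip(blob) or "ok")
```

Checking the PE header catches the case an extension list alone misses, and rejecting encrypted entries closes the usual workaround of mailing the password in the message body; both are policy choices the gateway owner has to make explicitly.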
7. Facing an attack
Chevalier states: “The easiest way to face ransomware attack is to have backups. Even if all your files are not accessible anymore, if you have done your backup well, you can restore everything and you don’t have to pay.” That only works “if you secure backup offline and are not connected [at the time of the attack]. If ransomware encrypts your backup, it will be more complicated.”
“Financial loss doesn’t start with the potential payment of a ransom. It starts at the moment data is no longer accessible,” notes Steichen. “The IT department has to identify the computers running the malware, identify the way of distribution, identify and fix security problems and vulnerabilities, and inform the other users of potential similar emails in the inbox.”
“A team will then check the availability--and consistency--of a recent backup and ideally be able to restore these backups. Under certain circumstances, for instance if [it is] discovered that large parts of the network [have been] compromised for a long time, the entire infrastructure has to be rebuilt from scratch before restoring backups of data,” he notes.
“These are time-consuming tasks, while the company at the same time is perhaps not able to operate. The financial loss can be huge,” says Steichen, even if the demanded ransom itself is often a relatively small amount.
Several insurers provide coverage against computer attacks. The Cyber Pro policy, for example, reimburses the cost of restoring backed-up data, decrypting data that is being held hostage when that is possible, and business continuity costs, according to Frédéric Helias, product manager at Foyer Assurances. The insurer also has a 24/7 hotline with technical experts to support clients who are experiencing an attack. Helias adds: “It is important to note that the payment of a ransom is always excluded.”
Chevalier says his firm does not pay ransoms on behalf of clients, so he cannot provide specific amounts. But, generally speaking, “it’s not too expensive because if it was too expensive, then nobody would pay and that’s not the goal of the attacker. The attacker prefers a lower price, and if more people are impacted and even if a few people pay, it’s good for him.” Hackers may ask for several hundred dollars in bitcoin, for example.
Steichen says an “opportunistic attacker” will demand “less than €1,000”, which is not much for most companies, “however, for private people, it can be a lot.” But he warns that: “In more targeted cases, we saw significant ransom demands of €500,000 and €1,500,000.”
Most people do not stump up, says Chevalier. Firstly, “even if you pay, you’re not sure you will get your data back.” Secondly, it could encourage the hacker to continue the extortion. “If you pay once, they will come back and [demand that] you pay again. We tell our clients not to pay.”
10. How can you be sure?
“As with everything in security, it’s impossible to be 100% sure you will never be hacked. You can add layers and layers of security, but as attackers [continue to innovate], you’re never sure to be fully secure,” says Chevalier. Much depends on your threat model, which is to say, who you’re protecting yourself against. Is it “kids in their bedroom launching a script they found online or a state [actor] with lots of money and lots of people who can develop attacks you didn’t know existed. You have to adapt your security to your threat model. If you have limited resources, you have to choose and accept [risks]. That’s not specific to ransomware, but security in general.”