In the Media


Real Life Cybercrimes interview about ransomware

On September 28, Syhunt founder and CVO Felipe Daragon participated as a panelist alongside experts Fernando Ceolin (Akamai) and Rafael Silva (KnowBe4) at the Cybercrimes in Real Life event to discuss how organizations can defend against ransomware.

Below are the main excerpts from Igor Lopes's interview with Daragon. If you prefer, you can still watch the full video with all the participants on the official event website.

What is ransomware? How can ransomware enter a computer?

Felipe Daragon: There are many ways for ransomware to enter a computer. The word ransom means they ask for something in exchange for what were your files. They encrypt the files and demand this payment; this is how it works. Nowadays any slip-up, in our network [security] or in our personal behavior, like opening a file we shouldn't from an unsafe source, can lead to a ransomware infection.

There are some data indicating that only 30% of the ransoms paid by companies allowed them to get their data back. It's complicated, because even when you pay you have no guarantee that the data will be restored. Is it worth paying or not?

Felipe Daragon: Unfortunately, there are many cases of directors who made the decision to pay, but there really is no guarantee that hackers who commit this type of blackmail will keep their word. So, this is my thinking: the best way to deal with this [situation] is to understand that you failed, map what repercussions the leak will have, communicate in the best possible way, and take measures to prevent it from happening again. You deal with the reality that, if at some point this kind of failure happened, it's over - once the data has been leaked, there's no way to put the information back in the "box".

How do I remove ransomware from my machine, from my company? How can it be resolved, given that I won't pay the ransom?

Felipe Daragon: From the moment you become aware that there was an infection like this, you have to question and investigate all the security you currently have within your network. Everything has to be re-evaluated: how this infection happened, how it started. This has to be done in a very detailed way, checking logs (records of everything that happened within the company). Something companies should pay more and more attention to is that sometimes a combination of factors can occur.

We saw this just now, in a recent case. There was a password leaked on the dark web, and this password had been obtained through ransomware. From there the hacker knew that there was MFA (multi-factor authentication) in place and made an attack on the employee, but it was not working, so he had to send a message to the employee, carrying out the so-called social engineering attack. He pretended to be an employee of the company itself and said: "This is the technical department. Look, you need to accept the pending MFA requests." And apparently that's how this attack succeeded. So you had a combination of things, and the main factor for this to have worked, in the end, after everything that happened, was the [successful] social engineering attack. Social engineering attacks are increasingly being used to circumvent existing security mechanisms.

Sometimes the company's own C-level is attacked with ransomware when the attacker wants to target a company. The executive is at risk in these cases. How can this happen, and how can I protect myself, as a company director who is a possible target in such a case?

Felipe Daragon: Even voice cloning is possible today with machine learning, so by capturing an audio recording of a company's executive it is already possible to clone his or her voice. We security professionals have a mentality that is a little more paranoid, so to speak, having done this exercise of thinking about what would happen if my data were accessed, what would happen if that place were hacked. So you also start to plan a little of what you are going to improve in your security by thinking about this, by already preparing for an attack. So, you try to simulate the attacks internally, and then even the social engineering attacks I was talking about can be performed, and this can have a very positive effect on the security architecture.

I wonder if companies are prepared and have the right tools to fight what we are experiencing today.

Felipe Daragon: Regarding the issue of the outdated technologies that are sometimes used: antivirus is absolutely necessary in this fight against ransomware, but statistically it is a fact that most ransomware victims in the world, the companies that are victims, had their antivirus up to date, something like over 70 percent of the victims. So the antivirus does not handle most of the ransomware. I mean, it defends against the already known variants, but when the group is going to attack, it has the focus and objective of actually causing harm to a victim: they test their malicious software against all the key antivirus software on the market, with the latest updates, until they confirm that none of them detect their new ransomware. And then the group infects the machine, so having the most up-to-date antivirus makes no difference. So, all this has to be re-imagined in many aspects, using new technologies and approaches, because the scenario has really changed a lot.

If you want to know more about the ransomware threat, earlier this year Syhunt published a special in-depth article on ransomware, which you can access through this link.