Successful extortionists: the big taboo on cybercrime

Companies and governments are increasingly targeted by hackers, and the criminal industry behind the attacks is huge. Yet knowledge and protective measures are lacking, because too little is said about the incidents.
Anna Wanner / ch media

Attacks against businesses and public infrastructure are on the rise. In March, the trend for ransomware attacks continued worldwide, with the Ransom-DB platform counting 438 events in one month, compared to an average of 250 attacks in recent years.

However, that could be just the tip of the iceberg, because the platform only counts cases in which the criminal groups have stolen data and published it illegally on the darknet. The vast majority of attacks, those in which the victims give in to the extortionists’ demands and pay a ransom, remain in the dark.


Swiss targets are also extremely popular among hacker groups. Recent victims include well-known institutions such as the University of Zurich, ABB, SBB and the Basel-Stadt education department.

Last week, the Federal Police (Fedpol) and the Customs and Border Security Service also had to admit that hackers had published their data on the dark web. The attack was not aimed at the offices themselves but at the IT service provider Xplain, which serves them. Other important institutions, such as the arms group RUAG and the cantonal police, were also affected by the leak.

The publisher CH Media, which publishes this newspaper, was also attacked – and blackmailed – in March. The attackers hacked NZZ’s IT system, which supplies CH Media. As a result, they first paralyzed individual systems that are necessary for the production of the newspaper. For weeks, various newspapers could only be produced and printed to a limited extent.

Two weeks after the encryption, the hacker group Play claimed responsibility for the attack and, a few days later, demanded money for the data. No ransom was paid at any time.

That’s typical. There are different types of crime on the internet. In Switzerland, fraud offences in particular top the list, according to statistics from the National Cyber Security Centre (NCSC). However, the number of reported ransomware attacks has risen sharply over the past two years, from 66 in 2020 to around 160.

These are attacks with encryption trojans (malware) that lead to extortion (a ransom demand). According to the NCSC, the attackers’ focus has shifted from private individuals to companies.


Human vulnerability

Ransomware gangs often work to the same pattern: they gain access to the system through an employee, for example with personalized emails whose offers or interesting content arrive as links or attachments.

As soon as a victim clicks on it and enters their credentials, the attacker gains access, digs into the computer – and starts spying on the environment. The attacker then obtains further access, for example via an administrator account, in order to penetrate further areas (“lateral movement”).

During this reconnaissance the attacker locates and downloads sensitive data. The process usually takes several weeks, sometimes months. As soon as the attacker has extracted enough data, he starts the encryption: the systems fail and access to the computers becomes impossible.

In the worst case, nothing works at all. If the attacker has encrypted both the backup and the running systems, all data is lost.

This is followed by double extortion: first, the attacker wants money to decrypt the systems again. In a second step, he demands another payment to prevent the publication of sensitive data.

Large number of unreported cases

The NCSC does not want to give estimates of how often ransomware extortion succeeds; it is neither an investigative nor a law enforcement agency.

It’s a topic no one likes to talk about – and it’s a fundamental part of the problem:

IT security experts estimate that at least 50 percent of attacks are monetized, and probably more like 75 percent or more.

There are indications: in 2021, the NCSC stated that Swiss SMEs were not adequately protecting themselves and were repeatedly falling victim to cyberattacks – and “not infrequently paid ransoms in the six or seven figures”. With 160 reported attacks and a large number of unreported cases, this quickly adds up to several million francs per year.

If a victim does not pay, it may be unable to continue operating. Whether it is the dentist, the media company or the painter: without access to important systems, customer data and appointments, day-to-day work becomes impossible. This can threaten a company’s existence if it is no longer able to process orders, look up contacts and pay wages. Often there is no other way out than to pay the ransom.

At the same time, every payment feeds the business model of the hacker gangs. The ransom money allows cybercriminals to fund an infrastructure run by hackers and other collaborators, such as money launderers. In recent years, a cybercrime industry has developed that is said to have made billions. There are about 70 ransomware groups active worldwide. The authorities therefore strongly advise against giving in to the blackmailers and paying even a single franc.

And law enforcement?

But there is a second reason why the authorities advise against paying the ransom: there is no guarantee that the attackers are really gone, that they will not publish the data anyway, or that the blackmail will not simply continue.

The perfidious part of the situation: the risks for the criminals are limited. According to the current police crime statistics, 34.4 percent of digital crimes are solved. However, this applies primarily to fraud. The clear-up rate for ransomware attacks is 1.3 percent.

Criminal prosecution appears to be difficult or impossible in most cases, as the criminals often operate from abroad. The police are working to improve their effectiveness. The Conference of Cantonal Police Directors (KKJPD), together with the federal government, wants among other things to strengthen criminal prosecution. To this end, a national overview of cyber incidents is to be drawn up, the training of law enforcement authorities in the field of cybercrime is to be improved further, and cooperation between law enforcement authorities is to be expanded.

But national politicians are also divided on the first point, the overview of cyber incidents. To date, there is no obligation to report cyber attacks. Admittedly, the House of Representatives decided last week that attacks on critical infrastructures must in any case be reported. However, the Council of States did not want any further reporting obligations.

Prevention is a priority for both the police and the NCSC. For years there have been warnings about hacker attacks and their serious consequences, including for SMEs. In 2021, the NCSC found that the warnings had faded and that the recommendations for protection against attacks were not being “widely implemented”.

Awareness is slowly increasing – partly because many companies have since had to gain the relevant experience themselves.

Hacker group Play – who is behind it?
The hacker group ‘Play’ launched the first attacks last summer. The group’s choice of victims appears arbitrary. Companies in Switzerland, the city government of Oakland, California, a regional bank in Spain and a judicial authority in Argentina have already been affected by the cyberattacks. The media groups NZZ and CH Media, to which this portal belongs, have recently been attacked by “Play”. According to the Darkfeed platform, which collects information about cyber attacks, “Play” was one of the top five most active hacker and blackmail groups in the world in May.

Two American IT security companies that have technically analyzed the “Play” approach speak of attacks based on known patterns of other hacker organizations. A personal connection to the group “Hive” is suspected. According to the US Department of Justice, “Hive” is responsible for more than 1,500 cyberattacks in more than 80 countries. In January of this year, the US authorities and Europol announced that the group had been infiltrated and dismantled. Despite this blow to cybercrime, “Play” continues to operate successfully by similar means.

It is not known who exactly is behind the organization ‘Play’. Equally unclear is the country from which the group launches its attacks. An in-depth analysis by Chainalysis sees Russia as the main base for cybercrime in general. According to the analysis, in 2021 about 74 percent of extorted money went to groups with ties to Russia. This equates to more than $400 million.

(aargauerzeitung.ch)

Source: Watson
