2024 How does a ransomware data encryption attack work?

Cyber security experts describe an eight-step ransomware data encryption attack and emphasize that attacks carried out through zero-day vulnerabilities are almost impossible to stop.



On April 5, the Vietnam Information Technology Press Club (Vietnam ICT Press Club) coordinated with the National Cyber Security Association to organize a seminar "Preventing ransomware data encryption attacks".


At the seminar, Mr. Vu Ngoc Son, Technical Director of NCS National Cyber Security Technology Joint Stock Company and Head of the Technology Research Department of the National Cyber Security Association, described in detail how a ransomware data encryption attack unfolds.



Mr. Vu Ngoc Son, Technical Director of National Cyber Security Technology Joint Stock Company (NCS), predicted that encryption attacks will continue in the future (Photo: Cuong Quyet).


Accordingly, a data encryption attack will include 8 steps:


1. Search


First, hackers try to find vulnerabilities in the system, for example by scanning websites, mail servers, and software for weaknesses. These are often zero-day vulnerabilities (unpatched or unpublished vulnerabilities), so they are unknown to users and manufacturers.


Attacks through zero-day vulnerabilities are nearly impossible to prevent. However, finding such a vulnerability usually takes hackers several months, not a day or two. If we monitor well during the time hackers are searching and know who is probing us, we can stop them early and avoid the risk of a data encryption attack.


2. Intrusion


Hackers take control of a server, an admin machine, or a user machine. This stage often happens very quickly, sometimes in just a few minutes, especially when a zero-day vulnerability is used. This stage is often difficult to prevent.


3. Lying undercover


This is a very important step for hackers as well as for system administrators. It usually lasts 3-6 months. If the organization is able to monitor and detect the intruder during this period, the attack can still be prevented.


Lying undercover helps hackers collect information and identify important targets. Hackers aim to learn 3 things: where important data is located, how the user management system works, and what role each IT system plays in the organization or business.


4. Encryption


At this point, the hacker runs the encryption tools. Hackers encrypt data with the same kinds of tools that users use to encrypt their own data. The tool can be a public one or one customized for faster encryption.


5. Clean up


Before they are discovered, hackers promptly delete all access data. This is very important for hackers because systems often store access logs. Hackers can find out where the system stores its logs and clean up the access logs to erase their traces. After cleaning up, they start asking for money.


6. Blackmail


At this point, the hacker demands payment for the key to unlock the data. Normally, hackers leave the key on the victim's system and then encrypt that key. Hackers pack all the keys into a box. When the victim pays, the hacker gives the password that opens the box so the key can be retrieved.


7. Money laundering


Currently, hackers often choose to be paid in cryptocurrency to hide their crimes.


8. Repeat the attack


Hackers can repeat the attack against other victims or against the same victim. Once they have been paid the first time, hackers know that the victim is able to pay.


Hackers may return to attack under the name of one group or another. This is a destructive form of attack. The victim not only loses money but also becomes a constant target of bad actors.
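Steps 3 and 5 both depend on whether access logs stay trustworthy: monitoring during the dwell period needs them, and the clean-up step removes them. The following is an added example, not code from the seminar or the handbook, showing one way to make log clean-up detectable by keeping hash-chain checkpoints off the monitored host. The function names, the checkpoint scheme and the sample log lines are assumptions constructed for illustration.

```python
import hashlib

GENESIS = b"\x00" * 32  # starting value of the chain (assumed convention)

def chain_head(lines, start=GENESIS):
    """Fold log lines into a running SHA-256 chain and return the last digest."""
    head = start
    for line in lines:
        head = hashlib.sha256(head + line.encode("utf-8")).digest()
    return head

def checkpoint(lines):
    """Value shipped off-host at intervals: (line count, chain head)."""
    return len(lines), chain_head(lines)

def verify(local_lines, checkpoints):
    """Check the current local log against checkpoints stored off-host.
    Returns a list of findings; an empty list means nothing was altered."""
    findings = []
    for count, head in checkpoints:
        if len(local_lines) < count:
            findings.append(f"log shrank: checkpoint covered {count} lines, "
                            f"only {len(local_lines)} remain")
        elif chain_head(local_lines[:count]) != head:
            findings.append(f"first {count} lines no longer match the "
                            f"checkpoint (edited or removed)")
    return findings

# Constructed sample access log (documentation IP ranges, not real data).
SAMPLE = [
    '203.0.113.7 - - [05/Apr/2024:09:00:01 +0700] "GET / HTTP/1.1" 200',
    '203.0.113.8 - - [05/Apr/2024:09:00:05 +0700] "GET /news HTTP/1.1" 200',
    '198.51.100.9 - - [05/Apr/2024:09:01:12 +0700] "POST /admin HTTP/1.1" 200',
    '198.51.100.9 - - [05/Apr/2024:09:01:30 +0700] "GET /backup HTTP/1.1" 200',
    '203.0.113.7 - - [05/Apr/2024:09:02:00 +0700] "GET /about HTTP/1.1" 200',
]
# Checkpoints taken while the log was still intact and stored elsewhere.
CHECKPOINTS = [checkpoint(SAMPLE[:2]), checkpoint(SAMPLE)]

# The log as it looks after entries from one address were deleted.
CLEANED = [l for l in SAMPLE if not l.startswith("198.51.100.9")]
# The log as it looks after one entry was rewritten in place.
EDITED = SAMPLE[:2] + [SAMPLE[2].replace("/admin", "/index")] + SAMPLE[3:]

if __name__ == "__main__":
    for name, log in [("intact", SAMPLE), ("cleaned", CLEANED), ("edited", EDITED)]:
        print(name, verify(log, CHECKPOINTS) or "matches all checkpoints")
```

The checkpoints only help if they are written to a system the intruder cannot reach from the compromised host; a checkpoint stored next to the log can be rewritten along with it.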



On April 6, the Department of Information Security (Ministry of Information and Communications) published "Handbook for preventing and minimizing risks from ransomware attacks" (Illustration).


Faced with the rise in ransomware data encryption attacks in Vietnam, on April 6 the Department of Information Security (Ministry of Information and Communications) published the "Handbook for preventing and minimizing risks from ransomware attacks".


This handbook will be a useful document to help agencies, organizations, and businesses proactively prevent and protect their important information systems against potential cyber attack risks.
