ransomware

Two types of ransomware, WannaCry and Petya, sowed the seeds of panic throughout networks in May and June 2017… We talked about this in depth in this magazine. Ransomware attacks have been dangerously multiplying since 2016. Although there are preventive actions you can implement to limit the risks of infection, no industry is safeguarded against this type of threat. Sentryo explains how these malicious programs work and the steps to take should your industrial system fall victim to an attack.

1. What is ransomware?

Ransomware is a malicious program capable of encrypting all or some of the data on a machine. Unlike phishing, ransomware does not seek to steal sensitive information but rather forces companies to pay a ransom to regain access to their data.

Consequences for industries
A ransomware attack encrypts data to render it unreadable. The consequences for industrial victims can be huge if the plant needs to be permanently in operation to ensure the infrastructure works, quality standards are achieved and delivery and supply deadlines are met.

2. How is a ransomware attack carried out?

Ransomware mainly spreads via email before infecting company networks. Hackers start by sending millions of emails containing the ransomware as an attachment. If the recipient of the email opens the infected file, it installs the malware that will encrypt the data. A ransom request then appears on the computer screen: if the user refuses to pay the sum indicated (often expressed in bitcoins because this currency offers anonymity), the data will be permanently lost.

The bitcoin
Ransoms are almost always requested in bitcoins because they cannot be traced. Some companies even invest in bitcoins as a precaution against possible attacks.

In the case of the WannaCry and Petya ransomware, a vulnerability in the Windows SMB protocol, discovered by the US NSA and disclosed by the “Shadow Brokers” group, was used to spread the infection and access computer files. Microsoft published corrective patch MS17-010 in March 2017, but unfortunately that did not prevent WannaCry and Petya from spreading in May and June 2017 on workstations and servers that had not received the Windows security updates.

3. Who is at risk of these attacks?

Ransomware attacks can target any company, big or small. Small and medium-sized companies are generally less prepared for the risks of cyberattacks and are more inclined to pay the ransom in the hope of recovering their data. Large companies, however, are not in the clear. In 2016, the cost of cyberattacks was estimated at 1 billion dollars, and the amount in 2017 is expected to increase significantly with the WannaCry and Petya attacks. Saint-Gobain estimates the financial impact of the Petya attack at 250 million euros, while Merck estimates it at 310 million dollars (261 million euros).

4. How to react to a ransomware attack?

4.1. Do not pay the ransom!

All cybersecurity experts agree that in no circumstance should ransoms be paid. There is no guarantee that you will recover your data!

For example, an in-depth analysis of the Petya malware revealed that it was impossible to decrypt data on an infected machine. The key used to encrypt the index of files and directories on the hard drive (the Master File Table, or MFT) was destroyed during data encryption.

4.2. Isolate the machine, alert, save, restore, monitor

If your system has been infected by ransomware, closely follow these steps to stop the malware from spreading and to recover your system:

  • Isolate the infected machine from the network in order to stop the malware from spreading (unplug the network cable, turn off the WiFi connection and all other communication interfaces). Note: do not completely turn off the computer, in case you later have the possibility of recovering data or having your machine analyzed by legal authorities.
  • Alert the company’s head of security or the IT department as soon as possible and warn all network users in order to avoid further infections. Once the malware is identified, you can find out its characteristics (URL used, file name, subject of the email, etc.). These elements will help you block future attacks and undertake the necessary corrective measures.
  • Save important files on blank and isolated pluggable devices, in case the files were altered or infected. This data can possibly be processed and recovered at a later time. Take care at this step: you could save the ransomware itself by mistake, in which case the infection will start up again after the system has been restored.
  • Restore the system from healthy sources. Reinstalling the system from a known source and restoring data from the last backup is preferred over disinfecting the system. You then have to make the changes necessary to close the security gaps that permitted the infection in the first place (apply security patches, change passwords, modify the local firewall, etc.).
  • Monitor your network in order to detect any further infections and stop the malware before it spreads.
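The monitoring step is where a network sensor earns its keep: WannaCry and Petya spread by reaching out to many neighbours over SMB (TCP/445) in quick succession, so a host that suddenly fans out 445 connections to many distinct peers is worth an alert. The Python below is an added example, not Sentryo's code; the flow-record format, the thresholds and the log lines are all constructed assumptions.

```python
"""Flag hosts that fan out SMB (TCP/445) connections to many peers in a short window."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample flow records (not real traffic): timestamp, source, destination, port.
# 10.1.1.5 sweeps six neighbours in four seconds; 10.1.1.7 talks repeatedly to one file
# server; 10.1.1.8 opens two SMB sessions five minutes apart (normal admin activity).
SAMPLE_FLOWS = """\
2017-05-12T10:00:01 src=10.1.1.5 dst=10.1.1.20 dport=445
2017-05-12T10:00:02 src=10.1.1.5 dst=10.1.1.21 dport=445
2017-05-12T10:00:02 src=10.1.1.5 dst=10.1.1.22 dport=445
2017-05-12T10:00:03 src=10.1.1.5 dst=10.1.1.23 dport=445
2017-05-12T10:00:03 src=10.1.1.5 dst=10.1.1.24 dport=445
2017-05-12T10:00:04 src=10.1.1.5 dst=10.1.1.25 dport=445
2017-05-12T10:00:05 src=10.1.1.7 dst=10.1.1.10 dport=445
2017-05-12T10:00:05 src=10.1.1.7 dst=10.1.1.10 dport=445
2017-05-12T10:00:06 src=10.1.1.9 dst=10.1.1.11 dport=80
2017-05-12T10:05:00 src=10.1.1.8 dst=10.1.1.30 dport=445
2017-05-12T10:10:00 src=10.1.1.8 dst=10.1.1.31 dport=445
"""

LINE_RE = re.compile(r"^(\S+) src=(\S+) dst=(\S+) dport=(\d+)$")

def parse_flows(text):
    """Yield (timestamp, src, dst, dport) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
            yield ts, m.group(2), m.group(3), int(m.group(4))

def detect_smb_fanout(text, window_seconds=60, min_peers=5, port=445):
    """Return one alert per source that reached >= min_peers distinct hosts on `port` within the window."""
    per_src = defaultdict(list)
    for ts, src, dst, dport in parse_flows(text):
        if dport == port:
            per_src[src].append((ts, dst))
    alerts = []
    window = timedelta(seconds=window_seconds)
    for src, events in per_src.items():
        events.sort()  # chronological, so each window only has to look forward
        for i, (start, _) in enumerate(events):
            peers = {dst for ts, dst in events[i:] if ts - start <= window}
            if len(peers) >= min_peers:
                alerts.append({"src": src, "first_seen": start.isoformat(), "peers": len(peers)})
                break  # one alert per source is enough for triage
    return alerts

if __name__ == "__main__":
    for a in detect_smb_fanout(SAMPLE_FLOWS):
        print(f"ALERT: {a['src']} reached {a['peers']} SMB peers starting {a['first_seen']}")
```

Tune `window_seconds` and `min_peers` to your own baseline: a backup server or a vulnerability scanner will legitimately fan out over 445 and should be whitelisted rather than treated as an infection.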

4.3. Use data recovery software with caution

If the infected files have not been backed up and their level of importance justifies further action, then you can resort to data recovery software. This operation needs to be carried out with caution so as not to cause a secondary infection of the IT system. The integrity and safety of recovered files can in no case be guaranteed.

The procedure to be applied in the event of a ransomware attack is quite complicated to implement and does not always guarantee company operations will go uninterrupted. It is therefore best to apply preventive measures to limit the risks of infection. We will discuss this topic further in an upcoming article. Stay tuned!