The fall of the SEPE through a Ransomware attack has been covered in half the world before the importance of digital services of a critical body for the functioning of the Spanish state, promoter of employment policies and manager of unemployment claims, subsidies or the ERTE so necessary in the middle of the pandemic. In addition, the SEPE handles sensitive data of millions of people, administrations and companies, which in the event of cyberattacks can be compromised.
The agency has managed to recover from the attack and says it is working with the aim of restoring priority services as soon as possible, especially the web portal of the State Public Employment Service, which at least is already open although we do not know if all its services are working.
It has also extended the deadlines for requesting benefits on the days when it is out of service and in the same way, job applications will be automatically renewed without loss of rights. The SEPE assures that in no case will this situation affect the rights of applicants for benefits .
From the SEPE they have also warned of the receipt of any email or false message that users may receive. It is common for cybercriminals to take advantage of critical and high-profile incidents like this one to launch malware campaigns through phishing and identity theft . Exercise extreme caution before any communication that claims to come from the SEPE and make sure it is true.
What is Ransomware and how does it work?
Ransomware is a computer attack that infects a personal computer, smartphone (or any electronic device) with the aim of blocking its operation and / or access to part or all of the equipment. Its most distinctive feature is that it seizes files using an encryption system to prevent access by its owner. From there, cybercriminals demand a “ransom” amount from the user to free them.
Most infections occur because the user opens a malicious application or program that can come from any source, especially the usual ones such as a web browser (adware deployment, redirection to a malicious website …), email (instead if attached, there is a link to Mega, Google Drive or Dropbox that leads to malware) or messaging services in the case of increasingly widespread mobile attacks.
It is also common to see it combined with phishing , identity theft, social engineering. Actually, the Ransomware uses any kind of computer attack to achieve its main goal, encrypt the files and extort money from the victims. Another big problem is that attackers often steal all the confidential information they have access to before encrypting the files.
In addition, if until now Ransomware used to have exclusively economic motivations producing high profits for attackers, lately it is expanding its objectives as a preferred method of introducing malware, for controlling equipment, spying, stealing confidential information or simply to do damage on request.
Finally, to point out an added problem for companies in the face of what is described as ransomware as a service (RaaS), where developers sell or rent malware to users in dark web forums . These affiliate schemes give low-level attackers the ability to distribute and manage ransomware campaigns, while the code developer receives a portion of each victim’s ransom payment for the decryption key. This allows cybercriminals to initiate extortion campaigns even without having the skills to develop their own malware.
Organizations and companies in the spotlight
If a decade ago the majority of Ransomware attacks were aimed at client personal computers with the aim of obtaining a few tens of dollars, in recent years the main objective is companies and administrations . And the bigger the better. The 2020 list is very extensive and we can mention Canon, Garmin, CD Projekt Red, Blackbaud, Mapfre, ADIF, Capcom, Manchester United and a few administrations and municipalities such as Lafayette in the United States.
And those are the acquaintances. Cybersecurity experts believe that there are many more strangers, those who have paid to recover services as soon as possible and avoid the reputational loss that this type of security breach entails. The problem of paying these criminals you know what it means: each satisfied ransom is an incentive for cybercriminals to continue using ransomware to extort more victims and follow the chain.
The result of all this is that for two years, Ransomware has become the main cyber threat in the technology industry , with organizations, critical infrastructures and companies (which usually pay extortionists) in the spotlight.
Ryuk, an old acquaintance for the attack on SEPE
The development of Russian origin Ryuk aims to be the malware used in the attack on the SEPE, as our very security colleagues explain, echoing the statements of Gerardo Gutiérrez, SEPE director, and relying on the statements of some employees who, early in the morning (before turning off all computers) they found files with the RYK extension, characteristic of this malware.
Although, as we said, almost any type of attack can be used for Ransomware, Ryuk is one of the most specialized malware . An old acquaintance who rose to “fame” by attacking the largest oil company in Mexico, Pemex, and in Spain also wreaked havoc in the attacks on Cadena Ser, Everis or the security company Prosegur .
Taking into account that one of Ryuk’s strengths is its persistence, since it has multiple tools to try to prevail in infected systems even when they are subjected to disinfection, the restart of all SEPE services may still take time . Fortunately, IT managers had a clean backup one day before the attack.
We can also highlight that the payment systems have not been affected and this is vital for millions of citizens who receive some type of subsidy, unemployment or ERTE. In principle, there would have been no leakage of the seized data, a big problem considering the amount of confidential information handled by the agency.
Tips against Ransomware
Taking into account how Ransomware works and that once infected there is no solution unless a researcher has managed to decrypt that particular encryption system, something that usually takes years to happen and through an extremely complex file recovery, one of the great tips against Ransomware is to make regular backup copies in case they have to be used to recover the computers. And there are others to prevent infection that are generally repeated against any computer attack. We remind you:
Backup . Backing up important data as a regular maintenance task is the most effective measure to minimize damage in the event of infection. The backup must be hosted on an external medium other than the computer to be able to recover the files from a “clean” place and not have to pay the “ransom” demanded by these cybercriminals.
System and application update . Keeping the operating system updated with the latest security patches and all the applications that we have installed is the best starting point. WanaCryptor, one of the most powerful Ransom, exploited a vulnerability in Windows systems and attacks against some Spanish companies point to unpatched vulnerabilities.
Line of defense . An antimalware solution should be installed and maintained, including a properly configured firewall to allow exclusive access to the necessary applications and services.
Anti Ransom Tool . It is a specific tool against this type of attack, which will try to block the encryption process of a ransomware (monitoring “honey files”). It will perform a memory dump of the malicious code at the time of its execution, in which hopefully we will find the symmetric encryption key that was being used.
Anti-spam filter . Many of the Ransomware attacks are distributed through mass email campaigns. In addition to these filters, you should follow the general advice such as not clicking on links or opening attachments from unknown senders.
Security policies . Tools such as AppLocker, Cryptoprevent, or CryptoLocker Prevention Kit facilitate the establishment of policies that prevent the execution of directories commonly used by ransomware, such as App Data, Local App Data, etc.
Privileged accounts . Do not use accounts with administrator privileges. 86% of threats against Windows can be dodged by using a common user instead of an administrator. That is why it is important to use a common user for common tasks and only leave the administrator for when a series of tasks related to the manipulation of the system are to be carried out.
File extensions . Showing extensions for known file types is good practice to identify possible executable files that want to masquerade as another type of file. It is not uncommon to see an .exe file with the icon of a Word document. If the extension is not seen, the user may not be able to distinguish whether it is a Word document or a malicious executable, although it is also good to remember that a Microsoft Office document can also contain malware.
Virtual machines . Using virtual machines to isolate the main system is another effective technique. In a virtualized environment, the action of ransomware does not usually materialize.
And do not pay … If unfortunately you have been infected, but you followed the prevention and maintenance tasks, you will have backup copies so that once the storage units are formatted, you can recover them. It takes time, but it is always better than paying these criminals and encouraging them to extort more victims and follow the chain.