At the end of 2019, Alberto (name changed to preserve his anonymity) detected a problem at work. He managed a team of four employees that made up the IT department of a medium-sized Andalusian company (between 50 and 250 employees, between 10 and 50 million euros in annual turnover), so he was the one notified of what had happened: a layout designer had received — and opened — an email that appeared to come from a regular customer. The domain and even the sender's name were very similar. The email included a zip file, something common in the design department's inbox. Neither the firewall nor the antivirus detected anything strange. Nevertheless, two days after that archive was opened, the entire company network was encrypted.
“‘Everything’ is ‘everything’. The SAP server (business management tools), administration, the virtual machines with corporate applications, the website hosted on an internal server, the workstations of all the staff, the backup servers, the NAS. Everything,” Alberto recalls just two years after the event.
What was happening was a ransomware attack, the same kind Telefónica suffered in 2017, which paralyzed the company's internal activity and led the news that day. That precedent had made this type of attack known to the general public, beyond the circle of computer experts.
In this case all company activity stopped completely, since all of its machinery depends on network resources. Without them there is nothing to do. So all the employees were sent home… except the IT group, who had to start thinking about how to get the encrypted information back. The nightmare had begun.
“There was panic in the company. We had some copies on external hard drives, but partial ones. The SAP infrastructure, for example, was completely lost, since that part did not depend on us but on the company that provided our SAP consulting. We contacted several companies to see how they could help us, chose the one we liked best, and they came to try to put us back together and recover something,” explains Alberto.
They started working together and discovered that the malware they were dealing with was Phobos EKING (similar to Ryuk, the one that brought down the SEPE in early 2021): a malware that encrypts all the files on the attacked network except those with .exe or .dll extensions (Windows executables and libraries, respectively). The rest have their extension changed to .eking. That way the system keeps working at a basic level, so the victim can find a new, unencrypted plaintext file on their computer stating the ransom conditions. That is what happened in this case.
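The behaviour just described (files renamed with an appended extension, executables left untouched, a small plaintext note dropped beside them) is what an incident responder sees first on a hit machine. The script below is an added example, not code from the article or from any company named in it: it walks a directory tree and buckets every file by what the ransomware would have done to it, using the extension from the text plus a byte-entropy check to catch files that were encrypted without being renamed. The sample tree, file names, note wording and keyword heuristic are all constructed here; the `.eking` suffix and the `.exe`/`.dll` exclusion are the only details taken from the article.

```python
"""Ransomware impact triage over a directory tree (added example, constructed data)."""
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

ENCRYPTED_EXT = ".eking"                        # extension the article says Phobos EKING appends
SKIPPED_EXTS = {".exe", ".dll"}                 # the article: executables and libraries are left alone
HIGH_ENTROPY = 7.5                              # bits per byte; ciphertext or compressed data sits near 8
NOTE_KEYWORDS = ("decrypt", "bitcoin", "email") # constructed heuristic for spotting a ransom note


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0 for empty input, at most 8)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_like_text(data: bytes) -> bool:
    """True when every byte is printable ASCII or tab/newline/carriage return."""
    return all(b in (9, 10, 13) or 32 <= b < 127 for b in data)


def triage(root) -> dict:
    """Walk `root` and bucket each file by what a ransomware run would have done to it."""
    root = Path(root)
    buckets = {"encrypted": [], "untouched_binaries": [], "candidate_notes": [],
               "high_entropy_unrenamed": [], "other": []}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        suffix = path.suffix.lower()
        if suffix == ENCRYPTED_EXT:
            buckets["encrypted"].append(rel)            # original name precedes the appended suffix
        elif suffix in SKIPPED_EXTS:
            buckets["untouched_binaries"].append(rel)
        else:
            data = path.read_bytes()
            if looks_like_text(data) and any(k in data.decode("ascii").lower() for k in NOTE_KEYWORDS):
                buckets["candidate_notes"].append(rel)  # small plaintext file talking about payment
            elif shannon_entropy(data) >= HIGH_ENTROPY:
                # Encrypted without a rename, or simply compressed (zip, jpeg): needs a human look
                buckets["high_entropy_unrenamed"].append(rel)
            else:
                buckets["other"].append(rel)
    return buckets


def impact_ratio(buckets: dict) -> float:
    """Share of files that carry the ransomware extension."""
    total = sum(len(v) for v in buckets.values())
    return len(buckets["encrypted"]) / total if total else 0.0


def build_sample_tree() -> str:
    """Constructed victim tree in a temp dir; names and contents are made up for this example."""
    root = Path(tempfile.mkdtemp(prefix="triage_"))
    (root / "docs").mkdir()
    (root / "app").mkdir()
    (root / "docs" / "report.docx.eking").write_bytes(os.urandom(2048))
    (root / "docs" / "budget.xlsx.eking").write_bytes(os.urandom(2048))
    (root / "docs" / "photos.zip").write_bytes(os.urandom(2048))   # not renamed, but random-looking
    (root / "app" / "tool.exe").write_bytes(b"MZ" + b"\x00" * 512)
    (root / "app" / "lib.dll").write_bytes(b"MZ" + b"\x00" * 512)
    (root / "README_TO_RESTORE.txt").write_text(                    # constructed note file name and text
        "Your files are encrypted. To decrypt them write to our email and pay in bitcoin.\n")
    (root / "notes.md").write_text("Quarterly planning notes, nothing unusual here.\n")
    return str(root)


if __name__ == "__main__":
    result = triage(build_sample_tree())
    for name, files in result.items():
        print(f"{name:24s} {files}")
    print(f"share of files encrypted: {impact_ratio(result):.0%}")
```

The entropy bucket is deliberately labelled as "needs a human look": legitimate zip, jpeg or PDF streams also score close to 8 bits per byte, so it narrows the search rather than proving encryption. Pointing `triage()` at a mounted image of an affected disk gives a quick count of how much was hit and where the note lives before any restore decision is made.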
“The company that helped us told us that there is no vaccine for this ransomware, and that a customized one would have to be developed.” At that point they began to weigh costs with the company's management, which suggested evaluating the option of paying the ransom, set at one bitcoin, then trading at around 7,000 euros. The vaccine would have cost considerably more. “Neither the cybersecurity company nor the Civil Guard advised us to pay the ransom. Nothing guaranteed that they would give us the key to decrypt the network.”
It may be surprising that the ransom for the entire system and information of a company invoicing millions of euros a year was only 7,000 euros. That is because the attackers had encrypted the information but could not read it, so they did not even know whether what they had hijacked was a corporate environment or a home one. The cybersecurity company was clear with them: “They told us not to contact them from corporate email or say anything that could identify us; if we did, it was very likely they would ask for much more ransom money,” Alberto explains.
At that point, weighing the costs, the company decided to pay, and Alberto was the one who had to communicate with the attackers, always discreetly, posing as a private individual. The communication was in English, writing to the ProtonMail address the attackers had left in the plaintext file, from a newly created Gmail account so as to leave no clues. To demonstrate that the method worked, the attackers offered to decrypt several files, something the cybersecurity company tried to take advantage of to trick them, sending a database of key files in an attempt to recover them without having to pay.
The cybersecurity company also proposed fighting back by sending the attackers malware that could identify them, but Alberto refused. “It seemed to me that this could cancel the deal with them, and I finally decided to pay, despite the recommendations to the contrary.” In the files he sent as a test, care was taken that nothing appeared that could suggest the size of the company, such as its number of employees or even the fact that it used SAP, enough of an indicator to drive up the ransom.
After paying the agreed bitcoin, they were provided with a program along with a recovery key and even a link to a YouTube video as a tutorial. A very homespun setup for a company billing tens of millions of euros a year that suddenly had nothing.
The top priority was to get the files back so the company could resume business. Without that, there was no possible return to normality. “I risked my job and that of many other people; the company had lost everything. I know this feeds the beast, and that once I paid I risked being attacked every month, but I took that risk.” He paid the ransom and a few hours later received a program with the decryption key. He had even considered paying the ransom out of his own pocket so that the nightmare would end as soon as possible.
“I would act in the same way again, the situation was very complicated and I was playing my neck”
“We recovered everything. We had a problem with the virtual machines, because although they were decrypted, some were corrupt, but we minimized the disaster a lot. From there a lot of things changed. We made more than ten backups of the data and we segmented everything onto different disks in case there was any malware among the files.”
That happened immediately after recovering from the attack. In the following days the entire infrastructure was rethought, everything was formatted and they began to take “real” measures to prevent another attack like that. Those days coincided with the end of a deadline to submit a filing to the Treasury; they could not submit the data on time and it brought them penalties. A trifle compared to what they had just been through.
We asked Alberto whether today he would do the same thing he did then. “Yes, without a doubt. The situation was very complicated and I was risking my neck. When we saw that we were recovering everything, we could not believe it. It is strange to say it like that, but it was a very great satisfaction; we had doubts and did not know if it was going to work.”
A year and a half later, Alberto acknowledges that the attack left him with certain consequences that have altered his routine, even at home. “After that I make backup copies of everything several times; I bought several NAS for my house, I do cold copies and then I disconnect the disks as well…”
“In ransomware we have seen everything”
So says Ramón Salado, CTO and founder of BeeHackers, a cybersecurity company whose services include managing ransomware attacks like the one Alberto's company suffered. “We always recommend not paying, because no one guarantees that in return they will give you the key to decrypt the files, and because you show that you are willing to pay for what is yours, so they will attack you again,” explains Salado. However, “it is understandable that many people lose everything with an attack like this.”
No company is safe for being big or small: “Ransomware attacks can affect anyone”
Is there any type of company, by sector or by size, that is more likely to be attacked than another? According to Ramón, no. “This can affect anyone. And with the teleworking boom since the pandemic, many Terminal Server ports (Windows RDP) have been opened, and that is one of the main entry vectors. Also vulnerabilities such as EternalBlue or ZeroLogon, which have made it easier for cybercriminals to attack.”
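Exposed RDP is the entry vector Salado singles out, and the cheapest place to see it being abused is the Windows Security log of the host that accepts the connections. The script below is an added example, not code from the article or from BeeHackers: it runs a sliding-window detection over logon events, treating event 4625 as a failed logon, 4624 as a success and logon type 10 (RemoteInteractive) as RDP, and raises three kinds of alert: password guessing from one source, a success that follows such guessing, and any RDP success from outside the internal address ranges, which is the tell-tale that the port is reachable from the Internet. The event records, the internal ranges, the threshold and the window are all constructed assumptions for this example.

```python
"""RDP brute-force and exposure detection over Windows logon events (added example, constructed data)."""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

RDP_LOGON_TYPE = 10            # RemoteInteractive: Terminal Services / RDP
EVENT_FAILED_LOGON = 4625
EVENT_LOGON_SUCCESS = 4624
FAIL_THRESHOLD = 5             # failures from one source inside WINDOW raise an alert (assumed value)
WINDOW = timedelta(minutes=10) # sliding window length (assumed value)

# Assumed corporate address space; anything outside it is treated as external.
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed event records, trimmed to the fields the detection needs.
SAMPLE_EVENTS = [
    {"ts": "2019-12-02T02:10:05", "id": 4625, "logon_type": 10, "user": "administrator", "src": "203.0.113.7"},
    {"ts": "2019-12-02T02:10:09", "id": 4625, "logon_type": 10, "user": "administrator", "src": "203.0.113.7"},
    {"ts": "2019-12-02T02:10:14", "id": 4625, "logon_type": 10, "user": "admin", "src": "203.0.113.7"},
    {"ts": "2019-12-02T02:10:20", "id": 4625, "logon_type": 10, "user": "admin", "src": "203.0.113.7"},
    {"ts": "2019-12-02T02:10:27", "id": 4625, "logon_type": 10, "user": "backup", "src": "203.0.113.7"},
    {"ts": "2019-12-02T02:10:33", "id": 4625, "logon_type": 10, "user": "backup", "src": "203.0.113.7"},
    {"ts": "2019-12-02T02:16:40", "id": 4624, "logon_type": 10, "user": "backup", "src": "203.0.113.7"},
    {"ts": "2019-12-02T08:01:12", "id": 4624, "logon_type": 10, "user": "mruiz", "src": "10.0.0.24"},
    {"ts": "2019-12-02T08:03:50", "id": 4625, "logon_type": 10, "user": "mruiz", "src": "10.0.0.24"},
    {"ts": "2019-12-02T08:04:02", "id": 4624, "logon_type": 10, "user": "mruiz", "src": "10.0.0.24"},
    {"ts": "2019-12-02T08:05:00", "id": 4625, "logon_type": 3, "user": "svc", "src": "198.51.100.9"},  # network logon, not RDP
]


def is_external_source(ip: str) -> bool:
    """True when the address falls outside every configured internal network."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETWORKS)


def detect_rdp_abuse(events) -> list:
    """Return alerts for RDP brute force, success-after-brute-force and externally sourced RDP logons."""
    alerts = []
    recent_failures = defaultdict(list)   # source ip -> timestamps of recent 4625 events
    for e in sorted(events, key=lambda x: x["ts"]):   # ISO timestamps sort correctly as strings
        if e["logon_type"] != RDP_LOGON_TYPE:
            continue
        t = datetime.fromisoformat(e["ts"])
        src = e["src"]
        # Slide the window: keep only failures still within WINDOW of this event.
        recent = [f for f in recent_failures[src] if t - f <= WINDOW]
        if e["id"] == EVENT_FAILED_LOGON:
            recent.append(t)
            if len(recent) == FAIL_THRESHOLD:    # fire once, when the threshold is crossed
                alerts.append({"kind": "rdp_bruteforce", "src": src, "ts": e["ts"]})
        elif e["id"] == EVENT_LOGON_SUCCESS:
            if len(recent) >= FAIL_THRESHOLD:
                alerts.append({"kind": "rdp_success_after_bruteforce", "src": src,
                               "user": e["user"], "ts": e["ts"]})
            if is_external_source(src):
                # A successful RDP logon straight from outside means the port is exposed.
                alerts.append({"kind": "rdp_from_external", "src": src,
                               "user": e["user"], "ts": e["ts"]})
        recent_failures[src] = recent
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_abuse(SAMPLE_EVENTS):
        print(alert)
```

On the constructed data the internal user's single mistyped password never reaches the threshold, while the external source produces all three alerts in order. In practice the same logic is fed from the exported Security log (or a SIEM query over it), and the `rdp_from_external` alert is the one to act on first: the fix is not a better threshold but closing the exposure by putting RDP behind a VPN or gateway, which also removes the surface that EternalBlue- and ZeroLogon-style intrusions start from.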
Attacks are not always immediate, as in Alberto's company; sometimes, especially when higher ransoms can be demanded because of a company's larger business volume, they simmer.
“We once discovered that the attackers had been inside the organization for more than 70 days before the encryption. They had studied all the traffic patterns, when and where backups were made. They controlled the entire network and infected everything; that way the victim ended up forced to pay,” he says, recalling the case.
Double and triple extortion
Other companies that usually provide their services in ransomware cases are the large consulting firms. An employee of one of the Big Four in Spain explains to us, on condition of anonymity, that it has become common practice especially in recent years, and that ransom prices are always proportional to the company's turnover. “They ask an SME for 50,000 or 100,000 euros, no more. They can ask a large company for millions of euros.”
“The attackers have very professionalized structures, as if they were companies”
He also explains that the attackers have highly professionalized structures, “as if they were companies”, with 24/7 operators to communicate with victims once contact is established, perfectly organized hierarchies, negotiators, specialists in breaking into systems, and so on.
This employee of one of the large consulting firms describes how the modus operandi of these attackers has grown more vicious over time. “Before, the files were encrypted and the encryption key was only delivered after the ransom was paid. Then came double extortion: in addition to keeping the information encrypted, they publish it online. In that case the company has to face a fine from the Spanish Data Protection Agency for not having correctly protected personal data.” Fines aside, not paying and having the data end up published online has another component: the reputational crisis.
And there is another twist that adds to the cruelty: “If you still do not pay, in some cases they threaten you with DDoS attacks (denial of service), especially if you are a large company that offers online services.” These attacks can leave entire services inaccessible, which for companies that only offer their product online means a total interruption of their business activity. On top of losing access to the information the company depends on and seeing it published on the Internet.