On November 4th, the 2021 Tencent Digital Ecology Conference, themed "Integration of Digital reality and blooming new machines", continued at the Wuhan Optics Valley Science and Technology Convention and Exhibition Center. At the conference, Tencent released the "2021 Ransomware Attack Trend Analysis White Paper" (hereinafter referred to as the "White Paper").
The white paper attributes the frequency of ransomware attacks worldwide to backward internal infrastructure at enterprises, the extremely high profits from extortion, and the growth of remote work scenarios, and notes that the vast majority of ransomware attacks cannot currently be cracked. It recommends that enterprises pay attention to data encryption and backup, move security protection to the front of the whole business, and raise the security awareness of practitioners.
1. In the first half of the year, leaks increased by 24% year-on-year, and industrial systems were scanned 20,000 times a day
In recent years, with the rapid development and popularization of technologies such as 5G communications, artificial intelligence, and the Internet of Things, as well as the continued popularity of cryptocurrencies such as Bitcoin, ransomware attacks have shown a sustained high incidence on a global scale and may become one of the main factors threatening network security for a long time to come.
The white paper defines a ransomware attack as the act of a cyber attacker blocking users' normal access to systems or data, by locking devices or encrypting files, and then blackmailing the victim into paying a ransom. Since 2018, the number of ransomware attacks has increased by 350%. A report by the Office of the Australian Information Commissioner (OAIC) showed a 24 per cent increase in data breaches caused by ransomware attacks in the first half of last year compared to the second half of last year.
In terms of economic losses, a report jointly released by the Center for Strategic and International Studies and anti-virus software vendor McAfee estimated that annual losses caused by global cyberattacks will be as high as $945 billion, that the cost of network protection is about $145 billion, and that the total economic cost will exceed one trillion US dollars.
The Nandu Privacy Guard has previously reported on several large ransomware attacks around the world. In July, Ecuador's largest state-run telecommunications operator, CNT, was largely paralyzed by a ransomware attack, and the ransomware gang threatened to disclose a total of 190 GB of customer personal information unless a ransom was paid. In September, the Japanese company Olympus was forced to shut down its computer network systems in Europe, the Middle East and Africa after a ransomware attack.
The facts show that effectively preventing ransomware attacks has become the focus of attention and discussion in the field of cybersecurity. The white paper sorts through the evidence and attributes the frequent occurrence of ransomware attacks around the world to three reasons.
First, the internal infrastructure of enterprises is backward, and effective security protection measures are lacking once systems are connected to the network. It is reported that the network information of China's industrial control systems continues to be probed by overseas criminals, with an average of more than 20,000 scans per day, and the infrastructure and control systems of the energy, manufacturing, communications and other industries have become the main targets.
Second, for cyber attackers, high ransoms have become a strong motive for committing crimes. Public data shows that ransom payments for attacks that occurred in 2020 averaged about $300,000, an increase of 171% over the previous year, and that the total profit of the various ransomware families active on the market in 2020 was $370 million, an increase of 336% over the previous year. Such high returns make more criminals willing to take the risk.
Third, remote work increases security risks. Since the global outbreak of the COVID-19 pandemic, ransomware gangs have taken advantage of the security vulnerabilities brought about by remote work, continuously evolving their attack methods through technical iteration, data leakage, data encryption and the like, opening up new attack surfaces and exploiting people's panic during the crisis to keep increasing the number of extortions.
2. The purpose is shifting from seeking wealth to stealing secrets, and most attacks cannot be cracked
According to the white paper's analysis, it is precisely because ransomware attacks differ so much from other forms of cyber attack that traditional network security protection measures are somewhat inadequate against them. To counter them, it is therefore necessary to be familiar with the usual methods and trend characteristics of extortion attacks.
First, extortion attacks are highly stealthy and harmful. Ransomware attacks usually achieve intrusion through disguised channels such as spam and web advertising; they also closely imitate the target company's coding methods and naming conventions in order to bypass complex testing, cross-audit, verification and other checkpoints. At the same time, ransomware attacks generally have a clear target and a strong extortion purpose, ranging from simply extracting money to stealing commercial data and political secrets.
Second, ransomware mutates quickly and spreads easily. While rapidly evolving network technology fuels the speed at which viruses multiply, the "anti-detection" awareness of cyber attackers is growing as well: ransomware writers constantly improve their software variants to evade detection. In fact, most of the time, ransomware authors evade detection simply by updating samples quickly and using the new samples for delivery.
In addition, the attack paths and targets of extortion tend to diversify. Ransomware attacks are changing from passive to active: in addition to exploiting system vulnerabilities to launch remote attacks, cyber attackers also induce employees inside the enterprise to leak sensitive information. The targets of attack have also shifted from computers to mobile devices and from individual users to enterprise devices, focusing on the key business systems and servers of governments or enterprises in order to claim higher profits.
However, the white paper points out that the vast majority of today's sophisticated and diverse ransomware attacks cannot be decrypted. The very few cases that have been cracked are mainly due to two situations: either the producer of the ransomware leaked its internal information, or flaws in the ransomware itself greatly reduced the difficulty of cracking it.
3. Prevention in advance is important, and it is recommended to set up a zero-trust security mechanism
The white paper found that China's current laws contain no special provisions for ransomware, but the provisions on extortion, on providing technical support and assistance for information network crimes, and on the production and dissemination of computer viruses and other acts endangering network security are relatively complete.
In July this year, the National Internet Emergency Response Center issued the "Ransomware Prevention Guidelines", which set out nine requirements and four recommendations for preventing ransomware. In August, the State Council issued the Regulations on the Security Protection of Critical Information Infrastructure, clarifying the boundaries of responsibility and the requirements for the various functional departments, as well as the principles and mechanisms for identifying critical infrastructure, and forming a legal responsibility system for critical security protection work. In November, the Personal Information Protection Law came into effect, providing a more solid legal guarantee for cracking down on ransomware and other acts that infringe on the personal information of citizens and organizations.
The white paper's analysis is that the losses and consequences of ransomware attacks are immeasurable, so the focus of prevention should be on defense before an attack rather than on decryption after it. To this end, the white paper offers suggestions for enterprises from three aspects: technology, mechanism and awareness.
First, focus on frontier security technology and improve protection capability. Enterprises should pay attention to data encryption and backup, and reduce the risk of attack through a "zero trust" security mechanism (that is, assuming that no identity, device or behavior is trusted, and requiring security verification and inspection throughout the whole access process). This effectively increases the difficulty of theft, prevents the spread of ransomware attacks, and allows risks to be detected in time and contained to a minimum.
Second, build front-loaded security capability to enhance the "immunity" of enterprises. Enterprises should protect security throughout the entire system life cycle, move security capabilities to the front of the business chain, anticipate potential security risks in advance, form a threat-sharing mechanism among enterprises in the industrial chain, and coordinate to prevent network attacks; organizations should strengthen code audits and security inspections of suppliers, and establish security protection mechanisms such as a "zero trust" architecture.
Third, enhance the security awareness of personnel. Enterprises should step up security education so that practitioners remain highly vigilant against suspicious situations such as unidentified mail, websites, software and storage media; strengthen network isolation and restrict unnecessary access channels; and, in addition, adopt a dual backup strategy of local storage plus cloud, with access to the backup system strictly limited.
Written by Fan Wenyang, researcher of Nandu Personal Information Protection Research Group