VietNamNet introduces an article by Mr. Dao Trung Thanh, a cybersecurity expert and Deputy Director of the Blockchain and AI Institute, to better understand the cyber attack at VNDirect Securities Company and the dangers of Ransomware.
Ransomware, a type of malware that encrypts data on a victim's system and demands a ransom to decrypt it, has become one of the most dangerous cybersecurity threats in the world today. Photo: zephyr_p/Fotolia

The VNDirect Case and What Makes Ransomware Dangerous

On March 24, 2024, VNDirect Securities Company in Vietnam became the latest hotspot on the map of international ransomware attacks. This attack is not an isolated case.

Ransomware, a type of malicious software designed to encrypt data on a victim’s system and demand a ransom to decrypt it, has become one of the most widespread and dangerous cyber security threats in the world today. The increasing reliance on digital data and information technology in all areas of social life makes organizations and individuals vulnerable to these attacks.

The danger of ransomware lies not only in its ability to encrypt data, but also in the way it spreads and demands ransom, creating a financial transaction channel through which hackers can make illegal profits. The sophistication and unpredictability of ransomware attacks make them one of the biggest challenges facing cybersecurity today.

The attack on VNDirect is a stark reminder of the importance of understanding and preventing ransomware. Only by understanding how ransomware works and the threat it poses can we put in place effective protection measures, from educating users, implementing technical solutions, to developing a comprehensive prevention strategy to protect critical data and information systems.

How Ransomware Works

Ransomware, a terrifying threat in the world of cybersecurity, operates in a sophisticated and multifaceted manner, causing serious consequences for victims. To better understand how ransomware works, we need to delve into each step of the attack process.

Infection

The attack begins when ransomware infects a system. There are several common ways ransomware can get into a victim's system, including:

Phishing emails: fake emails containing malicious attachments or links to websites hosting malicious code.
Exploitation of security vulnerabilities: taking advantage of flaws in unpatched software to install ransomware automatically, without user interaction.
Malvertising: using internet advertisements to distribute malware.
Downloads from malicious websites: users download software or content from untrusted websites.

Encryption

Once infected, ransomware begins the process of encrypting data on the victim’s system. Encryption is the process of converting data into a format that cannot be read without the decryption key. Ransomware often uses strong encryption algorithms, ensuring that encrypted data cannot be recovered without the specific key.

Ransom demand

After encrypting the data, ransomware displays a message on the victim's screen, demanding a ransom to decrypt the data. The message usually contains instructions on how to pay (usually via Bitcoin or other cryptocurrencies to hide the identity of the criminal), as well as a deadline for payment. Some versions of ransomware also threaten to delete the data or make it public if the ransom is not paid.

Transactions and decryption (or not)

The victim then faces a difficult decision: pay the ransom and hope to get their data back, or refuse and lose their data forever. However, paying does not guarantee that the data will be decrypted. In fact, it may encourage the criminals to continue their actions.

The way ransomware operates not only demonstrates technical sophistication, but also a sad reality: the willingness to exploit the gullibility and ignorance of users. This underscores the importance of increasing cybersecurity awareness and knowledge, from recognizing phishing emails to maintaining up-to-date security software. In the face of an ever-evolving threat like ransomware, education and prevention are more important than ever.

Common Variants of Ransomware

In the world of ransomware threats, some variants stand out for their sophistication, ability to spread, and impact on organizations globally. Here are descriptions of seven common variants and how they operate.

REvil (also known as Sodinokibi)

Features: REvil is a variant of Ransomware-as-a-Service (RaaS), allowing cybercriminals to “rent” it to carry out their own attacks. This significantly increases the ransomware’s ability to spread and the number of victims.

Propagation methods: Distribution via exploits, phishing emails, and remote access tools. REvil also automates the encryption and theft of data once inside a network.

Ryuk

Features: Ryuk primarily targets large organizations to maximize ransom. It has the ability to customize itself for each attack, making it difficult to detect and remove.

Propagation method: Through phishing emails and networks infected with other malware, such as Trickbot and Emotet, Ryuk spreads and encrypts network data.

RobbinHood

Features: RobbinHood is known for its attacks on government systems and large organizations, using a sophisticated encryption tactic to lock files and demand large ransoms.

Propagation method: Spread through phishing campaigns as well as exploiting security vulnerabilities in software.

DoppelPaymer

Features: DoppelPaymer is a standalone ransomware variant with the ability to cause serious damage by encrypting data and threatening to release information if a ransom is not paid.

Propagation method: Propagated via remote attack tools and phishing emails, especially targeting vulnerabilities in unpatched software.

SNAKE (also known as EKANS)

Features: SNAKE is designed to attack industrial control systems (ICS). It not only encrypts data but can also disrupt industrial processes.

Propagation method: Through phishing and exploit campaigns, with an emphasis on targeting specific industrial systems.

Phobos

Features: Phobos shares many similarities with Dharma, another ransomware variant, and is often used to attack small businesses via RDP (Remote Desktop Protocol).

Propagation method: Primarily via exposed or vulnerable RDP, allowing attackers to gain remote access and deploy ransomware.

LockBit

LockBit is another popular ransomware variant that operates under the Ransomware-as-a-Service (RaaS) model and is known for its attacks on businesses and government organizations. LockBit carries out its attacks in three main stages: exploiting vulnerabilities, penetrating deep into the system, and deploying the encryption payload.

Phase 1 - Exploitation: LockBit gains a foothold in the network through social engineering (for example, phishing emails) or brute-force attacks on intranet servers and other network systems.

Phase 2 - Infiltration: After infiltration, LockBit uses a "post-exploitation" tool to increase its access level and prepare the system for the encryption attack.

Phase 3 - Deployment: LockBit deploys the encryption payload on every accessible device in the network, encrypting all system files and leaving a ransom note.

LockBit also uses a number of free and open source tools in its intrusion process, ranging from network scanners to remote management software, to perform network reconnaissance, remote access, credential theft, and data exfiltration. In some cases, LockBit also threatens to release victims' personal data if ransom demands are not met.

Given its complexity and ability to spread, LockBit represents one of the biggest threats in the modern ransomware world. Organizations need to implement a comprehensive set of security measures to protect themselves from this ransomware and its variants.

Dao Trung Thanh

Part 2: From the VNDirect attack to anti-ransomware strategy