Earlier this month, the cybercrime wing of TN police received an unusual complaint. The Murasoli Facebook page, the mouthpiece of the ruling DMK party, had been hacked by cyber criminals who even posted obscene pictures on the website. The hackers allegedly demanded a sum of $200 to decrypt the website and return access, according to the cybercrime wing of the Tamil Nadu police.
The cybercrime wing promptly registered a case and began investigations, but officials admit that cracking such cases and bringing the criminals to book is highly impractical: such hacker networks are spread across the globe, and the costs and legal complications involved severely deter them from pursuing such cases in detail.
That the ruling party, with its crores of supporters across the state, could not deter cyber hackers who demanded a meagre $200 to restore its data reveals how undetectable and safe cyber criminals feel even when attacking important websites, especially in a country like India. In December 2022, the servers of the All India Institute of Medical Sciences (AIIMS), India’s premier healthcare destination, were hacked, allegedly by Chinese malware, and patient data was breached. While the site has since been restored and put back in operation, the criminals walked away scot-free.
According to the India Ransomware Report 2022 brought out by the Computer Emergency Response Team – India (CERT-In), the country witnessed a 53 per cent increase in ransomware attacks in 2022, with IT and ITES remaining the most affected sectors. Ransomware players also targeted critical infrastructure organisations and disrupted critical structures, according to the report. It also points out how the financially motivated Ransomware As a Service (RAAS) ecosystem is becoming increasingly prominent, using double and triple extortion tactics to cause business disruption and thereby force the victim to pay ransom. More concerning is the emerging trend of geopolitical conflicts influencing ransomware attacks. According to CERT-In, this trend is expected to continue as ransomware broadens its spectrum and becomes an arsenal of cyberwarfare.
RAAS has now become a global menace, with even nations that have highly sophisticated digital safety mechanisms bearing the brunt of such attacks. According to a report put out by the US investigative agency, the Federal Bureau of Investigation, in 2022 analysing trends in cybercrime, the Internet Crime Complaint Centre (IC3) received 2,385 complaints of ransomware attacks in 2022 alone, causing an accumulated loss of $34.3 million.
According to the FBI, cyber criminals use a variety of techniques to infect victims with ransomware: phishing emails, Remote Desktop Protocol (RDP) exploitation, and exploitation of software vulnerabilities remained the top infection vectors for ransomware incidents. The agency also does not encourage victims to pay the criminals, as paying ransom is likely to embolden them to attack further and does not guarantee that the victim’s files can be recovered.
Stages of a ransomware attack
A ransomware attack is a multi-stage process which often requires some form of engagement by the victim to allow entry into their network. Here’s a look at the various stages of a ransomware attack:
- Infection: Ransomware gains entry through various means such as phishing emails, physical media like thumb drives, or alternative methods. It then installs itself on a single endpoint or network device, granting the attacker access.
- Secure Key Exchange: Once installed, the ransomware communicates with the perpetrator’s central command and control server, triggering the generation of cryptographic keys required to lock the system securely.
- Encryption: With the cryptographic lock established, the ransomware initiates the encryption process, targeting files both locally and across the network, rendering them inaccessible without the decryption keys.
- Extortion: With your files locked beyond your reach, the ransomware displays an explanation of the next steps, including the ransom amount, instructions for payment, and the consequences of noncompliance.
- Recovery Options: At this stage, the victim can attempt to remove infected files and systems while restoring from a clean backup, or they may consider paying the ransom.
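The encryption stage described above has a recognisable footprint a defender can watch for: one process rewriting many files in a short burst, each written file looking like ciphertext (near-maximal byte entropy) and carrying an extension the organisation never uses. The following is an added illustration, not code from the article or from any of the agencies it cites; the events, process names, thresholds and extension list are constructed for the example.

```python
import math
import os
from collections import defaultdict

ENTROPY_THRESHOLD = 7.0      # 8.0 is the maximum for bytes; ciphertext sits close to it
WINDOW_SECONDS = 10          # burst window in which suspicious writes are counted
MIN_SUSPICIOUS_WRITES = 5    # how many such writes in one window trigger an alert
KNOWN_EXTENSIONS = {".docx", ".xlsx", ".pdf", ".zip", ".png", ".jpg"}  # assumed baseline

# Constructed sample events: (timestamp_seconds, process, path, bytes_written)
PLAIN = b"Quarterly sales figures and meeting notes for the board. " * 8
CIPHER_LIKE = bytes(range(256)) * 4   # every byte value equally often: entropy 8.0
EVENTS = [
    (0, "editor", "docs/report1.docx", PLAIN),
    (3, "editor", "docs/report2.docx", PLAIN),
    (5, "backup", "backup/archive.zip", CIPHER_LIKE),   # compressed data, known extension
] + [
    (20 + i, "unknown.exe", f"docs/file{i}.docx.locked", CIPHER_LIKE) for i in range(8)
]


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; text scores roughly 4-5, ciphertext close to 8."""
    if not data:
        return 0.0
    counts = defaultdict(int)
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def is_suspicious_write(path: str, content: bytes) -> bool:
    """High-entropy content written under an extension outside the baseline set."""
    _, ext = os.path.splitext(path)
    return shannon_entropy(content) > ENTROPY_THRESHOLD and ext.lower() not in KNOWN_EXTENSIONS


def flag_processes(events):
    """Return {process: burst_size} for processes with a burst of suspicious writes."""
    by_proc = defaultdict(list)
    for ts, proc, path, content in events:
        if is_suspicious_write(path, content):
            by_proc[proc].append(ts)
    flagged = {}
    for proc, stamps in by_proc.items():
        stamps.sort()
        for i, start in enumerate(stamps):
            burst = [t for t in stamps[i:] if t - start <= WINDOW_SECONDS]
            if len(burst) >= MIN_SUSPICIOUS_WRITES:
                flagged[proc] = len(burst)
                break
    return flagged


if __name__ == "__main__":
    print(flag_processes(EVENTS))
```

The legitimate backup process also writes high-entropy data, which is why the extension baseline matters: an entropy check alone would flag every compressed archive and image.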
IT experts and security agencies across the world agree that the best way to deal with a ransomware attack is to prevent one by having a robust security mechanism and various layers of protection for your digital assets. However, in the event of a ransomware attack, here’s what you should be doing, according to a report brought out by Microsoft in November 2022:
Ten steps to take if you find yourself dealing with a ransomware attack:
- Stay calm. It’s natural for your first reaction to be anger or fear. You’re angry because somebody is trying to shake you down for your hard-earned money. Or maybe you’re scared because the hackers have threatened to reveal private or embarrassing information if you don’t pay. Fear is reasonable because you could lose valuable files, get your identity stolen, or have your information entirely compromised. However, it’s essential that you stay calm. You don’t want to do something irrational that could have negative long-term consequences for you or your device.
- Take a photo of the ransomware message. Remember that ransomware is a crime. In fact, hackers who distribute ransomware and extort less than $1,000 from their victims can still be charged with a felony. Before reporting an attack, it’s a good idea to take a picture of the ransomware message displayed on your device. You can do this with a smartphone, camera, or via screenshot, if possible.
- Report the ransomware. The long and the short of it is that malware is illegal. Take time to report the ransomware to the proper authorities. Not only will you be protecting others from a breach like yours, but you’ll also be protecting yourself from future breaches.
- Cut off incoming and outgoing connections. Nobody can access your computer remotely unless it is connected to the internet. Disconnect from your Wi-Fi, unplug your ethernet cord, or do whatever else you need to do to disconnect your device from the web. If you’re not in a place where you can resolve the issue immediately, turn off the device to ensure malicious code doesn’t do further damage. Be sure to use Safe Mode when you restart your device, so you can access the basics of the operating system without allowing malware to do further damage. Cutting off your internet connection is the best way to quarantine your device.
- Disconnect external storage devices. Keeping backups of your files in the cloud or on an external storage device is a good way to protect anything you want to keep safe. The problem with many forms of malware is that they’ll also try to corrupt your external storage devices, so that recovery efforts are futile. Quickly remove any external hard drive or thumb drives connected to your device to ensure they remain clean.
- Safely wipe the hard drive and reinstall your OS. With your items safely backed up, wiping your hard drive—while often a last resort—could be the best option when it comes to removing malware. You can reinstall your operating system and then move files from an external hard drive or the cloud back onto your device.
- Disable maintenance tasks. Many maintenance tasks on your device will continue to run as scheduled, regardless of a ransomware attack. Tasks like automatically emptying your Recycle Bin, cleaning out conversations, and deleting old files should be put on hold until the ransomware issue is resolved. Something could be deleted that you need to eliminate the malware or point authorities toward the source.
- Look for decryption tools in your antivirus software. Good antivirus software has a decryption tool of some sort to help resolve ransomware without meeting the hacker’s demands. Run through your antivirus software to look for decryption tools. If your software can’t help, search online on another device (a smartphone using cellular data is safe) to find a decryption tool.
- Identify the ransomware strain. Identifying the strain of ransomware can effectively identify the encryption code you need to unlock your device. Decryption websites can provide you with decryption codes, so you can resolve the issue without paying a ransom. The ransomware strain is also good to have when you go to the authorities to report the breach.
- Reset all of your passwords. A hacker who gains access to your computer also has access to any passwords you save in your web browser or operating system keychain. Once you’ve restored your operating system, go through and change as many passwords as you can. It’s also a good idea to make each of them unique from what you had when the breach occurred because a hacker who has a list of passwords will eventually be able to crack your new passwords.