The cyberattack on VNDIRECT's system on March 24th has been identified as a ransomware attack. This type of attack is a major concern for businesses and organizations in the digital age. To provide readers with more information about ransomware attacks, their dangers, and how to prevent and respond to them, VietNamNet is publishing a series of articles titled "The Present Threat from Data Encryption Attacks".

Extending the "nightmare" of data-encrypting malware.

The cyberattack on VNDIRECT's system, a company ranked among the top 3 in the Vietnamese stock market, which occurred on the morning of March 24th, has now been largely resolved. The data has been decrypted and the My Account lookup system is back online.

VNDIRECT has reported that the incident on March 24th was carried out by a professional attack group, resulting in the encryption of all company data. Ransomware attacks have been a constant nightmare for businesses and organizations worldwide in recent years due to the severe consequences they can cause. Experts even liken ransomware to a "nightmare" or "ghost" in cyberspace.

Experts believe more time is needed to completely resolve the system attack at VNDIRECT. Photo: DL

According to the roadmap announced by VNDIRECT to its customers and partners, the systems, products, and other services will continue to be gradually reopened. The company plans to test the flow of traffic with stock exchanges on March 28th.

However, the analysis of information security experts makes clear that VNDIRECT's technology team and vulnerability scanning experts still have a long and arduous journey ahead before the incident is thoroughly resolved. Ransomware is not a new form of cyberattack, but it is very complex, and it takes a lot of time to clean up data, fully restore the system, and return operations to normal.

“To completely resolve a ransomware attack, sometimes the operating unit even has to change the system architecture, especially the backup system. Therefore, with the incident VNDIRECT is currently facing, we believe it will take more time, even months, for the system to fully recover,” said Vu Ngoc Son, Technical Director of NCS Company.

According to Mr. Nguyen Minh Hai, Technical Director of Fortinet Vietnam, depending on the severity of the attack, the level of preparation, and the effectiveness of the response plan, the time required to restore the system after a ransomware attack can vary greatly, from a few hours to several weeks for complete recovery, especially in cases requiring the recovery of a large amount of data.

"Part of this recovery process includes ensuring that the data-encrypting malware has been completely removed from the network and that no backdoors are left behind that could allow attackers to regain access," Mr. Nguyen Minh Hai said.

Experts also noted that, in addition to serving as a "wake-up call" for the entities managing and operating critical information systems in Vietnam, the cyberattack on VNDIRECT once again demonstrated the dangerous nature of ransomware.

More than six years ago, WannaCry and its variants caused significant disruption to many businesses and organizations as they rapidly spread to over 300,000 computers in nearly 100 countries and territories worldwide, including Vietnam.

In recent years, businesses have constantly worried about ransomware attacks. Last year, Vietnam's cyberspace recorded many ransomware attacks with serious consequences; in some cases, hackers not only encrypted data to demand ransom, but also sold the data to third parties to maximize their profits. According to NCS statistics, in 2023, up to 83,000 computers and servers in Vietnam were reported to have been attacked by ransomware.

Common 'pathways' for infiltrating systems.

VNDIRECT's technology team, along with information security experts, is implementing solutions to fully restore and secure the system. The cause of the incident and the 'path' the hackers used to infiltrate the system are still under investigation.

According to Mr. Ngo Tuan Anh, CEO of SCS Smart Cybersecurity Company, to carry out data encryption attacks, hackers usually choose to infiltrate servers containing important data and encrypt it. There are two common methods hackers use to penetrate organizational systems: directly through vulnerabilities or weaknesses in the server system; or by "bypassing" through the administrator's computer and thereby gaining control of the system.

Password cracking and zero-day vulnerability exploitation are two common methods hackers use to infiltrate systems, subsequently encrypting data for ransom. (Illustration: zephyr_p/Fotolia)

Speaking with VietNamNet, Mr. Vu The Hai, Head of Information Security Monitoring Department at VSEC Company, also pointed out several ways hackers can infiltrate systems and install malware: exploiting existing vulnerabilities in the system to gain control and install malware; sending emails with attached files containing malware to trick users into opening and activating the malware; and logging into the system using leaked or weak passwords of system users.

Expert Vu Ngoc Son analyzed that in ransomware attacks, hackers usually gain access to systems through means such as password cracking and exploiting system vulnerabilities, mainly zero-day vulnerabilities (vulnerabilities for which the manufacturer has not yet released patches; reporter's note).

“Financial companies typically have to meet regulatory standards, so password cracking is almost impossible. A more likely scenario is an attack via a zero-day vulnerability. In this type of attack, hackers remotely send corrupted data snippets, causing the software to malfunction during processing.

“Next, the hacker runs remote executable code and takes control of the service server. From this server, the hacker collects further information, uses the acquired administrator accounts to attack other servers in the network, and finally runs data encryption tools to extort money,” expert Vu Ngoc Son analyzed.

A new survey conducted by security firm Fortinet among businesses in the Asia-Pacific region, including Vietnam, shows that ransomware remains a major concern. Extortion through ransomware attacks is the top cybersecurity concern for manufacturers, with 36% of surveyed organizations reporting experiencing a ransomware attack in the past year, a 23% increase compared to Fortinet's similar 2020 survey.

Lesson 2 - Experts show how to respond to ransomware attacks.
