The VNDirect Case: What Makes Ransomware Dangerous?
On March 24, 2024, VNDirect Securities Company in Vietnam became the latest hotspot on the map of international ransomware attacks. This attack is not an isolated case.
Ransomware, a type of malicious software designed to encrypt data on a victim's system and demand a ransom to decrypt it, has become one of the most widespread and dangerous cybersecurity threats in the world today. The increasing dependence on digital data and information technology in all areas of social life makes organizations and individuals vulnerable to these attacks.
The danger of ransomware lies not only in its ability to encrypt data, but also in the way it spreads and demands ransoms, creating a financial transaction channel through which hackers can make illegal profits. The sophistication and unpredictability of ransomware attacks make them one of the biggest challenges facing cybersecurity today.
The VNDirect attack is a stark reminder of the importance of understanding and preventing ransomware. Only by understanding how ransomware works and the threat it poses can we put in place effective protection measures, from educating users, applying technical solutions, to building a comprehensive prevention strategy to protect critical data and information systems.
How Ransomware Works
Ransomware, a terrifying threat in the world of cybersecurity, operates in a sophisticated and multifaceted manner, causing serious consequences for victims. To better understand how ransomware works, we need to delve into each step of the attack process.
Infection
The attack begins when ransomware infects a system. There are several common ways ransomware can get into a victim's system, including:
Phishing emails: Fake emails with malicious attachments or links to websites containing malicious code.
Exploiting security vulnerabilities: Taking advantage of vulnerabilities in unpatched software to install ransomware automatically, without user interaction.
Malvertising: Using internet advertisements to distribute malware.
Downloads from malicious websites: Users download software or content from untrusted websites.
Encryption
Once infected, ransomware begins the process of encrypting data on the victim's system. Encryption is the process of converting data into a format that cannot be read without the decryption key. Ransomware often uses strong encryption algorithms, ensuring that encrypted data cannot be recovered without the specific key.
Ransom demand
After encrypting the data, ransomware displays a message on the victim's screen, demanding a ransom to decrypt the data. This message usually contains instructions on how to pay (usually via Bitcoin or other cryptocurrencies to hide the identity of the criminal), as well as a deadline for payment. Some versions of ransomware also threaten to delete the data or publish it if the ransom is not paid.
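The two traces described above, files rewritten into an unreadable form and a note left for the victim, are also what a defender can look for on disk. The following Python script is an added example written for this article (it is not code from the original page); it walks a directory, flags files whose byte entropy is close to the 8 bits per byte of random data, and flags small text files that mention decryption and payment. The thresholds, file names, and sample content are constructed for the demonstration.

```python
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Hypothetical tuning values for this demonstration (not from the article).
ENTROPY_THRESHOLD = 7.5   # bits per byte; text and office documents sit well below this
MIN_SAMPLE_BYTES = 256    # too little data gives an unreliable entropy estimate
NOTE_KEYWORDS = ("decrypt", "bitcoin", "ransom")
NOTE_SUFFIXES = (".txt", ".html", ".hta")


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for one repeated byte, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_like_ransom_note(path: Path) -> bool:
    """A small text-like file mentioning at least two of the payment/decryption keywords."""
    if path.suffix.lower() not in NOTE_SUFFIXES or path.stat().st_size > 65536:
        return False
    text = path.read_text(errors="ignore").lower()
    return sum(keyword in text for keyword in NOTE_KEYWORDS) >= 2


def scan_directory(root: str) -> dict:
    """Walk a tree and return the names of suspected encrypted files and suspected ransom notes."""
    encrypted, notes = [], []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        if looks_like_ransom_note(path):
            notes.append(path.name)
            continue
        sample = path.read_bytes()[:65536]   # the head of the file is enough to estimate entropy
        if len(sample) >= MIN_SAMPLE_BYTES and shannon_entropy(sample) >= ENTROPY_THRESHOLD:
            encrypted.append(path.name)
    return {"encrypted": sorted(encrypted), "notes": sorted(notes)}


def build_sample_tree() -> str:
    """Constructed sample data: a normal document, a random-byte file standing in
    for ransomware output, and a note written in the style of a ransom demand."""
    root = tempfile.mkdtemp(prefix="ransom_demo_")
    (Path(root) / "report.docx").write_bytes(b"Quarterly report, draft 3. " * 200)
    (Path(root) / "report.docx.locked").write_bytes(os.urandom(4096))
    (Path(root) / "README_DECRYPT.txt").write_text(
        "Your files are encrypted. Send 1 bitcoin to decrypt them. Ransom deadline: 72 hours.")
    return root


if __name__ == "__main__":
    print(scan_directory(build_sample_tree()))
```

Entropy alone produces false positives on files that are already compressed or encrypted by design (archives, JPEG images, password-protected documents), so in production this check is combined with other signals: a sudden burst of renames to an unfamiliar extension, many files changing within seconds, and the appearance of the same note in every folder.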
Transactions and decryption (or not)
The victim then faces a difficult decision: pay the ransom and hope to get their data back, or refuse and lose it forever. However, paying does not guarantee that the data will be decrypted. In fact, it may encourage the criminals to continue their actions.
The way ransomware operates not only demonstrates technical sophistication, but also a sad reality: the willingness to exploit the gullibility and ignorance of users. This underscores the importance of increasing cybersecurity awareness and knowledge, from recognizing phishing emails to maintaining up-to-date security software. With an ever-evolving threat like ransomware, education and prevention are more important than ever.
Common Variants of Ransomware
In the ever-evolving world of ransomware threats, some variants stand out for their sophistication, ability to spread, and the serious impact they have on organizations around the world. Here are descriptions of seven widespread variants and how they operate.
REvil (also known as Sodinokibi)
Features: REvil is a variant of Ransomware-as-a-Service (RaaS), allowing cybercriminals to "rent" it to carry out their own attacks. This significantly increases the ransomware's ability to spread and the number of victims.
Propagation method: Distribution via security vulnerabilities, phishing emails, and remote attack tools. REvil also uses attack methods to automatically encrypt or steal data.
Ryuk
Features: Ryuk primarily targets large organizations to maximize ransom payments. It has the ability to customize itself for each attack, making it difficult to detect and remove.
Propagation method: Through phishing emails and networks infected with other malware, such as Trickbot and Emotet, Ryuk spreads and encrypts network data.
RobbinHood
Features: RobbinHood is known for its ability to attack government systems and large organizations, using a sophisticated encryption tactic to lock files and demand large ransoms.
Propagation method: Spread through phishing campaigns as well as exploiting security vulnerabilities in software.
DoppelPaymer
Features: DoppelPaymer is a standalone ransomware variant with the ability to cause serious damage by encrypting data and threatening to release information if a ransom is not paid.
Propagation method: Propagated via remote attack tools and phishing emails, especially targeting vulnerabilities in unpatched software.
SNAKE (also known as EKANS)
Features: SNAKE is designed to attack industrial control systems (ICS). It not only encrypts data but can also disrupt industrial processes.
Propagation method: Through phishing and exploit campaigns, with an emphasis on targeting specific industrial systems.
Phobos
Features: Phobos shares many similarities with Dharma, another ransomware variant, and is often used to attack small businesses via RDP (Remote Desktop Protocol).
Propagation method: Primarily through exposed or vulnerable RDP, allowing attackers to remotely access and deploy ransomware.
LockBit
LockBit is another popular ransomware variant that operates under the Ransomware-as-a-Service (RaaS) model and is known for its attacks on businesses and government organizations. LockBit carries out its attacks in three main stages: exploiting vulnerabilities, penetrating deep into the system, and deploying the encryption payload.
Phase 1 - Exploitation: LockBit gains entry to the network using techniques such as social engineering (for example, phishing emails) or brute-force attacks on internal servers and network systems.
Phase 2 - Infiltration: After infiltration, LockBit uses a "post-exploitation" tool to increase its access level and prepare the system for the encryption attack.
Phase 3 - Deployment: LockBit deploys the encryption payload on every accessible device in the network, encrypting all system files and leaving a ransom note.
LockBit also uses a number of free and open source tools in its intrusion process, from network scanners to remote management software, to perform network reconnaissance, remote access, credential theft, and data exfiltration. In some cases, LockBit even threatens to release the victim's personal data if ransom demands are not met.
With its complexity and ability to spread widely, LockBit represents one of the biggest threats in the modern ransomware world. Organizations need to adopt a comprehensive set of security measures to protect themselves from this ransomware and its variants.
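Phobos's reliance on exposed RDP and LockBit's brute-force entry in Phase 1 leave the same trace on a Windows host: a burst of failed logons (Security event 4625) with logon type 10 (RemoteInteractive) from one source address, sometimes followed by a successful logon (event 4624) from that same address. The Python script below is an added example written for this article, not code from the original page or from any vendor; it runs that detection over a constructed JSON-lines export of Security events. The thresholds, addresses, and account names are made up for the demonstration.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical tuning values for this demonstration (not from the article).
FAILURES_THRESHOLD = 5         # failed RDP logons from one source address ...
WINDOW = timedelta(minutes=5)  # ... within this sliding time window
RDP_LOGON_TYPE = 10            # Windows logon type 10 = RemoteInteractive (RDP)
FAILED_LOGON, SUCCESSFUL_LOGON = 4625, 4624   # Windows Security event IDs

# Constructed sample export (JSON lines). 203.0.113.7 hammers the RDP service with
# several account names and then gets in; the remaining lines are background noise.
SAMPLE_EVENTS = """\
{"time": "2024-03-24T01:00:05", "event_id": 4625, "logon_type": 10, "src_ip": "203.0.113.7", "user": "admin"}
{"time": "2024-03-24T01:00:09", "event_id": 4625, "logon_type": 10, "src_ip": "203.0.113.7", "user": "administrator"}
{"time": "2024-03-24T01:00:14", "event_id": 4625, "logon_type": 10, "src_ip": "203.0.113.7", "user": "admin"}
{"time": "2024-03-24T01:00:21", "event_id": 4625, "logon_type": 10, "src_ip": "203.0.113.7", "user": "root"}
{"time": "2024-03-24T01:00:33", "event_id": 4625, "logon_type": 10, "src_ip": "203.0.113.7", "user": "admin"}
{"time": "2024-03-24T01:00:47", "event_id": 4625, "logon_type": 10, "src_ip": "203.0.113.7", "user": "svc_backup"}
{"time": "2024-03-24T01:01:10", "event_id": 4624, "logon_type": 10, "src_ip": "203.0.113.7", "user": "svc_backup"}
{"time": "2024-03-24T08:15:00", "event_id": 4625, "logon_type": 10, "src_ip": "198.51.100.2", "user": "jdoe"}
{"time": "2024-03-24T10:00:00", "event_id": 4625, "logon_type": 3, "src_ip": "203.0.113.7", "user": "share"}
"""


def parse_events(text: str) -> list:
    """Parse one JSON object per line, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect_rdp_bruteforce(events: list) -> dict:
    """Group failed RDP logons by source address and flag any address that reaches
    FAILURES_THRESHOLD failures inside WINDOW. Each alert also lists the account
    names tried and any account that logged on successfully from the same address
    after the burst, which is the case to treat as an intrusion rather than noise."""
    failures = defaultdict(list)
    successes = defaultdict(list)
    for ev in events:
        if ev["logon_type"] != RDP_LOGON_TYPE:
            continue   # network/interactive logons are out of scope for this rule
        t = datetime.fromisoformat(ev["time"])
        if ev["event_id"] == FAILED_LOGON:
            failures[ev["src_ip"]].append((t, ev["user"]))
        elif ev["event_id"] == SUCCESSFUL_LOGON:
            successes[ev["src_ip"]].append((t, ev["user"]))

    alerts = {}
    for ip, attempts in failures.items():
        attempts.sort()
        start = 0
        for end, (t_end, _) in enumerate(attempts):
            # Slide the window start forward until it fits within WINDOW of the current event.
            while t_end - attempts[start][0] > WINDOW:
                start += 1
            if end - start + 1 >= FAILURES_THRESHOLD:
                alerts[ip] = {
                    "failures": len(attempts),
                    "users": sorted({u for _, u in attempts}),
                    "success_after": sorted({u for t, u in successes[ip] if t >= t_end}),
                }
                break
    return alerts


if __name__ == "__main__":
    print(json.dumps(detect_rdp_bruteforce(parse_events(SAMPLE_EVENTS)), indent=2))
```

A rule of this shape is what a SIEM correlation for "RDP brute force followed by success" does; the non-empty success_after list is the alert that warrants immediate response, because the attacker now has a foothold for the post-exploitation and deployment phases described above. The preventive side is simpler: keep RDP off the internet (VPN or a gateway in front), require network level authentication and multi-factor authentication, and enforce account lockout so the burst cannot reach a valid password in the first place.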
Dao Trung Thanh
Lesson 2: From the VNDirect attack to anti-ransomware strategy