The fall of the SEPE to a ransomware attack
The importance of the digital services of a body so critical to the functioning of the Spanish state has been discussed all over the world: the SEPE drives employment policy and manages the unemployment benefits, subsidies and ERTEs (temporary lay-off schemes) that are so necessary in the middle of a pandemic. In addition, the SEPE processes sensitive data belonging to millions of people, administrations and companies, data that a cyber attack puts at risk.
The body is recovering from the attack and says it is working to restore priority services as soon as possible, in particular the public employment service web portal, which is at least back online, although we do not know whether all of its services are working.
It has also extended the deadlines for claiming benefits by the number of days the service was unavailable, and existing claims are renewed automatically with no loss of rights. The SEPE guarantees that this situation will in no case affect the rights of beneficiaries.
The SEPE has also warned users about fake emails or messages they may receive. Cyber criminals routinely exploit critical, high-profile incidents like this one to launch malware campaigns through phishing and identity theft. Be extremely careful with any communication that claims to come from the SEPE and verify that it is genuine before acting on it.
What is ransomware and how does it work?
Ransomware is a type of malware that infects a PC, smartphone or other device with the aim of blocking its operation and/or access to part or all of its contents. Its most distinctive feature is that it encrypts the victim's files so that the owner can no longer open them. The criminals then demand a ransom from the user in exchange for the decryption key.
Most infections happen because the user opens a malicious application or file. It can arrive through any channel, most commonly the web browser (adware, redirects to a malicious website), email (increasingly, instead of an attachment the message carries a link to a file hosted on Mega, Google Drive or Dropbox that contains the malware) or messaging services, in attacks on mobile devices that are ever more widespread.
It is also commonly combined with phishing, identity theft and social engineering. In practice, ransomware operators use any kind of attack that gets them to their main goal: encrypting the files and extorting money from the victims. A further problem is that the attackers often steal all the confidential information they can reach before encrypting the files, which gives them a second lever: the threat of publishing it.
Whereas ransomware used to be run purely for profit, it is increasingly being used for other ends as well: as the preferred way of introducing malware, taking control of devices, spying, stealing confidential information, or simply sabotaging systems on demand.
Finally, I want to point out an additional problem for companies: the so-called Ransomware as a Service (RaaS), in which malware developers sell or rent their ransomware to other criminals on dark web forums. These affiliate programs let low-skilled attackers distribute and manage ransomware campaigns while the developer takes a cut of every ransom paid for a decryption key. Cyber criminals can thus launch extortion campaigns without being able to develop their own malware.
Organizations and companies in the spotlight
A decade ago most ransomware attacks targeted home PCs for ransoms of a few tens of dollars; in recent years the main targets have been companies and public administrations, and the bigger the better. The list for 2020 and early 2021 is very long: Canon, Garmin, CD Projekt Red, Blackbaud, Mapfre, ADIF, Capcom and Manchester United, along with administrations and municipalities such as Lafayette in the US.
And those are only the known cases. Cyber security experts believe many more go unreported because the victims paid to restore service as quickly as possible and avoid the reputational damage that this kind of breach brings with it. The problem with paying these criminals is well known: every ransom paid is an incentive for cyber criminals to keep using ransomware to extort more victims, and the chain continues.
The result of all this is that for the past two years ransomware has been the main threat to the technology industry on the internet, with public agencies, critical infrastructure and corporations (which usually pay the extortionists) in the spotlight.
Ryuk, an old acquaintance, in the attack on the SEPE
Ryuk, a development of Russian origin, appears to be the malware used in the attack on the SEPE, as our security colleagues explain, citing the statements of SEPE director Gerardo Gutiérrez and those of employees who, early that morning and before all computers were shut down, found files with the .RYK extension that is characteristic of this malware.
Although, as I said, almost any type of attack can be used to deliver ransomware, Ryuk is one of the most specialised families. It is an old acquaintance that rose to "fame" with the attack on Pemex, Mexico's largest oil company, and in Spain wreaked havoc in the attacks on Cadena SER, Everis and the security company Prosegur.
Given that one of Ryuk's strengths is persistence (it comes with several tools that let the attackers keep or regain a foothold in infected systems even while clean-up is under way), bringing all SEPE services back may still take time. Fortunately, the IT team had a clean backup from the day before the attack.
It is also worth highlighting that the payment systems were not affected, which is vital for the millions of citizens receiving some form of subsidy, unemployment benefit or ERTE. In principle there was no theft of data either, which would have been a serious problem given the amount of confidential information the agency handles.
Tips against ransomware
Given how ransomware works and the fact that, once infected, there is no solution unless a researcher manages to break that particular family's encryption scheme (something that usually takes years, if it happens at all, and even then makes file recovery extremely complex), one of the best defences against ransomware is to make regular backups that can be used to restore the devices. There are other measures to prevent infection, most of which are the same ones repeated against computer attacks in general. We recall them:
Backup. Backing up important data as a routine maintenance task is the most effective measure for minimising the damage of an infection. The backup must be kept on an external medium separate from the computer (and, ideally, disconnected or otherwise unreachable from it, since ransomware also encrypts connected drives and network shares) so that the files can be restored from a "clean" copy without paying the ransom these cyber criminals demand.
System and application updates. The starting point is to keep the operating system and every installed application up to date with the latest security patches. WannaCry (WanaCryptor), one of the most damaging ransomware outbreaks, spread by exploiting a vulnerability in Windows' SMB implementation for which a patch had already been published, and the attacks on several Spanish companies point to unpatched vulnerabilities.
Line of defence. Install and maintain an anti-malware solution, together with a properly configured firewall that only allows access to the applications and services that are actually needed.
Anti-ransom tool. These are tools designed specifically against this type of attack: they plant decoy "honey files" and monitor them, so that the moment a process starts modifying them its encryption run is blocked. At that point some tools also take a memory dump of the malicious code, in the hope that the symmetric encryption key in use can be found in it.
Anti-spam filter. Many ransomware attacks are spread through mass email campaigns. On top of these filters, follow the general rules: do not click on links or open attachments from unknown senders.
Security policies. Tools such as AppLocker, CryptoPrevent or the CryptoLocker Prevention Kit make it easy to create policies that block execution from the directories ransomware commonly uses, such as AppData and LocalAppData.
Privileged accounts. Do not work with accounts that have administrator rights. It is commonly cited that 86% of threats against Windows can be avoided by using a regular user account instead of an administrator. Use a standard user for everyday tasks and switch to the administrator only for the specific tasks that require modifying the system.
File extensions. Show extensions for known file types so that executables disguised as another file type can be spotted. It is not unusual to see an .exe file carrying a Word document icon; with extensions hidden, the user cannot tell whether it is a Word document or a malicious executable. Bear in mind, however, that a Microsoft Office document can also carry malware (for example in macros).
Virtual machines. Using virtual machines to isolate the main system is another effective technique: opening untrusted files inside a VM confines any damage to the VM, which can simply be discarded. Some ransomware samples also refuse to run when they detect a virtualised environment, but that should not be relied on.
And don't pay... If you do get infected but have carried out the preventive and maintenance tasks, you will have backups to restore once the storage devices have been wiped. It takes time, but it is always better than paying these criminals and encouraging them to extort more victims, continuing the chain.
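The following Python script is an example added to this article; it is not code from the original text nor from any of the tools mentioned above. It puts the anti-ransom tip (honey files), the file-extension tip and the description of how ransomware encrypts files into working form: it plants two decoy documents, then scans a directory for decoys that have been touched, for a known ransom extension such as Ryuk's .RYK, for documents whose contents now look like ciphertext, and for executables hiding behind a document extension. The file names, the extension lists and the 7.5 bits/byte entropy threshold are assumptions chosen for the demo, and the SHA-256 keystream used in the constructed attack stands in for the real cipher a ransomware family would use.

```python
"""Ransomware canary check: plant honey files, then scan for the signs the tips
above describe (a decoy being encrypted, a ransom extension such as Ryuk's .RYK,
ciphertext-like file contents, and executables hiding behind a document extension).
Added example for this article; the extension lists and the entropy threshold are
assumptions chosen for the demo, not values from the original text."""
import hashlib
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Names chosen to sort first and last: malware walking a directory in order
# touches a decoy early, before most real documents.
HONEY_NAMES = ["aaa_do_not_open.docx", "zzz_archive.xlsx"]
RANSOM_EXTS = {".ryk", ".encrypted", ".locked"}   # assumption: small demo list
DOC_EXTS = {".doc", ".docx", ".xls", ".xlsx", ".pdf", ".txt"}
EXEC_EXTS = {".exe", ".scr", ".js", ".vbs", ".bat", ".cmd"}
ENTROPY_THRESHOLD = 7.5   # bits per byte: text is ~4-5, ciphertext is close to 8


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 8.0 means every byte value is equally likely."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def sha256(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def plant_honey_files(root: Path) -> dict:
    """Write low-entropy decoy documents and return {name: sha256} as the baseline."""
    baseline = {}
    for name in HONEY_NAMES:
        (root / name).write_bytes(b"Quarterly report placeholder. " * 100)
        baseline[name] = sha256(root / name)
    return baseline


def scan(root: Path, baseline: dict) -> list:
    """Return sorted (finding, file name) pairs; an empty list means nothing suspicious."""
    findings = []
    for name, digest in baseline.items():          # 1. were the decoys touched?
        p = root / name
        if not p.exists():
            findings.append(("honey_file_missing", name))
        elif sha256(p) != digest:
            findings.append(("honey_file_modified", name))
    for p in root.iterdir():
        if not p.is_file():
            continue
        sfx = [s.lower() for s in p.suffixes]
        if sfx and sfx[-1] in RANSOM_EXTS:          # 2. known ransom extension
            findings.append(("ransom_extension", p.name))
        elif len(sfx) > 1 and sfx[-1] in EXEC_EXTS and sfx[-2] in DOC_EXTS:
            findings.append(("double_extension", p.name))        # 3. invoice.pdf.exe
        elif sfx and sfx[-1] in DOC_EXTS and shannon_entropy(p.read_bytes()) > ENTROPY_THRESHOLD:
            findings.append(("high_entropy_document", p.name))   # 4. encrypted in place
    return sorted(findings)


def keystream(key: bytes, n: int) -> bytes:
    """SHA-256 in counter mode: a stand-in for the cipher real malware would use."""
    out = bytearray()
    for ctr in range(0, n, 32):
        out += hashlib.sha256(key + ctr.to_bytes(8, "big")).digest()
    return bytes(out[:n])


def simulate_attack(root: Path) -> None:
    """Constructed sample attack: encrypt every document, renaming half of them the
    way Ryuk does (file.docx -> file.docx.RYK) and overwriting the rest in place,
    then drop an executable disguised as a PDF."""
    key = os.urandom(32)
    docs = sorted(p for p in root.iterdir() if p.suffix.lower() in DOC_EXTS)
    for i, p in enumerate(docs):
        data = p.read_bytes()
        ciphertext = bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))
        if i % 2 == 0:
            p.with_name(p.name + ".RYK").write_bytes(ciphertext)
            p.unlink()
        else:
            p.write_bytes(ciphertext)
    (root / "invoice.pdf.exe").write_bytes(b"MZ" + b"\x00" * 64)   # fake PE lure


def demo() -> list:
    """Run the whole exercise in a temporary directory and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "budget.xlsx").write_bytes(b"Line item;amount\n" * 200)  # a user's own file
        baseline = plant_honey_files(root)
        clean = scan(root, baseline)           # nothing is flagged before the attack
        simulate_attack(root)
        return clean + scan(root, baseline)


if __name__ == "__main__":
    for finding, name in demo():
        print(f"{finding:24s} {name}")
```

Running the script prints six findings: both decoys missing, their renamed .RYK copies, the user's spreadsheet that was overwritten in place and now has ciphertext-like entropy, and the invoice.pdf.exe lure. A real anti-ransom tool would watch the decoys with a filesystem notification API and kill the writing process on the first change rather than scanning afterwards; the point of the example is the detection logic, not the response.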