The alarms went off this week.
Two researchers from the Higher Council for Scientific Research (CSIC) complained on social networks that they had been without internet access for days.
One of them requested in a letter to the director of EL PAÍS published this Tuesday the immediate restoration of the systems so that the projects in progress are not delayed.
That same day, the Ministry of Science and Innovation released a statement acknowledging that the body suffered a ransomware-type cyberattack on July 16 and 17, similar to the one that has also affected the network of Max Planck research institutes or NASA this month.
According to the Ministry, the National Cryptologic Center (CCN), the CNI body in charge of ensuring the cybersecurity of public institutions, activated a protocol on July 18 that involved disconnecting all CSIC systems to prevent the spread of the ransomware.
"To date, no loss of sensitive or confidential information has been detected," the Ministry also said.
It added that the investigation places the origin of the cyberattack in Russia, something that various sources consulted by this newspaper consider premature to assert, because one of the basic characteristics of cyberattacks, and one that makes them so attractive to criminals, is the ease with which their origin can be masked.
Defense Minister Margarita Robles insisted on Wednesday that the threat was attributable to the Russians.
@chaconlaborg Last week, after a minor ransomware attack the Spanish cybersecurity authorities (CCN and COCS) decided to disconnect from the internet the whole Spanish national research council (CSIC).
Our primary research agent is inoperative and nobody cares.
– Pablo Chacon (@PabloCh83144236) July 29, 2022
Ransomware has been the preferred resource of cybercriminals for a few years.
It is a type of cyberattack that encrypts the data of a system and then asks for a ransom in exchange for releasing it.
The recommendation of the authorities is not to pay, but many do.
Those who give in to the blackmail usually try to keep it quiet, but there have still been notorious cases.
Among the most recent is that of Colonial Pipeline, one of the largest oil pipelines in the US. After suffering a ransomware attack that paralyzed its activities, the authorities decided to pay the five million dollars demanded to release its systems and restore service.
The investigation into what has happened at the CSIC is still ongoing, so secrecy prevails over the particulars of the case.
However, the situation the organization is going through is familiar to dozens of Spanish companies: this type of attack is at a peak moment, fueled even more by Russia's invasion of Ukraine.
According to data from Check Point, in the second quarter of 2022, global cyberattacks increased by 32% compared to the same period in 2021. The average number of weekly attacks per organization worldwide reached 1,200 threats, an all-time high.
The CSIC claims to receive some 260,000 intrusion attempts daily.
How exactly does this type of computer virus operate?
What can be done to counter it?
Is there an alternative to paying the ransom?
EL PAÍS reconstructs, with the help of cybersecurity experts, what those who fall prey to ransomware experience.
1. Infection: everything works apparently fine
The first phase of the process goes completely unnoticed by the victim.
The cybercriminal looks for a way into the system he wants to attack.
The most common route of entry is through deception techniques by which the victim is enticed to share passwords or other useful confidential information, for example by posing as a bank or vendor and requesting credentials.
Other ways to place the ransomware on the target computer are to disguise it as another program for the user to download (a fake update) or to exploit vulnerabilities in the victim's operating system.
"I have worked for many years with the Administration and you would be surprised to see how common it is even today to come across Windows 2000 or Windows XP," explains an analyst who prefers to remain anonymous.
These operating systems, for which Microsoft no longer publishes updates, were the gateway for the WannaCry ransomware, one of the most devastating in history, which in 2017 infected hundreds of thousands of computers in 150 countries.
A man looks at the notice that his computer has been encrypted. picture alliance (Getty Images)
Once the cybercriminal manages to enter a computer of the organization he is attacking, he has two main objectives.
First, get administrator permissions to gain control of the entire system.
Second, spread the ransomware, or malicious software, as widely as possible so that it reaches as many devices as possible.
When he takes control of several or all of the computers, he can encrypt them and demand a ransom.
Or go a step further: first extract data of interest and then threaten the victim with its publication.
Surprisingly, it doesn't take many people to orchestrate attacks like this.
“It is much simpler than it seems. There is often only one person behind a powerful cyberattack. They even sell applications to develop ransomware at fairly affordable prices on the [networks and technologies that try to preserve the anonymity of their users],” says Marco Lozano, head of Cybersecurity for Companies at the National Cybersecurity Institute (Incibe).
Reporting to the Ministry of Economic Affairs and Digital Transformation, Incibe is the body that supports private companies and individuals that suffer cyberattacks (public entities are the responsibility of the CCN).
When the ransomware is executed, the files start to be encrypted.
“The more sophisticated the attackers are, the more damage they try to do. Normally they will try to encrypt files shared internally on the organization's network, not just those on the infected computer,” illustrates Gergely Revay, systems engineer in the threat intelligence and research division of Fortinet, an American cybersecurity developer.
“They also look at backups, which are the best protection against ransomware, in order to encrypt and override them,” he adds.
2. Detection: I can't open the file
The victims know nothing of what is going on in their computers until one fine day they find that they cannot open a file.
That is the most common way to realize that something is wrong.
It is common for a ransom note to appear outlining instructions for paying the ransom.
“They are usually text files that open automatically if you try to access any folder on the machine. Other cybercriminals bet on changing the wallpaper to make it even more obvious,” details Revay.
There are other signs that can set off alarms.
For example, security tools or backups are disabled.
It is also suspicious if administrator accounts appear that did not exist before.
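The three signs just listed (security tools or backups disabled, administrator accounts that did not exist before, ransom notes appearing in folders) are all things a defender can look for in logs before a user ever reports an unopenable file. The following script is an added example and not code from the original article or from any of the organizations it quotes; it runs a handful of simple rules over constructed, simplified log lines (the format, host names, account names and ransom-note file names are all assumptions made up for the illustration) and correlates the hits per host, since several different signs on one machine in a short window is a much stronger signal than any single one.

```python
import re

# Constructed sample log lines (not from the CSIC incident or any real system),
# in a simplified "timestamp host source message" format.  They model the three
# signs the article lists: security tools or backups being disabled, administrator
# accounts that did not exist before, and ransom notes appearing in shared folders.
SAMPLE_LOGS = """\
2022-07-16T02:11:05 srv-files audit user account created: name=svc_backup2 by=jsmith
2022-07-16T02:11:09 srv-files audit member added to group Administrators: member=svc_backup2 by=jsmith
2022-07-16T02:14:40 srv-files service Volume Shadow Copy entered the stopped state
2022-07-16T02:15:02 srv-files backup scheduled job NightlyFull disabled by svc_backup2
2022-07-16T02:15:30 srv-files av real-time protection disabled by svc_backup2
2022-07-16T03:40:12 ws-042 fs created /srv/share/finance/README_TO_RESTORE.txt
2022-07-16T03:40:13 ws-042 fs created /srv/share/hr/README_TO_RESTORE.txt
2022-07-16T08:05:00 ws-017 audit user account created: name=mlopez by=hr_admin
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (.*)$")

# Detection rules as (name, pattern) applied to the message part of each line.
# The ransom-note file names are assumed examples; real tooling would carry a
# maintained list of known note names.
RULES = [
    ("account_created",     re.compile(r"user account created: name=(\S+)")),
    ("new_admin_member",    re.compile(r"member added to group Administrators: member=(\S+)")),
    ("shadow_copy_stopped", re.compile(r"Volume Shadow Copy entered the stopped state")),
    ("backup_job_disabled", re.compile(r"scheduled job (\S+) disabled")),
    ("av_disabled",         re.compile(r"real-time protection disabled")),
    ("ransom_note",         re.compile(r"created (\S*(?:README_TO_RESTORE|HOW_TO_DECRYPT|RECOVER_FILES)\S*)", re.I)),
]


def parse(log_text):
    """Yield one dict per well-formed log line, in file order."""
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if m:
            ts, host, source, msg = m.groups()
            yield {"ts": ts, "host": host, "source": source, "msg": msg}


def scan(log_text):
    """Run every rule over every line; return the list of hits in log order."""
    findings = []
    for ev in parse(log_text):
        for name, rx in RULES:
            m = rx.search(ev["msg"])
            if m:
                findings.append({"rule": name, "host": ev["host"], "ts": ev["ts"],
                                 "detail": m.group(1) if m.groups() else ""})
    return findings


def suspicious_accounts(log_text):
    """Accounts created and then promoted to Administrators within the same log:
    the 'administrator accounts that did not exist before' sign."""
    created, promoted = set(), []
    for f in scan(log_text):
        if f["rule"] == "account_created":
            created.add(f["detail"])
        elif f["rule"] == "new_admin_member" and f["detail"] in created:
            promoted.append(f["detail"])
    return promoted


def host_score(log_text):
    """Number of distinct rules that fired per host.  Several different signs on
    one host within a short window is a far stronger signal than any single one."""
    hits = {}
    for f in scan(log_text):
        hits.setdefault(f["host"], set()).add(f["rule"])
    return {host: len(rules) for host, rules in hits.items()}


if __name__ == "__main__":
    for f in scan(SAMPLE_LOGS):
        print(f"{f['ts']} {f['host']:<10} {f['rule']:<20} {f['detail']}")
    print("created-then-promoted accounts:", suspicious_accounts(SAMPLE_LOGS))
    print("distinct signs per host:", host_score(SAMPLE_LOGS))
```

On the sample, the file server accumulates five distinct signs in four minutes (a new account, its promotion to Administrators, shadow copies stopped, the nightly backup job disabled, real-time protection off), which is the pattern worth paging someone for; the single new account on ws-017 created by an HR administrator during office hours scores one and is the kind of event a per-rule alert would drown in.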
"Sometimes several months pass before the cyberattack shows signs of its presence," says Eusebio Nieva, technical director of Check Point Software for Spain and Portugal.
Attacking a company with 400 employees is not the same as attacking one with 400,000.
The more sophisticated the attack and the larger the prey, the longer the preparations can take, and the larger the victim's cybersecurity teams will be.
In the ransom note, the attackers usually provide some way to contact them.
“It can be an address on TOR [a routed communications system that protects the identity of users], so that you can write directly in a chat to negotiate the price, which is lower the sooner you pay. As the days go by, it increases. If you pay, hopefully the system will be released for you,” says Revay.
3. Reaction: payment or no payment?
The recommendation of authorities and experts is not to pay.
Among other things, because there is no guarantee that, after doing so, the encryption key to recover the systems will actually be received (do not forget that you are dealing with criminals).
But many end up paying.
"I have helped several companies to manage the payment of the ransom," says Deepak Daswani, a cybersecurity consultant.
“They usually ask for it in bitcoins. The amount varies depending on the size of the company. If they ask you for 5,000 euros, you would still rather pay and forget about it. It is true that there is more knowledge of cryptocurrencies now, but ransomware has been active since 2013 and back then hardly anyone knew how to operate with them,” he notes.
What can those who decide not to give in to blackmail do?
"There are two types of companies: those that have contingency plans, some security policy that allows them to restore activity in the event of an incident, and those that do not have a plan B. The latter are the ones that concern us most," underlines Lozano, of Incibe.
Main facade of the CSIC headquarters.
Response plans have their own manual, and the CCN is following its own to resolve the CSIC incident.
The theory marks a series of stages in the response: containment, identification, incident mitigation, recovery and post-incident analysis.
Part of the work can be done remotely, but it is normal for technicians to go on site to check the attacked equipment and coordinate with the staff of the attacked company or organization.
"Everything will depend on at what point in the process you discovered the attack," summarizes Fortinet's Revay.
“If it has been discovered early, before any destruction or data extraction, the first thing is to try to identify patient zero, which machine was infected first and which ones followed, and then analyze which part of the system is compromised,” he explains.
This seems to be the stage the CSIC is at.
“If your data has already started to be encrypted, the situation is different: your move is to try to restore the systems as soon as possible. That is why it is crucial to have backup copies and know how to protect them. At the same time, it is necessary to investigate how they managed to get into the systems and reestablish control, so that they no longer have administrator powers,” continues Revay.
Having hybrid backups, which keep the information on external servers and on disconnected memory sticks, is today the best guarantee of withstanding a ransomware attack.
There are also advanced tools capable of inferring anomalous behavior of the operating system, such as that which arises when an encryption process starts.
They help buy time and get ahead of the cybercriminal.
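The "anomalous behavior" such tools infer when an encryption process starts is mostly a statistical one: documents that normally sit at four or five bits of entropy per byte are suddenly rewritten, or renamed with a new extension, as near-random data, and often a decoy file nobody should ever edit gets touched along the way. The script below is an added example, not code from the article or from any vendor it quotes, and it models that check in the simplest possible form: two snapshots of a folder held in memory (the file names, contents and thresholds are constructed assumptions for the illustration), a Shannon entropy measure, and an alert when several files flip to high entropy in one window or the canary file changes.

```python
import math
import random
from collections import Counter

ENTROPY_THRESHOLD = 7.2   # bits per byte; text sits around 4-5, encrypted or compressed data near 8
BURST_THRESHOLD = 3       # distinct files turning high-entropy within one comparison window


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def detect_encryption_burst(before, after, canary=None):
    """Compare two snapshots (file name -> bytes) of a watched folder.

    Flags (a) files whose content jumped from low to high entropy, (b) new
    high-entropy files, which is what an in-place rename to a new extension looks
    like, and (c) any change to a decoy 'canary' file that no legitimate process
    should touch.  Returns a dict with the verdict and the supporting file lists.
    """
    e_before = {name: shannon_entropy(data) for name, data in before.items()}
    e_after = {name: shannon_entropy(data) for name, data in after.items()}

    flipped = [n for n in after if n in before
               and e_before[n] < ENTROPY_THRESHOLD <= e_after[n]]
    new_high = [n for n in after if n not in before and e_after[n] >= ENTROPY_THRESHOLD]
    canary_touched = canary is not None and after.get(canary) != before.get(canary)

    alert = len(flipped) + len(new_high) >= BURST_THRESHOLD or canary_touched
    return {"alert": alert, "flipped": flipped, "new_high": new_high,
            "canary_touched": canary_touched}


# Constructed sample data (not real files).  A seeded generator keeps the
# "encrypted" content reproducible; real ciphertext has the same near-8-bit entropy.
_rng = random.Random(7)
CANARY = "CANARY_do_not_touch.txt"
PLAIN = {f"report_{i}.txt": b"Quarterly results and notes for the lab. " * 120 for i in range(4)}
PLAIN[CANARY] = b"decoy file placed by the defender " * 50

# Scenario 1: a user edits one document; the content stays low-entropy.
BENIGN_AFTER = dict(PLAIN)
BENIGN_AFTER["report_0.txt"] = PLAIN["report_0.txt"] + b" Added a closing paragraph."

# Scenario 2: every file rewritten in place with high-entropy bytes.
ENCRYPTED_AFTER = {name: _rng.randbytes(4096) for name in PLAIN}

# Scenario 3: every file replaced by a high-entropy copy under a new extension.
RENAMED_AFTER = {name + ".locked": _rng.randbytes(4096) for name in PLAIN}


if __name__ == "__main__":
    for label, snap in (("benign edit", BENIGN_AFTER),
                        ("in-place encryption", ENCRYPTED_AFTER),
                        ("rename + encryption", RENAMED_AFTER)):
        print(label, "->", detect_encryption_burst(PLAIN, snap, canary=CANARY))
```

The benign edit produces no alert, while both attack scenarios trip it twice over (the burst count and the canary). A real agent would feed this from a file-change notification stream and throttle I/O for the offending process the moment the verdict flips, which is exactly the "buy time" effect the text describes; the entropy thresholds need tuning per environment, because a folder of legitimately compressed or encrypted archives will look high-entropy from the start, which is why the canary file is a useful second signal that does not depend on content statistics.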
4. Outcome: recover systems or start from scratch
But there are attacks so sophisticated that they have no solution.
“There are times when you have to set up a new network, when the cybercriminals have got so deep into it that it is impossible to restore and it is better to start from scratch,” acknowledges a cybersecurity expert who does not want to give his name.
A recent Google report highlights that some companies are forced to close because they never recover from a cyberattack that cost them their key databases.
If, on the contrary, the situation is under control, it is time to clean up machine after machine and, once there is no trace of the ransomware left, the system can return to normal operation.
Then begins the analysis of what happened, whose objective is to take measures so that it does not happen again.
It is also about identifying the author of the attack.
“Depending on the type of ransomware, the design of the campaigns and the tools used, we can have a preliminary idea of the geographical origin of the attack, but determining precisely whether there is an organization or a specific individual behind it is a mission that is often impossible,” points out Nieva, from Check Point.