The State Public Employment Service (SEPE) is the latest victim of Ryuk, a computer hijacking virus – ransomware – born in August 2018 and allegedly run by the Russian group Grim Spider. But it will not be the only one, because it is a difficult problem to eradicate. Ryuk is constantly evolving, incorporating new capabilities that make its attacks difficult to counter, such as spreading between computers that are not even turned on, says Josep Albors, head of research at the cybersecurity company ESET Spain. “Since the beginning of this year it has had characteristics that make it more dangerous in terms of its speed and ability to spread,” he explains.
Ryuk's threat is not indiscriminate. The recent evolution of viruses such as the one keeping the SEPE systems down on Tuesday points to criminal groups with specific interests. “This type of attack is aimed at quite large companies and organizations. It's not like a few years ago. They have long realized that most people if they close their files they do not pay. They go to those who know that they are going to pay it because they have essential information for the proper functioning of the company or because there is confidential data,” says Albors.
A study conducted by the security firms AdvIntel and Hyas put at more than 150 million dollars the profits reaped by Ryuk since its inception in 2018, after tracking ransoms paid in bitcoin to addresses attributable to criminals who use this virus.
In this respect, according to Gerardo Gutiérrez, director of SEPE, the attack suffered by the entity defies the usual patterns. Although the agency confirms that the techniques used correspond to those of a computer hijacking and points to Ryuk as its architect, Gutiérrez denies that money has been demanded or that there has been a theft of data, reports Daniel Lara. "We think it is an attack on the reputation of the institution," reasons the director of the entity.
Luis Corrons, who works as a security evangelist at Avast – the person in charge of explaining to users and potential clients the risks of attacks and possible solutions – is skeptical. “This is not a new attack. If you figure the information it is because then you are going to ask for a ransom so that the owner can recover it. If what you want is to do harm, you directly destroy,” he reasons. But he agrees with Albors that private users don't have to worry about finding Ryuk hijacking files stored on their personal computer. “A company not only has a lot more money, it also has a lot more at stake. The damage that can be done is enormous,” he says. “In the United States, I know of many cases where the ransom has been paid. And they decide to do it precisely because they have contracted insurance that covers their payment, which only adds to the problem.”
Teleworking and weak links
The individuals who can be affected are employees who use their personal computers to work remotely. "If when you telework you connect to your company network, your computer could be affected even when you are not at the office," warns Corrons. The prevention measures that individuals can take bring us back to the basic precautions that we must adopt in any of our interactions on the Internet: do not click where we should not.
Although it is not known exactly how the infection that led to the hijacking of the computers occurred, the Avast expert explains that there are not many possible scenarios. “They are usually reduced to a user who has punctured where he should not. They send you an email, they fall, they infect your computer and from there they have already moved throughout the SEPE. It could be that, but also some vulnerability, for example, a badly configured server.”
The hijacking is the final step of an offensive that begins much earlier. In the first phase, criminals identify potential entry points. Once inside the castle, the value of the information contained in the infected computer is determined. "If there is not much profit, they begin to make lateral movements to see what they want to encrypt," says Albors. Thus, the increasing sophistication of the steps prior to the encryption of the files tangles matters further.
For the moment, Corrons rules out that cybercriminals will change their strategy to refocus their attacks on private users' computers, since betting on the big fish is still profitable. “The money you can get from a large company is a lot and for the company it is not so much. Surely they get more expensive every day that they cannot work.”