What is ransomware?

According to recent studies, Brazil ranks among the countries with the highest incidence of cyberattacks, and of ransomware attacks in particular. That matters because businesses and public services now depend on their systems being available.

Personal information and corporate databases are constant targets. The larger and more sensitive a company's data, the higher the ransom that is demanded for it.

But after all, what is ransomware and how does it work?

Ransomware is a type of malware with which criminals "kidnap" data: they encrypt it so that it becomes inaccessible to users, corporate networks, and company or personal servers and storage, then demand payment for the decryption key.

Attacks against stored data, whether on local disks or in the cloud, have been a major problem for companies for years.

Some reports rank Brazil as the second most attacked country in the world, a position usually attributed to weak cybersecurity practices, lack of investment, and negligence in online protection.

In recent years, corporate antivirus solutions have become increasingly effective against commodity malware, fulfilling their purpose of detecting or removing known threats from physical or virtual servers.

However, another method of intrusion has become common: attackers reach services exposed on open ports (remote access, file sharing, and management interfaces), use them to gain a foothold, and then install malicious code that frequently goes undetected by security tools and even by system administrators.

According to Sophos's State of Ransomware 2020 report, presented by Sophos marketing director Sally Adam:

"94% of organizations whose data was encrypted were able to recover it. More than twice as many recovered it via backups (56%) as by paying the ransom (26%)."

Source: https://news.sophos.com/pt-br/2020/05/12/o-estado-do-ransomware-2020/

The first ransomware attack in history

Ransomware is highly sophisticated and widely spread across the internet. But the concept of holding information hostage started a long time ago. 

The first ransomware attack occurred in 1989 and was carried out by Joseph L. Popp, an evolutionary biologist with a doctorate from Harvard. He took advantage of the AIDS epidemic of the 1980s to spread his ransomware.

During that decade, information about the AIDS virus was being widely circulated. Popp had access to subscriber lists from the WHO and from PC Business World magazine.

Using those lists, he mailed roughly 20,000 floppy disks labeled "AIDS Information Introductory Diskette" to the recipients, which of course piqued their curiosity.

The diskette included a document with step-by-step installation instructions. The license agreement stated that by installing the program, the user agreed to pay $378 to the company behind it, PC Cyborg Corporation.

After a period of time (roughly 90 reboots of the machine), the program activated, scrambled the file and directory names on the C: drive, and displayed a message indicating that the software lease had expired and that payment was required to release the files.

This ransomware became known as the AIDS Trojan. Its scheme was relatively simple: it used symmetric encryption, meaning the same key was used to encrypt and to decrypt, and that key was stored inside the program itself.

To undo the damage, one only had to locate the key in the software and use it to reverse the scrambling, which is exactly what the first decryption tools did.

Joseph Popp was arrested after being identified. He set a major precedent for a new kind of crime: cybercrime.

The evolution of ransomware

Following that first attack by Joseph Popp, data became prime targets — and ransomware was quickly seen as a highly profitable type of cyberattack. 

But just as technology constantly evolves, so did ransomware. Over the years, it has become more efficient and far more damaging to its victims. 

Cryptomalware

Even with the attention brought by the AIDS Trojan, the idea of ransomware only resurfaced in 1995, in the academic "cryptovirology" work of Adam Young and Moti Yung. The goal was to improve on the original concept, making it harder to reverse and more profitable for cybercriminals.

The new design used asymmetric encryption. Unlike the AIDS Trojan, which used the same key to encrypt and decrypt, it used two different keys: a public key embedded in the malware to encrypt, and a private key that never leaves the attacker to decrypt. Reverse engineering the program therefore yields no usable key. This variant became known as cryptomalware.
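The two key-management models described above (the AIDS Trojan's embedded symmetric key, and the cryptomalware design with an attacker-held private key) can be contrasted in a few lines of code. This is an added illustration written for this article, not code from the original page or from any real malware. Both ciphers are deliberately weak toys: a SHA-256-based XOR keystream stands in for the symmetric cipher, and textbook RSA over two Mersenne primes stands in for the asymmetric wrapping. The sample dictionaries `AIDS_SAMPLE` and `CRYPTO_SAMPLE` are assumptions modelling what an analyst could extract from each binary.

```python
"""Why the AIDS Trojan was reversible and cryptomalware is not (toy model)."""
import hashlib
import secrets


# ---------- shared toy symmetric cipher: CTR-style XOR keystream ----------
def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with a SHA-256(key || nonce || counter) keystream. Toy only."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream.extend(hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest())
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


# ---------- 1989 model: one static key shipped inside the program ----------
EMBEDDED_KEY = b"static-key-inside-the-binary"  # constructed stand-in for the real key


def aids_style_encrypt(plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(8)
    return nonce + keystream_xor(EMBEDDED_KEY, nonce, plaintext)


AIDS_SAMPLE = {"embedded_key": EMBEDDED_KEY}  # what reverse engineering the binary yields


def analyst_recover_aids_style(ciphertext: bytes, sample: dict) -> bytes:
    """The analyst reads the key out of the sample and decrypts without paying."""
    nonce, body = ciphertext[:8], ciphertext[8:]
    return keystream_xor(sample["embedded_key"], nonce, body)


# ---------- 1995 model: per-file key wrapped with the attacker's public key ----------
# Textbook RSA with two Mersenne primes (2^89-1, 2^107-1). Insecure; the modulus is
# only large enough (~196 bits) to wrap a 16-byte file key in a single block.
P, Q = (1 << 89) - 1, (1 << 107) - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent: stays on the attacker's server
ATTACKER_PUBLIC = (N, E)
ATTACKER_PRIVATE = D


def crypto_style_encrypt(plaintext: bytes, public=ATTACKER_PUBLIC):
    """Encrypt with a fresh symmetric key, then wrap that key with the public key."""
    n, e = public
    file_key = secrets.token_bytes(16)  # 128 bits < n, so one RSA block suffices
    nonce = secrets.token_bytes(8)
    wrapped_key = pow(int.from_bytes(file_key, "big"), e, n)  # only d can unwrap
    return wrapped_key, nonce + keystream_xor(file_key, nonce, plaintext)


def attacker_decrypt(wrapped_key: int, ciphertext: bytes, d=ATTACKER_PRIVATE, n=N) -> bytes:
    """What the attacker does after payment: unwrap the file key, then decrypt."""
    file_key = pow(wrapped_key, d, n).to_bytes(16, "big")
    nonce, body = ciphertext[:8], ciphertext[8:]
    return keystream_xor(file_key, nonce, body)


CRYPTO_SAMPLE = {"rsa_public": ATTACKER_PUBLIC}  # the binary carries no private key


def analyst_recover_crypto_style(wrapped_key: int, ciphertext: bytes, sample: dict):
    """Everything extractable from a cryptomalware sample is public. Without the
    private exponent there is no key to recover; return None to signal that."""
    if "rsa_private" not in sample:
        return None
    n, _ = sample["rsa_public"]
    return attacker_decrypt(wrapped_key, ciphertext, sample["rsa_private"], n)


if __name__ == "__main__":
    msg = b"payroll-2020.xls"
    print(analyst_recover_aids_style(aids_style_encrypt(msg), AIDS_SAMPLE))  # recovered
    w, c = crypto_style_encrypt(msg)
    print(analyst_recover_crypto_style(w, c, CRYPTO_SAMPLE))  # None: nothing to recover
    print(attacker_decrypt(w, c))  # only the key holder gets the plaintext back
```

The point of the model is the asymmetry of information: in the 1989 design the decryption secret travels with the malware, so analysis of a single sample frees every victim; in the cryptomalware design the sample contains only the public key, and each file's key exists in the clear only on the attacker's side. That is also why, in practice, the way out of a modern infection is backups or a flaw in the operator's implementation, not the sample itself.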

The idea of receiving ransom in digital currency also appeared at that time, even though cryptocurrencies hadn’t yet been invented. It was a futuristic vision for the time.

Blocking ransomware

The evolution continued. Starting around 2007, blocking (locker) ransomware emerged. Instead of encrypting files, it interfered directly with the operating system, locking the user out of the computer entirely.

When locked, the machine displayed a message demanding payment to unlock it. In many cases it was possible to regain access without paying: because the files themselves were untouched, a skilled technician could remove the lock or boot from other media and recover the data.

Hybrid ransomware

To overcome the weakness of blocking ransomware, hybrid ransomware appeared in 2013, combining system locking with cryptomalware.

In addition to locking the computer, it also encrypted the data. Even if users managed to unlock their systems, the data remained encrypted.

At this point, cryptocurrencies were already being used for ransom payments.

Ransomware continued to develop, and in 2016 attacks began to grow exponentially.

Ransomware began to be sold as a service: there was no longer any need to be a programmer, you simply chose the ransomware you wanted and purchased or rented it, with the developers taking a cut of the ransoms. The industry became extremely profitable.

Today, ransomware is widely distributed across the globe. And don’t assume only businesses are targeted — although they are the most profitable.

 Personal data from everyday users is also a common target, and confidential information is frequently stolen, with ransoms demanded to prevent public disclosure. 

 Don’t be fooled into thinking the internet is completely safe or that your data is secure. Cybercriminal groups specializing in digital crimes actively target this information. 

Brazil, a constant target of ransomware attacks

According to research by SonicWall, a digital security company, Brazil was the 6th most targeted country in the world for ransomware in 2020, with over 1 million attacks.

The same study showed that malware attacks decreased by 24% worldwide in 2020 compared to 2019. Brazil went against the trend: in June 2020 there was a sudden spike in attack volume, contrary to the global drop.

On April 28, 2021, the TJ-RS (Court of Justice of the State of Rio Grande do Sul) suffered a large-scale ransomware attack that left its systems inaccessible for at least 24 hours.

In an interview with Tilt, a technology website, Judge Antonio Vinicius Amaro Silveira from the court’s communications council stated:

“We’ve had attempted attacks before, but never anything on this scale. It’s unprecedented.”

Main entry points used by cybercriminals

One of the most common strategies used by cybercriminal gangs is to exploit security flaws to gain a foothold and then deploy the malware. That is why you need to know the 6 most frequently used entry points:

  • Websites with Flash-based animations (Flash reached end of life in December 2020, but the same exploit-kit pattern applies to any outdated browser plugin);
  • Emails with unverified attachments and malicious links;
  • Pirated software such as OS activators (cracks and keygens) that carry malicious payloads;
  • Clicking on misleading ads or suspicious URLs;
  • Outdated or obsolete devices that no longer receive security patches;
  • Unnecessary open ports exposing services with known security flaws.
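The last entry point on the list is the easiest to audit mechanically. The script below, an added example that is not part of the original page, reads the output of `ss -tlnp` (captured on a Linux host) and flags every service bound to all interfaces that is not on an approved list, calling out ports that ransomware operators routinely brute-force or exploit. The `SS_OUTPUT` sample is constructed for the example, and `RISKY_PORTS` is an illustrative list, not an official one; adjust both to your environment.

```python
"""Flag listening services exposed on all interfaces that are not approved."""
import re

# Constructed sample of `ss -tlnp` output; not captured from a real host.
SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       128     127.0.0.1:5432      0.0.0.0:*          users:(("postgres",pid=900,fd=5))
LISTEN  0       50      0.0.0.0:445         0.0.0.0:*          users:(("smbd",pid=1011,fd=12))
LISTEN  0       128     0.0.0.0:3389        0.0.0.0:*          users:(("xrdp",pid=1200,fd=7))
LISTEN  0       128     [::]:443            [::]:*             users:(("nginx",pid=1300,fd=6))
LISTEN  0       128     [::]:23             [::]:*             users:(("telnetd",pid=1400,fd=4))
LISTEN  0       128     0.0.0.0:8080        0.0.0.0:*          users:(("java",pid=1500,fd=9))
"""

# Services routinely brute-forced or exploited by ransomware operators when they
# are reachable from untrusted networks. Illustrative list (assumption).
RISKY_PORTS = {
    21: "FTP", 23: "Telnet", 135: "MS-RPC", 139: "NetBIOS",
    445: "SMB", 1433: "MSSQL", 3389: "RDP", 5900: "VNC",
}

# Bind addresses that mean "every interface", i.e. reachable from the network.
ALL_INTERFACES = {"0.0.0.0", "[::]", "*"}


def parse_ss(text):
    """Yield (bind_address, port, process_name) for each LISTEN line."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue  # skips the header and any non-listening sockets
        addr, port = fields[3].rsplit(":", 1)  # handles "[::]:443" as well as IPv4
        match = re.search(r'\("([^"]+)"', line)  # process name inside users:(("name",...))
        yield addr, int(port), (match.group(1) if match else "?")


def audit_listeners(text, allowlist):
    """Return one finding per network-exposed listener that is not allowlisted."""
    findings = []
    for addr, port, proc in parse_ss(text):
        if addr not in ALL_INTERFACES:
            continue  # loopback-only binds are not reachable from other hosts
        if port in allowlist:
            continue
        if port in RISKY_PORTS:
            reason = f"{RISKY_PORTS[port]} exposed: known ransomware entry point"
        else:
            reason = "not on the approved-service list"
        findings.append({"port": port, "process": proc, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in audit_listeners(SS_OUTPUT, allowlist={22, 443}):
        print(f"port {f['port']:>5}  {f['process']:<10} {f['reason']}")
```

Run it against real output with `ss -tlnp | python3 audit.py` after changing the script to read `sys.stdin`; on Windows the same check can be done over `netstat -ano`. The postgres listener is not reported because it is bound to 127.0.0.1, which is the correct fix for any service that only local processes need: bind it to loopback or put it behind a VPN rather than leaving it reachable and hoping the password holds.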

Given how many ways attackers have to get into a machine, perhaps the most dangerous of them is negligence, followed closely by lack of attention.

Today there is no shortage of security tooling: antivirus, endpoint protection and anti-malware systems. But the most effective control is still the user, who can also be the biggest weakness. That is why it is essential to invest in cybersecurity awareness.

Protecting a company's entire IT ecosystem also means investing in the digital education of all employees, so that they do not fall for spam emails or phishing scams.

Regardless of how expensive the technology is or how meticulous the infrastructure team is with firewalls and policies, if employees do not browse and handle email responsibly, everything can still be compromised.


Understanding how hacker attacks work

To draw a simple comparison: the encrypted data is the symptom, the intrusion that let the malware in is how the system got "sick," and the ransomware itself is the disease.

The goal of criminal hackers, whatever the case, is to get paid, usually in cryptocurrency, in exchange for releasing the decryption keys for the encrypted data. Increasingly, they also steal a copy of the data first and threaten to publish it if the ransom is not paid.

It is rare for an attacker to launch a ransomware campaign just to destroy data or disable systems without demanding payment; the motive is almost always financial.

Every action cybercriminals take is calculated, and each attack is driven by a clear intention — often causing significant damage.

Cybercrimes carried out with the help of malicious insiders often include a commission paid to the employee once the company decides to pay the ransom to recover its data.

The ransomware decryption process

Digital Recovery has a multidisciplinary team of specialists who can support you through the process of decrypting files affected by ransomware.

We consider all possible scenarios to help your company restore encrypted data from servers, databases, or even virtual machines — even when there are no backups available.

The most effective approach is not to pay the hackers, since in many cases they keep the money and do not provide working decryption keys for all of the affected systems.

Few companies truly invest in developing the advanced technologies needed to recover data from ransomware.

That’s why our company positions itself as a secure bridge in the middle of this crisis scenario.

The process of reverse engineering and building tailored recovery solutions is not easy — despite what some media outlets or self-proclaimed recovery “experts” may claim.

Digital Recovery – experts in ransomware decryption

We operate advanced research labs and have specialists who develop technologies specifically designed to recover files encrypted by ransomware. We take strategic actions during one of the most sensitive moments for companies and users.

Get in touch with us and allow us to restore your files. We are recognized for our unwavering philosophy: we believe it’s possible!

Our solutions can be performed remotely, eliminating the need to ship your device to one of our labs — significantly reducing recovery time.

In just four steps, the decryption process can begin — with no need to remove your equipment from the company premises.

Talk to our sales team to see if your case qualifies for fully remote service.

Contact us now and start the decryption process for your files.
