The Sudden Rise of Ransomware and Data Hacking (April 2, 2024)
Ransomware refers to malicious software in which a hacker encrypts the victim’s system or data to make it inaccessible and demands a ransom payment.
In Start-Up, a popular television series by tvN, the protagonist’s start-up company is attacked by ransomware and receives a threat from the hacker that all recovery keys for the encrypted files will be destroyed if they don’t transfer 300 million KRW within 12 hours.
Scenes from Start-Up depicting a ransomware attack (tvN)
The attack starts when a newly hired developer opens Port 20 to connect it to the server using SSH (Secure Shell) for remote work, and since it’s still in the beta-testing stage, the files have not even been backed up.
In the end, the protagonist comes in to find a trace of a suspicious file in the Scheduler library and eventually defeats the ransomware by obtaining the restore keys.
While the incident is described only briefly in the show, ransomware, spyware, and phishing attacks that plant malicious code on a computer to steal customer data are an extremely common type of data security incident.
What is Ransomware?
Ransomware is a form of malicious software (malware) that blocks access to computer systems or files until a certain amount of money or ransom is paid. Such cyberattacks involve encrypting victims’ data, rendering it inaccessible. Attackers commonly demand payment in cryptocurrency in exchange for the decryption key or unlocking the system. According to the Threat Intelligence Index published by IBM Security X-Force in 2023, 17% of cyberattacks that occurred in 2022 were ransomware attacks.
Ransomware spreads via phishing emails and malicious websites, as well as by exploiting software flaws. It uses malicious code to break into the system and encrypts the files or the entire system, limiting or blocking victims’ access to the data. Afterward, attackers permanently delete the files or demand a ransom payment, threatening that they will increase the amount of ransom if it’s not paid by the deadline.
A Case of a Ransomware Attack in Vietnam
There was a client in Vietnam who had been operating an outdated ERP for roughly 10 years and opted to have it migrated to the cloud. This was because a Vietnamese corporation took over their Thai factory, which housed the server, requiring the ERP database to be transferred to the cloud.
While migrating this 10-year-old, 20TB database (MySQL) to Vietnam, the administrator accidentally exposed the database server on the internet and received the following email two days later.
“To recover your lost database, send 0.02 Bitcoin (BTC) to our Bitcoin address.
……………….. After this, contact us by email with your server IP or domain name and proof of payment (payment ID).
Your database is downloaded and backed up on our servers. Any email without your server IP address or domain name and proof of payment together will be ignored. If we don’t receive your payment within the next 10 days, we will delete or leak your sensitive information.”
As of December 1, 2023, 1 BTC is worth about 30 million KRW; thus, 0.02 BTC is about 600,000 KRW.
Although this is not a large sum of money, attackers would give back only part of the data upon receiving the payment and demand another ransom for the remaining data. At first, they propose a small ransom for relatively unimportant data and then demand a much larger amount of money in exchange for crucial data. Furthermore, most SMEs don’t possess a Bitcoin account or don’t know how to make a transfer using one. With these repeated payments, the total amount of ransom soon reaches 10 million or even 100 million KRW.
How is a System Hacked?
To find out whether your system has been hacked, you should first check the logs and find the IP addresses that connected to your database server, so you can identify their country and region.
If the database server uses a public IP or is exposed to the outside world, hackers can figure out its IP and port information without much hassle. (There are even websites that give access to such information.)
Ransomware hackers also leave a note specifying their demands somewhere the system administrator will easily come across it. In the image below, you can see how the hacker kindly left the amount of Bitcoin to be paid in a MySQL table, along with their Bitcoin address and a throwaway email address.
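The log review described above, as an added example that is not part of the original post: it reads simplified, constructed MySQL-style log lines, tallies failed and successful logins per source IP, and flags sources that are outside the administrator's allowlist, that show repeated failures, or that eventually logged in after failing. The log format, the allowlist (`10.0.0.0/8`) and the sample addresses are all assumptions made for this example.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines in a simplified MySQL-style log format (not real log data).
# The first five lines model password guessing from one external address that
# finally succeeds; the last two model normal traffic from the internal network.
SAMPLE_LOG = """\
2023-12-01T02:14:07Z 12 [Warning] [Server] Access denied for user 'root'@'203.0.113.45' (using password: YES)
2023-12-01T02:14:09Z 13 [Warning] [Server] Access denied for user 'root'@'203.0.113.45' (using password: YES)
2023-12-01T02:14:11Z 14 [Warning] [Server] Access denied for user 'admin'@'203.0.113.45' (using password: YES)
2023-12-01T02:14:12Z 15 [Warning] [Server] Access denied for user 'root'@'203.0.113.45' (using password: YES)
2023-12-01T02:15:30Z 16 [Note] [Server] Connect  root@203.0.113.45 on erp_db
2023-12-01T03:01:00Z 17 [Note] [Server] Connect  erp_app@10.0.1.25 on erp_db
2023-12-01T03:02:00Z 18 [Warning] [Server] Access denied for user 'erp_app'@'10.0.1.26' (using password: NO)
"""

DENIED_RE = re.compile(r"Access denied for user '([^']+)'@'([\d.]+)'")
CONNECT_RE = re.compile(r"Connect\s+([^@\s]+)@([\d.]+)")


def is_allowed(ip, allowed_nets):
    """True if the address falls inside one of the allowlisted networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in allowed_nets)


def triage_connections(log_text, allowed_cidrs, failure_threshold=3):
    """Summarise login activity per source IP and attach triage reasons.

    Returns {ip: {"failed": n, "succeeded": n, "users": [...], "reasons": [...]}}.
    An empty "reasons" list means nothing about that source looked suspicious.
    """
    allowed_nets = [ipaddress.ip_network(c) for c in allowed_cidrs]
    stats = defaultdict(lambda: {"failed": 0, "succeeded": 0, "users": set()})

    for line in log_text.splitlines():
        m = DENIED_RE.search(line)
        if m:
            user, ip = m.groups()
            stats[ip]["failed"] += 1
            stats[ip]["users"].add(user)
            continue
        m = CONNECT_RE.search(line)
        if m:
            user, ip = m.groups()
            stats[ip]["succeeded"] += 1
            stats[ip]["users"].add(user)

    report = {}
    for ip, s in stats.items():
        reasons = []
        if not is_allowed(ip, allowed_nets):
            reasons.append("source outside allowlist")
        if s["failed"] >= failure_threshold:
            reasons.append(f"{s['failed']} failed logins (password guessing)")
        if s["failed"] and s["succeeded"]:
            # The pattern the post's case describes: guessing, then a working login.
            reasons.append("successful login after failures")
        report[ip] = {"failed": s["failed"], "succeeded": s["succeeded"],
                      "users": sorted(s["users"]), "reasons": reasons}
    return report


if __name__ == "__main__":
    for ip, entry in triage_connections(SAMPLE_LOG, ["10.0.0.0/8"]).items():
        status = "; ".join(entry["reasons"]) or "ok"
        print(f"{ip:15} failed={entry['failed']} ok={entry['succeeded']} users={entry['users']} -> {status}")
```

The flagged address is the one to look up by country and region; that lookup needs a GeoIP database or an online service and is deliberately left out so the script runs offline. Note that the internal address with a single failure is not flagged: one mistyped password from the application subnet is noise, while four failures followed by a success from an unknown network is the pattern worth escalating.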
A normal database server is vulnerable to hacking if it:
- allows remote access from the outside
- uses default values in MySQL (username and port values)
- uses simple passwords (12345678, pass1234, etc.)
- leaves inactive or suspicious accounts in place
- doesn’t carry out automatic updates or patches for a long time
Preventing Ransomware Attacks
Protecting a database server from hacking requires effort from users. While AWS is said to be an extremely secure cloud platform, it’s still important to take basic precautions.
The following are strategies proposed by the Ministry of Science and ICT and the Korea Internet & Security Agency to prevent ransomware attacks.
- Build a web application database using a 3-tier architecture
- Do not allow external IPs or ports to access the database (Don’t use default port values for key services)
- If allowing external access, make sure it is via SSH and grant access only to certain accounts
- Perform regular backups
- Change passwords regularly
- Encrypt each database table individually
- Do not use default port values
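The two checklists above (the conditions that make a database server vulnerable, and the Ministry's prevention measures) can be turned into a self-check. The following is an added example, not code from the original post: it audits a `[mysqld]` configuration fragment for an all-interfaces `bind-address` and the default port, and audits an account inventory for a remotely reachable default `root` user, weak or short passwords, and accounts idle beyond a threshold. The configuration fragments, the account list, the 12-character minimum and the 90-day inactivity threshold are all assumptions made for this example; MySQL does not store passwords in recoverable form, so the password check stands for a policy check applied when a password is set.

```python
import configparser

# The post's examples of weak passwords, plus a few common defaults (assumed).
WEAK_PASSWORDS = {"12345678", "pass1234", "password", "root", "admin", ""}
MIN_PASSWORD_LENGTH = 12  # assumed policy value

# Constructed my.cnf fragment for a server exposed the way the post's case describes.
EXPOSED_CNF = """\
[mysqld]
bind-address = 0.0.0.0
port = 3306
"""

# Constructed fragment after hardening: private address only, non-default port.
HARDENED_CNF = """\
[mysqld]
bind-address = 10.0.1.10
port = 33061
"""

# Constructed account inventory: (user, host pattern, password at set time, days idle).
ACCOUNTS = [
    {"user": "root", "host": "%", "password": "12345678", "idle_days": 2},
    {"user": "erp_app", "host": "10.0.1.%", "password": "Xk9#vL2pQ!7r", "idle_days": 0},
    {"user": "temp_dev", "host": "%", "password": "pass1234", "idle_days": 210},
]


def audit_mysqld_config(cnf_text):
    """Return a list of findings for the [mysqld] section of a my.cnf-style text."""
    cp = configparser.ConfigParser(allow_no_value=True, interpolation=None)
    cp.read_string(cnf_text)
    findings = []
    section = cp["mysqld"] if cp.has_section("mysqld") else {}
    # MySQL listens on all interfaces when bind-address is not set, so treat
    # a missing key the same as 0.0.0.0.
    bind = section.get("bind-address", "0.0.0.0")
    if bind in ("0.0.0.0", "::", "*"):
        findings.append("bind-address allows connections from any interface")
    if section.get("port", "3306") == "3306":
        findings.append("default port 3306 in use")
    return findings


def audit_accounts(accounts, inactive_after_days=90):
    """Return a list of findings for an account inventory."""
    findings = []
    for a in accounts:
        if a["user"] == "root" and a["host"] == "%":
            findings.append("root is reachable from any host (default account with remote access)")
        elif a["host"] == "%":
            findings.append(f"{a['user']} is reachable from any host")
        if a["password"] in WEAK_PASSWORDS or len(a["password"]) < MIN_PASSWORD_LENGTH:
            findings.append(f"{a['user']}: weak or short password")
        if a["idle_days"] > inactive_after_days:
            findings.append(f"{a['user']}: inactive for {a['idle_days']} days, review or remove")
    return findings


if __name__ == "__main__":
    for label, cnf in (("exposed", EXPOSED_CNF), ("hardened", HARDENED_CNF)):
        print(f"[{label} config]", audit_mysqld_config(cnf) or "no findings")
    print("[accounts]")
    for f in audit_accounts(ACCOUNTS):
        print(" -", f)
```

The hardened fragment yields no findings, while the exposed one reproduces the first two items of the checklist; the account audit catches the default `root` user with a trivial password and a long-idle developer account, which is exactly the kind of leftover the post warns about. Changing the port is not a substitute for restricting access: the `bind-address` check is the one that actually keeps the server off the public internet.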
Above all, implementing preventive measures and backups is key to security management.
In collaboration with various security management solutions in Vietnam and Korea, Tech Valley offers cybersecurity solutions that assess the level of security at companies, encrypt their databases and data, detect break-ins, and so forth. This is primarily done using technology and experts specializing in cloud solutions as well as technological partnerships with third-party solutions.
Vietnam IT Blogger | Tech Valley CEO Doyeon (Patrick) Kim
go2hanoi (KakaoTalk), patrick@techvalley.biz
** The copyright for this post is owned by Patrick Kim. This content is intended for publication, and individuals seeking to quote or reproduce it must obtain prior permission.
Feb. 21, 2024 · Translated and Published by Uptempo Global