
Ransomware is changing its image. Do victims pay the ransom, how do you protect yourself, and what should you do in the event of a ransomware attack?

The main news since the beginning of last month has been reports of hacker groups around the world extorting money for stolen and encrypted data. May was therefore marked by a number of major cyberattacks involving ransomware.


Liverpool's subway was hit by a LockBit ransomware attack, the court system of a Brazilian state was shut down by malicious file encryption on its computers, and the Babuk Locker hackers who attacked the Metropolitan Police Department of the District of Columbia threatened to reveal police informants unless a ransom was paid.

The Conti attack seriously undermined Ireland's healthcare system, and insurance giant AXA was subjected to a ransomware attack in which hackers stole 3 TB of confidential data from AXA's Asian units.

The targets of all these attacks, unfortunately, are critical infrastructure, government bodies and commercial and social institutions that serve as life-support systems for our daily lives. Attacks on such facilities by criminal groups can therefore have far-reaching consequences.


Even a company like Apple was not spared: the brand fell victim to extortionists. The Sodinokibi cybercriminal group stole confidential information about the brand's future products (MacBook laptops and other devices) using the REvil ransomware, by hacking into the systems of Quanta Computer, an Apple partner. The hackers demanded a ransom of $50 million from Quanta Computer by April 27 and threatened to publish more than a dozen diagrams and drawings of components. It was also noted that the ransom could be reduced from $50 million to $20 million if it was paid by May 7. Later, the REvil operators removed the stolen Apple schematics from their leak site for unknown reasons. In the same month, stolen data from another large company was offered for sale on the darknet.

The Spanish food delivery service Glovo, popular with Ukrainians, also suffered a hacker attack, during which the data of tens of millions of users (160 GB of data including names, phone numbers and passwords) was put up for sale for $85,000.

Toyota suffered two cyberattacks in May: the first hit the European operations of Daihatsu Diesel Company, a Toyota subsidiary, and later Toyota Auto Parts Manufacturing Mississippi discovered another ransomware attack. Reports say some financial and customer data was stolen and published by the attackers.


The largest ransomware attack of the period halted the largest US pipeline. On May 6, the operator of the Colonial Pipeline was hit by a cyberattack by the DarkSide group, as a result of which the company was forced to suspend fuel transportation along the entire 9,000-kilometer length of the pipeline. DarkSide penetrated the Colonial Pipeline network and exfiltrated almost 100 GB of data. After taking the data, the hackers locked data on some computers and servers and demanded a ransom, threatening to leak the data if it was not paid. The Colonial Pipeline website was unavailable, and the company itself admitted that transportation, suspended on May 7, would resume only on May 15-16.

The scale of the attack on Colonial Pipeline was comparable to the NotPetya incidents and the SolarWinds attack.


The reality of ransomware is stunning: 92% of organizations do not get all of their data back, even after paying the ransom. Nevertheless, 32% of companies in 2021 are still willing to pay, hoping for a full recovery of their information. Because of this willingness of companies to accept any terms set by criminal groups, in just the first three months of 2021 the average ransom increased significantly and now stands at $220,000, compared with $154,000 in the last three months of 2020. Even after paying such enormous sums, a third of organizations have not been able to recover more than half of their encrypted data.

It is also worth noting that the concept of a ransomware attack is evolving day by day, and such attacks now include payment demands even without data encryption. Attackers demand payment in exchange for not leaking the stolen information on the Internet. But even after paying the extortionists in this case, the company has no guarantees and cannot count on being protected from the publication or sale of this data. After all, does it make sense to rely on the honesty of fraudsters?

Ransomware threats almost always have costly consequences for business, including disruptions and theft of confidential data. So is it worth taking such a costly risk?


Ransomware readiness has become so essential for all organizations that even executives and directors recognize it as part of their responsibility for the operation of the business. The team at CrowdStrike, a developer of cybersecurity systems that protects thousands of companies, including ones the size of Amazon, from hackers, regularly assists organizations with training, preventive protection and response to ransomware attacks. The company has published some of the practices it recommends in such a turbulent time.

1. Hardening applications exposed to the Internet

It is not recommended to expose RDP directly to the Internet. Attackers exploit single-factor authentication and unmanaged Internet-facing applications, and regularly target systems through Remote Desktop Protocol (RDP) that is reachable from the Internet.

It is recommended that you use a VPN with multifactor authentication and make sure that any CVEs affecting the VPN platform and the underlying authentication application are prioritized for patching. This principle should apply to all remote access methods, as well as to Active Directory (AD) and Citrix Gateway.
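A quick way to check the first recommendation is to audit your firewall or cloud security-group ingress rules for remote-access ports that are open to untrusted source ranges. The script below is an added example, not CrowdStrike's or iIT Distribution's code: the rule format, the trusted ranges (RFC 1918 space) and the sample rules are constructed, and it goes beyond the article's RDP case by also flagging SSH, VNC and WinRM, since the text says the same principle applies to all remote access methods.

```python
import ipaddress

# Added example, not code from the article, CrowdStrike or iIT Distribution.
# Rule dictionaries below are constructed to resemble cloud security-group
# or firewall ingress rules; adapt the field names to your own export format.

# Remote-access services that belong behind a VPN with MFA rather than being
# reachable from the Internet. RDP is the case the article names; the others
# are an assumed extension of the same principle.
REMOTE_ACCESS_PORTS = {
    3389: "RDP",
    22: "SSH",
    5900: "VNC",
    5985: "WinRM",
    5986: "WinRM-HTTPS",
}

# Assumed trusted source ranges: RFC 1918 space plus IPv6 unique-local space.
TRUSTED_SOURCES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("fd00::/8"),
]


def source_is_trusted(cidr: str) -> bool:
    """True if the whole source range lies inside one trusted range."""
    src = ipaddress.ip_network(cidr, strict=False)
    return any(src.version == t.version and src.subnet_of(t) for t in TRUSTED_SOURCES)


def exposed_services(rule: dict) -> list:
    """Names of remote-access services this ingress rule exposes to untrusted sources."""
    if rule.get("direction", "ingress") != "ingress":
        return []
    if rule.get("protocol", "tcp") not in ("tcp", "any"):
        return []
    if source_is_trusted(rule["source"]):
        return []
    lo, hi = rule["from_port"], rule["to_port"]
    # A wide port range (e.g. 3000-6000) silently includes several admin ports.
    return [name for port, name in sorted(REMOTE_ACCESS_PORTS.items()) if lo <= port <= hi]


def audit_rules(rules: list) -> list:
    """One finding line per (rule, exposed service) pair."""
    findings = []
    for rule in rules:
        for svc in exposed_services(rule):
            findings.append(f"{rule['id']}: {svc} reachable from {rule['source']}")
    return findings


# Constructed sample rule set (not from any real environment).
SAMPLE_RULES = [
    {"id": "sg-web-https", "direction": "ingress", "protocol": "tcp",
     "from_port": 443, "to_port": 443, "source": "0.0.0.0/0"},
    {"id": "sg-rdp-anywhere", "direction": "ingress", "protocol": "tcp",
     "from_port": 3389, "to_port": 3389, "source": "0.0.0.0/0"},
    {"id": "sg-rdp-vpn", "direction": "ingress", "protocol": "tcp",
     "from_port": 3389, "to_port": 3389, "source": "10.20.0.0/16"},
    {"id": "sg-admin-range", "direction": "ingress", "protocol": "tcp",
     "from_port": 3000, "to_port": 6000, "source": "203.0.113.0/24"},
    {"id": "sg-egress-all", "direction": "egress", "protocol": "any",
     "from_port": 0, "to_port": 65535, "source": "0.0.0.0/0"},
]

if __name__ == "__main__":
    for line in audit_rules(SAMPLE_RULES):
        print(line)
```

Only `sg-rdp-anywhere` and the wide `sg-admin-range` rule produce findings; RDP restricted to the VPN pool (`sg-rdp-vpn`) and the HTTPS rule pass, and the egress rule is ignored.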

2. Implementing and improving e-mail security

The most common tactic is to catch the victim organization with a phishing email. Typically, these phishing emails contain a malicious link or attachment that delivers a payload to the recipient's workstation.

Therefore, it is recommended that you implement an email security solution that filters URLs and sandboxes attachments. In addition, organizations may prohibit users from receiving password-protected zip files, executable files, JavaScript files or Windows Installer package files unless there is a legitimate business need. Adding an "[External]" tag to emails from outside the organization and a warning banner at the top of the email helps remind users to exercise caution when handling such emails.

Users should also have a documented process for reporting any emails they are unsure of. In addition, organizations should consider restricting users' access to personal email accounts.
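The attachment and tagging rules in this section can be expressed as a small mail-gateway policy. The following is an added example written for this article, not code from CrowdStrike or iIT Distribution: it parses a raw message with Python's standard `email` library, flags executable, JavaScript and Windows Installer attachments, detects password-protected ZIP files by reading the "encrypted" flag bit in the archive's local file headers (no extraction), and prepends the "[External]" tag plus a banner when the sender is outside the organization. The organization domain `example.com`, the blocked extension list and the sample messages are assumptions.

```python
import email
import email.policy
import email.utils
import io
import os
import zipfile
from email.message import EmailMessage

# Added example, not code from the article, CrowdStrike or iIT Distribution.
ORG_DOMAIN = "example.com"  # assumed organization domain (placeholder)

# Attachment types the article suggests blocking without a business need
# (.jse added here as a second JavaScript extension; an assumption).
BLOCKED_EXTENSIONS = {".exe", ".js", ".jse", ".msi"}
EXTERNAL_TAG = "[External]"
EXTERNAL_BANNER = ("CAUTION: This email came from outside the organization. "
                   "Do not open attachments or follow links unless you expect them.")


def zip_has_encrypted_entries(data: bytes) -> bool:
    """Detect password-protected ZIP entries without extracting anything.
    Each local file header starts with PK\\x03\\x04; bit 0 of the 2-byte
    general-purpose flag word at offset 6 marks the entry as encrypted.
    The scan is deliberately conservative: a stray signature inside file
    data can only produce a false positive, never a miss."""
    pos = data.find(b"PK\x03\x04")
    while pos != -1 and pos + 8 <= len(data):
        flags = int.from_bytes(data[pos + 6:pos + 8], "little")
        if flags & 0x1:
            return True
        pos = data.find(b"PK\x03\x04", pos + 4)
    return False


def is_external(msg: EmailMessage) -> bool:
    """Sender domain outside ORG_DOMAIN (or missing) counts as external."""
    _, addr = email.utils.parseaddr(str(msg.get("From", "")))
    domain = addr.rpartition("@")[2].lower()
    return domain != ORG_DOMAIN


def evaluate_message(raw: bytes) -> dict:
    """Apply the attachment policy and external tagging to one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = os.path.splitext(name.lower())[1]
        payload = part.get_payload(decode=True) or b""
        if ext in BLOCKED_EXTENSIONS:
            findings.append(f"blocked attachment type: {name}")
        elif ext == ".zip" and zip_has_encrypted_entries(payload):
            findings.append(f"password-protected archive: {name}")
    external = is_external(msg)
    subject = str(msg.get("Subject", ""))
    if external and not subject.startswith(EXTERNAL_TAG):
        subject = f"{EXTERNAL_TAG} {subject}"
    return {
        "external": external,
        "subject": subject,
        "banner": EXTERNAL_BANNER if external else "",
        "findings": findings,
        "action": "quarantine" if findings else "deliver",
    }


# --- constructed test inputs (not real messages or archives) ---

def make_zip(entry_name: str, content: bytes, encrypted_flag: bool = False) -> bytes:
    """Build a small ZIP; optionally set the 'encrypted' flag bit on its first
    local header to emulate a password-protected archive (zipfile cannot encrypt)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(entry_name, content)
    data = bytearray(buf.getvalue())
    if encrypted_flag:
        data[6] |= 0x1  # first local file header is at offset 0; flag word at offset 6
    return bytes(data)


def build_sample(sender: str, attachment_name: str, attachment_bytes: bytes) -> bytes:
    """Constructed message with one binary attachment."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = f"user@{ORG_DOMAIN}"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see the attached file.")
    msg.add_attachment(attachment_bytes, maintype="application",
                       subtype="octet-stream", filename=attachment_name)
    return msg.as_bytes()


if __name__ == "__main__":
    for sender, name, data in [
        ("billing@vendor.example", "invoice.exe", b"MZ\x90\x00"),
        ("alice@example.com", "report.pdf", b"%PDF-1.4"),
        ("hr@vendor.example", "docs.zip", make_zip("payroll.docm", b"macro", encrypted_flag=True)),
    ]:
        print(evaluate_message(build_sample(sender, name, data)))
```

Checking the ZIP flag bit rather than trying to open the archive is what lets a gateway reject password-protected archives it cannot inspect; in a real deployment the `findings` list would feed a quarantine queue and the user reporting process mentioned above.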

3. Endpoint protection

During the lifecycle of an attack that ends with the deployment of ransomware, attackers often use a number of methods to exploit endpoints. These methods range from abusing Active Directory misconfigurations to using public exploits against unpatched systems or applications.

That is why we have to:

  • Provide full coverage of all endpoints in your network with endpoint security products and an endpoint detection and response (EDR) platform.
  • Develop a vulnerability and patch management program.
  • Follow Active Directory security guidelines: avoid weak passwords and weak authentication methods; avoid giving regular domain users local administrator privileges and avoid using the same local administrator password across the entire enterprise; restrict traffic between workstations; avoid sharing privileged credentials.

4. Offline backup

The only reliable way to save data during a ransomware attack is backups that are protected from ransomware. When designing a stand-alone backup infrastructure protected from ransomware, keep in mind that:

  • Stand-alone backups, as well as their indexes (which describe what data they contain), must be completely separated from the rest of the infrastructure.
  • Access to such networks must be controlled through strict access control lists (ACLs), and all authentication must use multifactor authentication (MFA).
  • Administrators who have access to both the stand-alone and the production infrastructure should not reuse account passwords between them.
  • Cloud storage services with strict ACLs and rules can also serve as a stand-alone backup infrastructure.
  • Emergencies, such as a ransomware attack, should be the only case in which the stand-alone infrastructure is allowed to connect to the existing network.

5. Restricting access to virtualization management infrastructure

Newer attacks go after virtualized infrastructure directly. This approach targets the hypervisor that runs the virtual machines and stores their disk files (VMDKs). As a result, endpoint security products installed inside the virtual machines do not see malicious actions aimed at the hypervisor.

Many ESXi (VMware hypervisor) systems do not have the Secure Shell (SSH) service enabled by default and are usually managed through vCenter. Where SSH is disabled, attackers use previously stolen administrator credentials to enable SSH on all ESXi hosts, so:

  • Restrict access to ESXi hosts to a small number of systems and make sure that these systems have proper endpoint monitoring.
  • Make sure SSH access is disabled or, where it is needed, protected by MFA.
  • Make sure that passwords are unique and secure for each ESXi host, as well as for the web client.

6. Implementing an identity and access management (IAM) program


Any organization can fall victim to ransomware campaigns with seven-figure ransom demands, but much can be done to stop criminals. The damage a company can suffer from a single such attack can be ten times the cost of prevention and modern protection. Moreover, every malicious action against an organization leads not only to material losses but also damages the company's business reputation, brand and market position. iIT Distribution helps you avoid such risks.

iIT Distribution specializes in advanced information security solutions. We not only supply software and hardware but also provide a full range of support and consulting services. We offer an initial examination and assessment of your enterprise's information security, carried out by highly qualified specialists, the selection of equipment and software, and the implementation of comprehensive cybersecurity solutions in your existing infrastructure, so you can be sure of your protection!

Contact us through the feedback form on the website and get advice from professionals!

