
How to protect your corporate network from ransomware (EN)


The Sudden Rise of Ransomware and Data Hacking

Ransomware refers to malicious software in which a hacker encrypts the victim’s system or data to make it inaccessible and demands a ransom payment.

In Start-Up, a popular television series by tvN, the protagonist’s start-up company is attacked by ransomware and receives a threat from the hacker that all recovery keys for the encrypted files will be destroyed if they don’t transfer 300 million KRW within 12 hours. 

Scenes from Start-Up depicting a ransomware attack (tvN)

The attack starts when a newly hired developer opens Port 20 to connect it to the server using SSH (Secure Shell) for remote work, and since it’s still in the beta-testing stage, the files have not even been backed up. 
In the end, the protagonist comes in to find a trace of a suspicious file in the Scheduler library and eventually defeats the ransomware by obtaining the restore keys. 
While the incident is described only briefly in the show, ransomware, spyware, and phishing attacks that hide malicious code on a computer to steal customer data are an extremely common type of data security incident.

What is Ransomware?

Ransomware is a form of malicious software (malware) that blocks access to computer systems or files until a certain amount of money or ransom is paid. Such cyberattacks involve encrypting victims’ data, rendering it inaccessible. Attackers commonly demand payment in cryptocurrency in exchange for the decryption key or unlocking the system. According to the Threat Intelligence Index published by IBM Security X-Force in 2023, 17% of cyberattacks that occurred in 2022 were ransomware attacks.

Ransomware spreads via phishing emails and malicious websites, as well as by exploiting software flaws. It uses malicious code to break into the system and encrypts the files or the entire system, limiting or blocking victims’ access to the data. Afterward, attackers permanently delete the files or demand a ransom payment, threatening that they will increase the amount of ransom if it’s not paid by the deadline.

A Case of a Ransomware Attack in Vietnam

There was a client in Vietnam who had been operating an outdated ERP for roughly 10 years and opted to have it migrated to the cloud. This was because a Vietnamese corporation took over their Thai factory, which housed the server, requiring the ERP database to be transferred to the cloud. 
While migrating this 10-year-old, 20TB database (MySQL) to Vietnam, the administrator accidentally exposed the database server on the internet and received the following email two days later.

“To recover your lost database, send 0.02 Bitcoin (BTC) to our Bitcoin address.

……………….. After this, contact us by email with your server IP or domain name and proof of payment (payment ID).

Your database is downloaded and backed up on our servers. Any email without your server IP address or domain name and proof of payment together will be ignored. If we don't receive your payment within the next 10 days, we will delete or leak your sensitive information.”

As of December 1, 2023, 1 BTC is worth about 30 million KRW, so 0.02 BTC is about 600,000 KRW.

Although this is not a large sum of money, attackers would give back only part of the data upon receiving the payment and demand another ransom for the remaining data. At first, they propose a small ransom for relatively unimportant data and then demand a much larger amount of money in exchange for crucial data. Furthermore, most SMEs don’t possess a Bitcoin account or don’t know how to make a transfer using one. With these repeated payments, the total amount of ransom soon reaches 10 million or even 100 million KRW.

How is a System Hacked?

To find out whether your system has been hacked, first check the logs and identify the IP addresses that connected to your database server, so you can determine their country and region.

If the database server uses a public IP or is otherwise exposed to the outside world, hackers can find its IP and port information without much hassle. (There are even websites that give access to such information.)

Ransomware hackers also leave a note specifying their demands somewhere the system administrator can easily come across it. In the image below, you can see how the hacker kindly left the amount of Bitcoin to be paid in a MySQL table, along with their Bitcoin address and a temporary email address.
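The log triage described above, as an added example that is not from the original post: the script parses "Access denied" lines in the style of the MySQL 8 error log (the sample lines are constructed and use documentation IP ranges), discards sources inside the internal networks you configure (assumed here to be the RFC 1918 ranges plus loopback), and reports each outside IP with its attempt count, time window and the user names it tried. Those IPs are the ones to look up for country and region.

```python
import ipaddress
import re

# Internal ranges are an assumption: replace with the networks your app tier and
# administrators actually connect from.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed sample, modeled on MySQL 8 error-log "Access denied" lines (MY-010926);
# the addresses are from documentation ranges, not real attackers.
SAMPLE_LOG = """\
2023-12-01T02:15:33.102938Z 12 [Note] [MY-010926] [Server] Access denied for user 'root'@'203.0.113.5' (using password: YES)
2023-12-01T02:15:34.220411Z 13 [Note] [MY-010926] [Server] Access denied for user 'root'@'203.0.113.5' (using password: YES)
2023-12-01T02:15:35.003117Z 14 [Note] [MY-010926] [Server] Access denied for user 'admin'@'203.0.113.5' (using password: YES)
2023-12-01T02:16:01.555001Z 15 [Note] [MY-010926] [Server] Access denied for user 'erp_app'@'10.0.2.17' (using password: NO)
2023-12-01T03:40:12.000000Z 20 [Note] [MY-010926] [Server] Access denied for user 'root'@'198.51.100.23' (using password: YES)
"""

DENIED_RE = re.compile(
    r"^(?P<ts>\S+)\s+\d+\s+\[\w+\]\s+\[MY-010926\]\s+\[Server\]\s+"
    r"Access denied for user '(?P<user>[^']*)'@'(?P<host>[^']+)'"
)


def is_external(host):
    """True unless host is an IP inside INTERNAL_NETS (a hostname counts as external)."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return True
    return not any(ip in net for net in INTERNAL_NETS)


def parse_denied(log_text):
    """Extract (timestamp, user, host) from every Access-denied line."""
    return [(m["ts"], m["user"], m["host"])
            for m in map(DENIED_RE.match, log_text.splitlines()) if m]


def external_sources(log_text, threshold=2):
    """Map each external host with at least `threshold` denied logins to
    (attempt count, first timestamp, last timestamp, sorted user names tried)."""
    attempts = {}
    for ts, user, host in parse_denied(log_text):
        if not is_external(host):
            continue
        entry = attempts.setdefault(host, {"n": 0, "first": ts, "last": ts, "users": set()})
        entry["n"] += 1
        entry["last"] = ts
        entry["users"].add(user)
    return {h: (e["n"], e["first"], e["last"], sorted(e["users"]))
            for h, e in attempts.items() if e["n"] >= threshold}


if __name__ == "__main__":
    for host, (n, first, last, users) in external_sources(SAMPLE_LOG).items():
        print(f"{host}: {n} denied logins {first}..{last} as {', '.join(users)}")
```

On the sample, 203.0.113.5 is reported with three attempts against two user names, while the single attempt from 198.51.100.23 only appears once the threshold is lowered to 1; the internal 10.0.2.17 failure (an application account without a password) is left for normal operations follow-up rather than the intrusion list.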

Example of a typical ransomware attack (MySQL table) Source: Google Search

A normal database server is vulnerable to hacking if it:

  • allows remote access from the outside
  • uses MySQL defaults (the default username and port)
  • uses simple passwords (12345678, pass1234, etc.)
  • has inactive or suspicious accounts left enabled for an attacker to use
  • hasn't received automatic updates or patches for a long time

Preventing Ransomware Attacks

Protecting a database server from hacking requires effort from users. While AWS is said to be an extremely secure cloud platform, it’s still important to take basic precautions. 

The following are strategies proposed by the Ministry of Science and ICT and the Korea Internet & Security Agency to prevent ransomware attacks. 

  • Build a web application database using a 3-tier architecture
  • Do not allow external IPs or ports to access the database (Don’t use default port values for key services)
  • If allowing external access, make sure it is via SSH and grant access only to certain accounts
  • Perform regular backups 
  • Change passwords regularly
  • Encrypt each database table individually
  • Do not use default port values
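A script that checks a MySQL server against both lists above, the weaknesses under "A normal database server is vulnerable" and the items from the Ministry/KISA list that can be verified from configuration (external access, default port, the default root account, password age, inactive accounts, patch age), as an added example that is not the post's code nor any agency's. The my.cnf fragments, account rows and thresholds (90 days for passwords and idle accounts, 30 days for patches) are constructed assumptions, and the internal ranges are RFC 1918 plus loopback; replace them with your own. Backups, the 3-tier layout and per-table encryption are not configuration values and are not checked here.

```python
import ipaddress
from dataclasses import dataclass

# Assumed internal ranges; set to the networks your app tier actually uses.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed [mysqld] fragments, not from the post: the weak one beside the corrected one.
WEAK_CNF = """\
[mysqld]
port = 3306             # MySQL default
bind-address = 0.0.0.0  # listens on every interface, including the public one
"""

HARDENED_CNF = """\
[mysqld]
port = 33306             # non-default port (assumed choice)
bind-address = 10.0.2.5  # private address reachable only from the app tier
"""

# Passwords named in the post plus a few generic ones; a real deployment would
# enforce this with MySQL's validate_password component rather than a hand-kept list.
COMMON_PASSWORDS = {"12345678", "pass1234", "password", "root", "admin"}


@dataclass
class Account:
    user: str
    host: str               # host pattern as in mysql.user; '%' = any host
    password_age_days: int  # days since the password was last changed
    idle_days: int          # days since the last successful login (assumed tracked)
    locked: bool = False


def parse_mysqld_cnf(text):
    """Return key/value settings from the [mysqld] section (comments stripped)."""
    settings, in_mysqld = {}, False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("["):
            in_mysqld = line == "[mysqld]"
        elif in_mysqld and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            settings[key.replace("_", "-")] = value  # my.cnf accepts either spelling
    return settings


def listens_externally(bind_address):
    """True if the server accepts connections from outside INTERNAL_NETS."""
    if bind_address in ("*", "::", "0.0.0.0"):
        return True
    try:
        ip = ipaddress.ip_address(bind_address)
    except ValueError:
        return True  # a hostname: cannot prove it is internal
    return not any(ip in net for net in INTERNAL_NETS)


def is_weak_password(pw):
    """Reject the simple passwords the post names and anything short or single-class."""
    return pw.lower() in COMMON_PASSWORDS or len(pw) < 12 or pw.isdigit() or pw.isalpha()


def audit(cnf_text, accounts, days_since_last_patch,
          max_password_age=90, max_idle_days=90, max_patch_age=30):
    """Return findings matching the weaknesses the post lists; an empty list means clean."""
    cfg = parse_mysqld_cnf(cnf_text)
    findings = []
    if cfg.get("port", "3306") == "3306":
        findings.append("default-port")
    if listens_externally(cfg.get("bind-address", "*")):  # '*' is MySQL's default
        findings.append("external-access")
    for a in accounts:
        if a.locked:
            continue
        if a.user == "root" and a.host == "%":
            findings.append("default-user-any-host:root")
        if a.password_age_days > max_password_age:
            findings.append(f"stale-password:{a.user}@{a.host}")
        if a.idle_days > max_idle_days:
            findings.append(f"inactive-account:{a.user}@{a.host}")
    if days_since_last_patch > max_patch_age:
        findings.append("unpatched")
    return findings


# Constructed account rows for the two scenarios.
WEAK_ACCOUNTS = [
    Account("root", "%", password_age_days=400, idle_days=3),
    Account("erp_app", "10.0.2.%", password_age_days=30, idle_days=0),
    Account("old_dev", "%", password_age_days=700, idle_days=365),
]
HARDENED_ACCOUNTS = [
    Account("root", "localhost", password_age_days=30, idle_days=1),
    Account("erp_app", "10.0.2.%", password_age_days=30, idle_days=0),
    Account("old_dev", "%", password_age_days=700, idle_days=365, locked=True),
]

if __name__ == "__main__":
    print("weak:    ", audit(WEAK_CNF, WEAK_ACCOUNTS, days_since_last_patch=200))
    print("hardened:", audit(HARDENED_CNF, HARDENED_ACCOUNTS, days_since_last_patch=7))
```

The weak scenario produces seven findings (default port, external listener, root reachable from any host, two stale passwords, one dormant account, missing patches); the hardened one produces none, which is the state to re-check on a schedule rather than once.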

Above all, implementing preventive measures and backups is key to security management. 

In collaboration with various security management solutions in Vietnam and Korea, Tech Valley offers cybersecurity solutions that assess the level of security at companies, encrypt their databases and data, detect break-ins, and so forth. This is primarily done using technology and experts specializing in cloud solutions as well as technological partnerships with third-party solutions.


Vietnam IT Blogger | Tech Valley CEO Doyeon (Patrick) Kim

go2hanoi (KakaoTalk),  patrick@techvalley.biz

** The copyright for this post is owned by Patrick Kim. This content is intended for publication, and individuals seeking to quote or reproduce it must obtain prior permission.

Feb. 21, 2024 | Translated and Published by Uptempo Global
