Paris (AFP)
The insurer MMA, the online ticket seller MisterFly or the specialist in commercial animation CPM France have just been added to the long list of companies or institutions victims of ransomware, a scourge which continues to grow. .
Ransomware allows cybercriminals to encrypt company files, successfully crippling all or part of their business. The hackers then demand a ransom to decrypt the files.
Their actions are less spectacular than the hacks of global personalities' Twitter accounts reported last week, but can cost the impacted businesses hundreds of millions of dollars.
And they are more and more numerous, warn specialists.
"There is a development of all that is ransomware at the moment with an almost military approach: targeting, planning, execution", explained for example at the beginning of July Guillaume Poupard, the director general of Anssi, guardian of the French computer security .
"To give you an example, 28 ransomware targets called the Anssi last week or were called by the Anssi," he continued in front of an audience of cybersecurity specialists. "The curve of cases looks like an exponential (...) we are running after fires."
The tactics of criminal groups are more and more evolved and more and more "professional", note the observers.
"Major cybercriminals today operate in networks," explains Ivan Fontarenski, technical manager of threat intelligence at the French technology giant Thales.
- "Improve investigative capacity" -
"They communicate with each other, share their tools, + challenge + each other their modus operandi, give each other sound advice and challenge each other through ever more advanced attack campaigns," he continues. "It is not a question of a simple logic of cooperation but of real emulation."
Ransomware attacks are now perpetrated by "very organized" groups who will often spend "1, 2 or 3 months integrating into the business environment" before striking, notes Gérôme Billois, from firm Wavestone, which often acts as cyber fire brigade for attacked companies.
"These are extremely profitable attacks for the authors, with returns that can reach 400, even 800%" in relation to the resources committed, he estimates.
A worrying phenomenon in recent months, attackers have increasingly blackmailed the publication of data, threatening to sell or publish the data of affected companies, or their customers.
A terrible blow to the reputation of these companies, whose legal liability can also be engaged if flaws are demonstrated in the protection of personal data in their custody.
Faced with this proliferation, it is necessary to strengthen the defenses of companies, but also "to improve the investigative capacity" of the authorities after an attack and "the judicial treatment" of cases, underlines Gérôme Billois.
According to Guillaume Poupard, these efforts exist and are starting to bear fruit.
"The positive point is that thanks to" effective international cooperation, "we begin to know how to observe the attackers, we begin to know who they are attacking even before the encryption has started" in their victims, he said. explained on July 2. "When we see them moving, we have 48 hours to intervene .. we had some particularly more interesting weekends" where "cases which could have turned into drama" were avoided.
Among the most cited criminal groups in recent months are Maze (alias ATK 161), author in particular of the attack against Bouygues Construction last January, ATK103 (alias TA505) at the origin of the attack against the Rouen University Hospital, ATK168 (aka Sodinokibi), ATK182 (aka Netwalker).
© 2020 AFP