Ransomware red alert: ‘It’s become an industry’


When Vasu Jakkal is asked what keeps her up at night, the answer comes at once: ransomware (rançongiciel in French). The young woman is an engineer, a graduate of both an Indian and an American university, and holds an MBA from Stanford. For the past two years, she has headed a cybersecurity department at Microsoft. She admits that ransomware gives her headaches, and that the situation is getting worse rather than better. “It has become an industry in its own right. It targets businesses as much as individuals, particularly vulnerable people.”

In this area, the Microsoft executives interviewed last month in Seattle explain, all the lights are red. They speak of a global “pandemic” to describe the wave of ransomware attacks. They try to reassure their customers and their interlocutors with an abundance of resources: 8,500 people assigned to the security of networks and applications, 4 billion dollars in annual investment, a global presence, and collaboration with governments, police, and thousands of companies, some of them competitors, with whom information is shared without restraint.

But the tide is strong. “A year ago,” explains Vasu Jakkal, “we detected every second 571 attacks related to digital identity breaches, attempts to decipher passwords. Last July, the figure rose to 921 attacks. Today, we’re at 1,287 attempts per second. In total, last year, we fended off 70 billion attacks…”

Cybercrime Multinationals

Global cyberpiracy resembles an interweaving of multinationals organized by trade. Some groups obtain the identities that enable the first phase of intrusion (see below), others develop the viruses, and still others handle execution: intrusion, deployment, management of attacks, collection of ransoms.

The organization charts are those of classic companies: technical management, R & D, marketing, human resources, customer support… Recently, Microsoft took part in the dismantling of an organization which even designated its employee of the month.

A dive into the first level of the Dark Web is already revealing. With a special browser and some connection precautions, you enter a web address that looks like this: http://lockbitapt6vx809tezeeqjofwgh4ds879dslmutr3675nygvokja5uuccip4ykjdsd.onion/

The name “LockBit” in the address is that of the star ransomware group. Based in Russia, it is behind recent large-scale attacks, including attacks on hospitals in France.

A list boasts 14 billion files accessible via a search engine as sophisticated as those of the best online sellers. Filters allow sorting by type of data available, country, city, price (10 dollars for a modest file, 100,000 dollars for a few million complete identities). A query on France lists access to BlaBlaCar, La Poste, and even Pôle emploi accounts.

Sometimes companies refuse to pay, which leads to the disclosure of their data. One thus finds everything about a suburban town hall or a high school. The catalog is extensive: minutes of meetings, contracts, calls for tenders, deliberations, employee contact details.

Another page entitled “leaked data” exposes the attacks in progress: the countdown to an assault on a New Zealand insurer reads, in white letters on a red background, “9D10H30S”; it has nine days left to negotiate or postpone the offensive. The line below offers three possibilities: an immediate payment (in bitcoins) of 1,000 dollars buys the victim twenty-four hours; or else, for 99,999 dollars, a “client” has the choice between purely and simply destroying the victim’s data or appropriating it. For this last eventuality, a sample can be previewed: driver’s license, identity card, bank details, social security number, tax form. An identity thief’s dream. Prices are often negotiable, as are additional services such as delegating an attack to professionals. All one has to do is contact the site through the ad hoc form.

The course of an attack

Back to Redmond, near Seattle, at Microsoft headquarters, for an explanation of the hackers’ modus operandi. Once the company or the administration has been identified, explains Rob Lefferts, one of Microsoft’s security managers, the attacker finds the right person to target. A manager in the finance department will receive a familiar-looking email (easy to fool, since everything about him is already known). The employee clicks on the attachment, which looks like a report or a conference invitation, and the worm is in the apple. “From there, everything goes very quickly,” continues Vasu Jakkal, the Microsoft Security engineer. “In the past, a complete incursion could take months. Today, the average time to act is seventy-two minutes.” In the last phase, the virus is activated; more often than not, it locks every machine it finds.

How does Microsoft go about countering these attacks? Every day, the company analyzes 43 trillion signals from users. A signal is an ordinary interaction, such as sending a file or creating a spreadsheet. Layers of artificial intelligence (AI) continuously examine each element: provenance, structure, movement. If an anomaly is detected, for example as the element passes through an antivirus scanner, the element is marked. If it is then subject to abnormal replication, its contents are dissected. If any suspicious code is found, it is blocked and marked as dangerous.

Above all, these findings are correlated in real time to identify unusual behavior. These clues are cross-referenced and allow emergency measures to be taken: blocking the IP addresses from which attacks originate, diverting flows to traffic sinkholes.
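The staged logic the two paragraphs above describe (mark on odd provenance, dissect on abnormal replication, block on suspicious content, then correlate blocked items back to their source addresses) can be modelled as a small triage pipeline. This is an added illustration, not Microsoft’s code; the telemetry records, field names, the trusted-provenance list and the replication threshold are all constructed for the example.

```python
from collections import defaultdict

# Constructed sample telemetry: one record per observed file event.
# provenance = channel the file entered through, host = machine it landed on,
# src_ip = address it arrived from, macro = whether it carries active content.
EVENTS = [
    {"sha": "aaa1", "provenance": "internal-share", "host": "h1", "src_ip": "10.0.0.5", "macro": False},
    {"sha": "bbb2", "provenance": "external-mail", "host": "h2", "src_ip": "203.0.113.9", "macro": True},
    {"sha": "bbb2", "provenance": "external-mail", "host": "h3", "src_ip": "203.0.113.9", "macro": True},
    {"sha": "bbb2", "provenance": "external-mail", "host": "h4", "src_ip": "203.0.113.9", "macro": True},
    {"sha": "ccc3", "provenance": "external-mail", "host": "h5", "src_ip": "198.51.100.2", "macro": False},
]
TRUSTED = {"internal-share", "internal-build"}  # assumed allowlist of provenances
REPLICATION_LIMIT = 3  # assumed: this many hosts counts as abnormal replication


def triage(events):
    """Run the staged checks and return what each stage selected."""
    marked, hosts_by_sha, ip_by_sha, content = set(), defaultdict(set), defaultdict(set), {}
    for e in events:
        # Stage 1: an element from an untrusted channel is marked for follow-up.
        if e["provenance"] not in TRUSTED:
            marked.add(e["sha"])
        hosts_by_sha[e["sha"]].add(e["host"])
        ip_by_sha[e["sha"]].add(e["src_ip"])
        content[e["sha"]] = e["macro"]
    # Stage 2: only marked elements that spread across many hosts get dissected.
    dissected = {s for s in marked if len(hosts_by_sha[s]) >= REPLICATION_LIMIT}
    # Stage 3: dissected elements carrying active content are blocked.
    blocked = {s for s in dissected if content[s]}
    # Correlation: every source address behind a blocked element is blocked too.
    block_ips = set().union(*(ip_by_sha[s] for s in blocked)) if blocked else set()
    return {"marked": marked, "dissected": dissected, "blocked": blocked, "block_ips": block_ips}


if __name__ == "__main__":
    for stage, items in triage(EVENTS).items():
        print(f"{stage}: {sorted(items)}")
```

The lone external file `ccc3` is marked but never dissected, which shows why replication is used as the trigger for the costlier content inspection.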

Microsoft, global legal aid

And then there is the American judicial machine, of which Microsoft is the zealous partner. One of the buildings on Microsoft’s campus houses the firm’s Digital Crime Unit, its forensic investigation center. It is headed by Amy Hogan-Burney, formerly of the FBI. Her division keeps an eye on everything. Not without pride, she shows a world map updated in real time with all suspicious movements in cyberspace. On a touch screen, a zoom on France and Paris shows that in the Trocadéro district, where the headquarters of L’Express is located, several business networks are being “approached” by dangerous groups, fortunately well catalogued.

A few steps away in the DCU, a large workroom is protected by glass walls reinforced with a fine metal mesh meant to contain electromagnetic emissions. “This is where we carry out physical analyses of attacks” is all the head of the DCU will say, without giving further details.

The role of Amy Hogan-Burney and her team of around 30 analysts and lawyers is to provide American – but also global – legal authorities with tangible evidence. Since the speed of reaction is a critical element in counter-attacks, Microsoft’s criminal investigations division has created its own circuit to speed up the judicial machine with its appointed magistrate: issuance of warrants, international procedures, seizure of Internet domains, wallets of cryptocurrencies.

Again, the trend does not bode well. On both sides of the Atlantic, experts note that the attacks are becoming more and more sophisticated: not long ago, cyberattack first responders managed to find the encryption key that allowed them to unlock blocked computers; that is no longer the case today. Microsoft estimates that the average company takes 287 days to fully recover from a cyberattack.

Most surprising in the conversations with Microsoft Security executives is the admission of their concern. They claim to still have a technical superiority conferred by their mastery of AI and their unparalleled detection capacity. But experience also shows that technologies relentlessly migrate towards the criminal sphere.
