Ransomware: the hostage-taker of your data

Every week, a new ransomware appears that can paralyse a company's activity in less than a day. Similar to viruses in the way they work, ransomware's aim of extorting money makes it more harmful. To protect yourself, there are a few rules to follow.

The mechanics are classic. One morning, at a lawyer's office, an employee receives an attachment and opens it. Nothing happens. At the end of the morning, a user complains to support that he can't access his files. Support identifies the source of the malfunction: a cryptolocker called Locky. The company finds itself frozen by an IT failure. The IT department tries to unblock the paralysed servers by decrypting each file and restarting the business. All that remains is to call the CERT to try to find out the source of the infection.

Bitcoin as a facilitator

This story, told by Luc Roudé of Intrinsec, is a real one, and is echoed almost every week by companies and individuals. The cause is the now infamous ransomware, a kind of pseudo virus designed to encrypt information held by companies or individuals. The encryption is removed in return for a "ransom" paid in Bitcoins to a temporary address. "Attacks are multiplying and are made easier with the advent of Bitcoin," explains Luc Roudé. The ease of use and lack of traceability of this virtual currency have accelerated the development of this new type of attack. While most of the time the sums demanded are "small" and the payment procedure is well established, other times the attacks are more dangerous, such as the one suffered by a Los Angeles hospital last February, which was forced to pay $17,000 to unblock its computer system.

Rapid evolution of ransomware

From a technical point of view, all ransomware works in much the same way, yet no two strains are identical. They evolve very quickly, and there are many variations in how they slip through the cracks of antivirus software. With 30 new families in 2015 and already 15 since the start of 2016, the number of attacks and programmes is multiplying, as are the points of contagion. The most common is an attachment, often a CV or an invoice from a supposedly trustworthy sender, sent to a functional mailbox such as contact@entreprise.fr or rh@entreprise.fr. Once the document is opened, editing it activates a "macro" that executes the encryption program. In addition to attachments, these cryptolockers can also be transmitted via an institutional website or a website considered trustworthy. "Another important vector is what is known as 'drive-by download'. A user goes to a news site that has been attacked, either directly or via its advertising network. In this case, it's the site itself that spreads the virus," explains Luc Roudé. Recently, the Pathé.fr website fell victim to this type of virus.

[Image: screenshot of a ransom note] In the event of a ransom demand, the payment procedure is explained step by step.

Identify patient zero

Once the ransomware is activated, it takes between one and three days on average to eradicate it. The aim is to find patient zero: to trace, from a logical point of view, where the ransomware went in order to execute. Most of the time, an email is the source of the contagion. Then you need to find out who is behind it, who is affected, and whether or not the attachment was opened and by whom. In a standard case, it takes a few hours to identify the source. The work consists of analysing the malicious programme, tracking down the contaminated IP addresses and, above all, working with the systems supervision team to check that no e-mail has been forwarded, in order to prevent the infection from spreading widely across the organisation and to third parties.
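As an added illustration of the patient-zero search described above (example code, not from the article or from Intrinsec), the following Python takes constructed mail-gateway log lines and finds the first recipient of a given attachment hash, which internal users forwarded it on, and whether it left the organisation. The log format, the domain entreprise.fr, the addresses and the hash values are all assumptions.

```python
"""Locate patient zero for a malicious attachment in mail-gateway logs.

Constructed example for the 'identify patient zero' step: the log format,
addresses, domain and hash values below are invented for illustration.
"""
from datetime import datetime

# Constructed gateway log, one delivery per line:
# <ISO timestamp> from=<sender> to=<recipient> file=<name> sha256=<hash>
MAIL_LOG = """\
2016-03-14T08:02:11 from=billing@example-supplier.test to=contact@entreprise.fr file=invoice_4471.doc sha256=PLACEHOLDER_HASH_A
2016-03-14T08:05:40 from=newsletter@example-news.test to=rh@entreprise.fr file=weekly.pdf sha256=PLACEHOLDER_HASH_B
2016-03-14T08:31:05 from=contact@entreprise.fr to=alice@entreprise.fr file=invoice_4471.doc sha256=PLACEHOLDER_HASH_A
2016-03-14T09:12:53 from=alice@entreprise.fr to=bob@entreprise.fr file=invoice_4471.doc sha256=PLACEHOLDER_HASH_A
2016-03-14T09:40:00 from=alice@entreprise.fr to=partner@example-client.test file=invoice_4471.doc sha256=PLACEHOLDER_HASH_A
"""

INTERNAL_DOMAIN = "entreprise.fr"  # assumed domain of the affected organisation


def parse_log(text):
    """Parse log lines into dicts with a datetime 'ts'; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # malformed line: ignore rather than abort the investigation
        fields = dict(p.split("=", 1) for p in parts[1:])
        fields["ts"] = datetime.fromisoformat(parts[0])
        events.append(fields)
    return events


def trace_attachment(events, bad_hash):
    """Return (patient_zero, forwarders, internal_recipients, external_recipients).

    patient_zero is the earliest recipient of the attachment; forwarders are the
    internal senders who passed it on; external_recipients show leakage to third parties.
    """
    hits = sorted((e for e in events if e["sha256"] == bad_hash), key=lambda e: e["ts"])
    if not hits:
        return None, [], [], []
    patient_zero = hits[0]["to"]
    forwarders, internal, external = [], [], []
    for e in hits:
        if e["from"].endswith("@" + INTERNAL_DOMAIN) and e["from"] not in forwarders:
            forwarders.append(e["from"])
        (internal if e["to"].endswith("@" + INTERNAL_DOMAIN) else external).append(e["to"])
    return patient_zero, forwarders, internal, external


if __name__ == "__main__":
    print(trace_attachment(parse_log(MAIL_LOG), "PLACEHOLDER_HASH_A"))
```

In practice the hash would come from the analysis of the malicious attachment and the log from the mail gateway, so the same logic runs over real data once the fields are mapped.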

Prevention: offline back-ups and organisational awareness-raising

Preventing this type of attack starts, of course, with a backup infrastructure and associated processes. Backups must be offline and tested regularly. An obvious but always necessary reminder. Cases where the activation of the backup requires part of the IS to be blocked are not uncommon. As far as the response is concerned, the scenario is similar to a service continuity plan, with the IS being restarted via the backups.

To counter viruses, apart from prohibiting the activation of macros, there is no need to revolutionise the security plan. Ransomware does not seek to exploit vulnerabilities or replicate itself, and encrypting files on volumes is effective in itself. However, the encryption itself can pose a real problem, as Luc Roudé explains: "Of all the families of ransomware, some are poorly designed. This makes it possible to recover files without paying the ransom. But these are marginal cases, because most of the time it's impossible to counter them. They use AES to encrypt files and an RSA key to protect the encryption. On average, less than 10% of ransomware volumes are decryptable."

A predominantly organisational aspect

"The faster the response, the more damage we can limit," explains Jean-Raphaël Frydman, security consultant at Intrinsec. Feedback is an important point. The user is the company's best probe. On the other hand, employees need to be taught the right reflexes and awareness campaigns need to be conducted. When we carry out phishing exercises, which involve sending fake e-mails from the IT or human resources departments to users, for example, we see a real change in user behaviour, as they gradually become able to detect increasingly targeted malicious messages.

This awareness also provides a lever to facilitate change management. Indeed, blocking attachments can have an organisational impact and be badly perceived if the introduction of this type of restrictive measure does not respond to a risk that is understood by everyone. Finally, incident management involves notifying support and possibly calling in an external service provider with end-to-end expertise in managing this type of attack. "A company that is the victim of malicious software can find itself in a crisis situation. Operating losses can run into the hundreds of thousands of euros, putting the company at risk. As well as crisis management, it's not unreasonable to lodge a complaint to report the problem, even if the chances of success are virtually nil today."

Source and information

The case of the Los Angeles hospital

Awareness and best practice sheet offered by the Intrinsec Incident Response Centre

Symantec measures the growth of ransomware
