What has it cost? And who is behind it?
More and more Norwegian companies are experiencing hackers locking their computer systems and demanding large sums of money. Afterwards, huge amounts of internal information are leaked online.
Briefly explained:
- International hacker groups create ransomware viruses that let them encrypt computer systems so that they cannot be used.
- The attacks are usually triggered by users clicking on infected attachments in emails, or by the attackers placing the virus on poorly protected machines.
- In the last three years, this has cost Norwegian companies billions.
- The hackers demand payment in cryptocurrency. But only a few pay.
1. What has happened?
The newspaper group Amedia, the Nordic Choice chain and Nortura are among those affected by ransomware in recent months. Of the 31 incidents NRK Beta has identified over the last three years, as many as 23 took place in 2021.
Østre Toten municipality had a number of its computer systems down for several months in early 2021. The clean-up has cost more than NOK 33 million. In addition, the municipality was fined NOK 4 million by the Norwegian Data Protection Authority for not securing sensitive personal data well enough.
According to the Authority, that fine would have been much higher if the cost of the clean-up had not been so great.
The hackers behind the attack published tens of thousands of internal documents. Among other things, these concerned social services clients and asylum seekers in the municipality. Just before Christmas, another group released several gigabytes of documents about the operation of the hotel chain Nordic Choice.
2. How widespread is the ransomware virus?
It is difficult to put an exact number on it. The National Cyber Security Center at the National Security Authority states that they are not always directly involved in the handling of incidents. They are aware of dozens of incidents in the last year alone. In recent years, there has been a change of pace. There have been more and more cunning and well-executed attacks. The actors understand that this form of digital blackmail can be very lucrative.
3. Is there a large number of unreported cases?
Yes, not everyone wants to disclose this publicly, for various reasons. This may be because they solve the problem themselves, together with their supplier. They may not have realized that the authorities still appreciate being notified so that a better national overview can be obtained.
4. How much has this cost Norwegian companies?
A review by NRK Beta suggests that this may be close to NOK 1 billion in the last three years. For every business that has to deal with such an incident, the cost quickly runs to several million kroner. They must use resources to throw out the attacker and, in the worst case, rebuild their IT systems from scratch. In addition, there are the costs of lost income.
The attack that took place against Hydro in 2019 cost the company NOK 800 million.
5. Who is behind it?
There are many who do this. The most advanced are well-organized criminal groups that operate internationally. They have efficient, well-run organizations. Investigation, which is mostly digital, is complicated across national borders.
6. What is the most common method of attack?
The most common is to attack in one of two ways: either through malicious attachments in emails or via computers that are poorly protected from the Internet. Nordic Choice has stated that the attack against them started through an email with a zip file, which apparently came from a known sender. Inside the zip file were several Excel files.
7. How can you protect yourself?
Good preventive measures cost far less than being exposed to digital blackmail.
It is important to have good backups. These must be stored securely, separate from other systems. The backups are the first thing attackers go after and want to destroy. They do this to make sure that the victim cannot simply recover from the problem.
Whether the attacker wants to steal information, sabotage something or release a ransomware virus, they must first get in. Therefore, measures that make this difficult are important. A recurring theme here is the lack of multi-factor authentication on services that can be logged into from the outside.
There is more advice on the website of the National Security Authority.
8. Does anyone pay a ransom?
The National Cyber Security Center strongly advises against paying ransom. Criminals do this because they make money. Payment is the most important driving force. If the payments cease, the activity will also decrease. Several companies that have paid have experienced being exposed to new attacks afterwards. There is also no guarantee that you will actually get back what you have been promised.
9. How common are mass leaks of documents?
This has almost become standard. The attackers are not just encrypting the data. They also extract it. When they then make their demands, they threaten to publish the information. This gives them a double means of pressure. The information is often business-sensitive, or consists of personal and private details.
Sources: Section Manager Tom-André Røgden, National Cyber Security Center in NSM; Department Director Veronica Jarnskjold Buer, Datatilsynet; NRK Beta.