We started Module 7 of C1b3rWall Academy 2021/2022 “Incident management. Good practices during a cybercrisis: a study of Ransomware” with a lecture given by Alberto Sánchez del Monte, head of operations at the Cybersecurity Coordination Office. The objective of the lecture was to analyze the impact of cyber-attacks on essential services and critical infrastructures, and specifically those of the ransomware type based on the encryption of information.

The Cybersecurity Coordination Office (OCC) is a body within the General Directorate for Coordination and Studies of the Secretary of State for Security. It is made up of members of the National Police and the Civil Guard. Its headquarters are at the Cybersecurity Technology Center (El Pardo).

Ransomware and frameworks

Ransomware is a type of malware that prevents users from accessing their system or personal files unless a ransom is paid for them.

There are several frameworks that describe the phases of a cyberattack. Among the best known are the Cyber Kill Chain, which consists of seven phases, and the Diamond Model, which considers four different variables. However, the one most commonly used in the OCC is the MITRE ATT&CK framework.

By analyzing the trail left in a cyberattack, it is possible to attribute authorship to a certain group on the basis of their modus operandi.

Essential service

An essential service is one provided through information networks that is necessary for meeting basic social needs: for example, hydroelectric power plants, water purification plants, hospitals, and the like.

NIS Directive

In Europe we are increasingly aware of this type of attack, and in 2016 we welcomed the NIS Directive, which each member state is obliged to transpose into its national legislation and which includes three main points:

  • Identification of operators of essential services in each country (OSE).
  • Supervision of obligations (security scheme).
  • Incident reporting.

In Spain we use the national notification guide. This is a very technical document that follows a homogeneous European taxonomy. It assesses the level of impact and the level of danger of an incident; notification is mandatory once certain thresholds are exceeded, and an initial, intermediate and final notification must be made.

The most targeted sector has been the financial sector, as it handles huge sums of money and is very tempting for cybercriminals. In 2020, attacks on the healthcare sector increased dramatically.

Areas of origin and destination of attacks

It can be seen that a large number of attacks originate from China and focus on financial services. As for Russia, a large number of attacking IPs originate there, also targeting the financial sector. Iran carries out far more sporadic and diversified attacks.

The ransomware-as-a-service model tends to predominate; depending on the organization, the operations may go by different names, yet belong to the same groups.

These groups usually send messages warning victims that they will face serious consequences if they report the crime to the authorities. They usually operate as a cartel, with the top of the pyramid keeping 30-35% of the profits. They are typically located in Russia or China and are IT professionals who have switched to a form of crime they find easy.

Everything that Alberto said was very interesting, but this is just an introduction to all the information he provided in his lecture. I share the link with you so you can watch it.

Posted by Juan M. Corchado

Juan Manuel Corchado (born 15 May 1971, Salamanca, Spain) is a Full Professor at the University of Salamanca. He was Vice-Rector for Research from 2013 to 2017 and Director of the Science Park of the University of Salamanca. Twice elected Dean of the Faculty of Science, he holds a PhD in Computer Science from the University of Salamanca and a PhD in Artificial Intelligence from the University of the West of Scotland. He directs the Recognised Research Group BISITE (Bioinformatics, Intelligent Systems and Educational Technology), founded in 2000. Director of the IOT Digital Innovation Hub and president of the AIR Institute, J. M. Corchado has also been Visiting Professor at the Osaka Institute of Technology since January 2015, Visiting Professor at Universiti Malaysia Kelantan and a Member of the Advisory Group on Online Terrorist Propaganda of the European Counter Terrorism Centre (EUROPOL). J. M. Corchado has been president of the IEEE Systems, Man and Cybernetics association, academic coordinator of the University Research Institute of Art and Animation Technology of the University of Salamanca, and a researcher at the Universities of Paisley (UK) and Vigo (Spain) and at the Plymouth Marine Laboratory (UK). He currently combines all this activity with directing the Master's programmes in Security, Digital Animation, Mobile Telephony, Information Systems Management, Internet of Things, Social Media, 3D Design and Printing, Blockchain, Z System, Industry 4.0, Agile Project Management and Smart Cities & Intelligent Buildings at the University of Salamanca, and with his work as editor-in-chief of the journals ADCAIJ (Advances in Distributed Computing and Artificial Intelligence Journal), OJCST (Oriental Journal of Computer Science and Technology) and Electronics MDPI (Computer Science & Engineering section). J. M. Corchado works mainly on projects related to Artificial Intelligence, Machine Learning, Blockchain, IoT, Fog Computing, Edge Computing, Smart Cities, Smart Grids and Sentiment Analysis.