Language switcher

You are here

Trends and observations in the cyberspace – Q2 2020

A new threat of ransomware attacks: data theft


Although ransomware attacks are no longer talked about as much as in 2017–2018, they have not disappeared. Incidents in recent months confirm that the attackers have made their tactics more brutal: in addition to encrypting data, it is also stolen and threatened to be disclosed. A classic ransomware attack usually had three steps: 1. The attacker installs ransomware on the victim’s computer or server. They increasingly use remote desktop applications with security vulnerabilities or weak or reusable passwords for it. Malware is also distributed in e-mailed files. 2. The ransomware encrypts some of the files on the computers or servers or the hard drives as a whole. After that, the victim can no longer open the files. 3. The attacker demands a ransom for data recovery, i.e. for a decryption key, usually in some cryptocurrency (such as Bitcoin). As organisations have become more aware of the importance of backup and better protect their data, they do not pay the ransom because encrypted data can be recovered without a decryption key. As a result, the perpetrators of the ransom attacks have added a fourth step: during the initial invasion, the data is stolen and the victim is threatened with disclosure if they are not paid. CERT-EE is aware that such a ransomware attack recently struck an international medical institution (not located in Estonia). When the victim refused to pay for the decryption key, the attackers announced that they would disclose the data stolen during the attack and carried out the threat. As a result, sensitive personal data of patients was leaked, such as names, dates of birth, notes on allergies, test results, etc. Data theft complicates and slows down ransomware attacks and increases the likelihood of early detection, but the ability to obtain ransom money also from organisations that use backups has increased the proportion of such attacks. According to the French cybersecurity agency ANSSI, attacks involving data theft and the threat of their disclosure account for almost a quarter of the ransomware attacks known to them.

RIA's assessment

All authorities should assume that, in the event of a ransomware attack, the data on their devices is not only encrypted but also stolen and disclosed as a growing trend. Therefore, backing up data is not enough to combat ransomware attacks. The amounts demanded by the criminals amount to millions of euros. Victims often pay the ransom due to the fear of fines under the European Data Protection Regulation (GDPR), should personal data held by the organisation leak. Criminals are also increasingly referring to fines for GDPR violations to persuade their victims to pay. Backups should certainly continue to be made, but it is no longer possible to defend oneself against ransomware attacks in this way. 

Consequence of the emergency situation: new accounts, old passwords


Due to the emergency situation created to prevent the spread of the COVID-19 pandemic, people were left to work and study at home, which meant that they urgently needed to create a new account on several platforms. In rare cases, they only had to use only a few new services, but in the case of parents of children attending several school levels, we have also heard of dozens of new accounts needed for work and study. Experience has shown that not enough time is devoted to creating the passwords of new accounts, and passwords already in use elsewhere are used (as confirmed by Google’s 2019 US study, which shows that 65% of people use the same password in several or all of their accounts). However, this means that if a password is leaked through one environment, all other accounts with the same password are automatically compromised. However, we see large-scale data leaks constantly and everywhere, from airlines to children’s virtual playrooms. It is probable that as a result of the data leak of the British airline Easyjet in May, the personal and banking information of several Estonian residents was also endangered. Although data theft is quite common, people’s behaviour in cyberspace remains risky – one of the main risks here is the re-use of passwords on different platforms.

RIA's assessment

We emphasise that a strong password is an important part of cyber hygiene, and we encourage everyone to take a moment and make sure their passwords are safe. During the emergency situation, the priority was to adapt to the situation and get used to different online environments. Now, however, people can think about your future internet habits calmly, organise their accounts, and make their use more secure.
The Information System Authority has provided recommendations for creating a secure user account. As many companies accelerated the process of moving their business online in the context of the emergency situation and are selling services through a website, it is also appropriate to review the reminder to the service provider. Both elsewhere in the world and in Estonia, we can see that leaked passwords and stolen data are often not realised immediately, but only after several months, sometimes even later. Therefore, users may not be aware that their user data has been leaked and personal data and accounts may be at risk. In terms of cyber hygiene, it is certainly safer to use a separate password for each account and to use two-step authentication in more important environments with sensitive information. It is possible to use a password manager, i.e. a special software for managing different passwords (there are many of them, but the best known are KeePass, LastPass, or 1Password).

The risk of denial-of-service attacks persists


In April and early May, we saw more denial-of-service (DDoS) attacks against Estonian websites than usual. There were about a dozen of them, lasting from a few minutes to almost a day. The longer attacks took place against two financial companies, as a result of which the use of both companies’ websites was disrupted for customers throughout the working day. Shorter-term attacks took place on the websites of the transport sector, public services, and vital service providers. Although services were quickly restored in the event of the short-term attacks, a half-hour service outage in a widely used e-learning environment, for example, caused quite a lot of inconvenience to nearly ten thousand users during the emergency situation. Although various denial-of-service attacks take place constantly, the attacks in the second quarter caught our attention for two reasons. Firstly, there were more attacks over a short period of time (approximately four weeks) than usual, and as this was also an emergency situation where people used all kinds of e-services more, some attacks also had a greater impact than usual. Secondly, the handwriting of some attacks was similar: HTTP Get queries were made, the attackers had the same or a similar user agent, and the objects of the attacks were popular and important websites in Estonia.

RIA's assessment

In these cases, it is not possible to draw sufficient conclusions about the purpose of the attacks or the attacker, but this shows that the risk of denial-of-service attacks must continue to be taken very seriously. The attacks are usually carried out using either robotic networks (botnets) or networks of compromised devices, and in this wave of attacks, CERT-EE found that in some cases, compromised Miktrotik routers were used around the world (including in Estonia). The compromise could probably have been avoided if the router’s software had been updated in time – this is why we repeat the need to update the software of all devices connected to the Internet regularly. In the world as a whole, the trend of denial-of-service attacks this year seems to be on the rise, both in terms of numbers and impact. In addition to previously known vulnerabilities in both software and hardware, new ones are constantly being discovered through which to perform them. For example, in May, Israeli researchers discovered a vulnerability in the global Domain Name System (DNS) service that could potentially be used to carry out attacks with a very small number of devices with a very high leverage effect.


Going well:

Although the emergency situation that lasted from mid-March to mid-May put a greater strain on both e-service users and service providers, and international cybercriminals were vigilant in exploiting COVID-19, it did not lead to more cyber incidents or incidents with a higher impact than usual for Estonia. We did not have targeted attacks on the medical sector which took place in some European countries, and we were left untouched by COVID-19 scams, which caused great financial damage.

Could be better:

On June 30, support ended for the 1x version of the Magento software, which is a very widely used website and e-shop platform software in Estonia. According to CERT-EE, approximately three of four Estonian e-shops use Magento software, and to continue secure trading, it is necessary to switch to the new version 2x. CERT-EE also sent a respective notification to service providers in May. However, as at the beginning of July, many have not done so, including e-shops that supply food and consumer goods. This means that the customers’ credit card information may be at risk. Because hackers have successfully exploited Magento’s previous security vulnerabilities in other parts of the world, Visa and Mastercard have also raised the issue.


Incidents registered by CERT-EE in 2020


In 2020, Necurs and Avalanche infection reports accounted for 97%
of all robotic network incidents and 43% of all CERT-EE registered incidents.


Less noise, clearer risk picture

We intend to significantly change the way the number of cyber incidents is reflected in the statistics. Starting from July this year, we will stop reporting Avalanche and Necurs infections with robotic networks in the CERT-EE incident list. The Avalanche robot network was shut down as a result of an international police operation in December 2016 (but infections continued later), and Microsoft gained control of the Necurs network in March 2020. Thus, it can be estimated that these two networks are no longer actively threatening cyberspace. Infections with these two networks accounted for about 95% of all incidents with our robotic network in 2017–2019, and as we receive and send these notifications sometimes several times a day, they account for about 60% of all incidents. This does not mean that we will no longer deal with these infections. On the contrary, CERT-EE is sending out more and more notifications about infections of botnets (and other malware). Since the summer of 2019, CERT-EE has sent automated notifications to Estonian telecommunications companies, web service hosts, and institutions managing their own networks about various vulnerable devices/settings in the networks. Automated notifications mean that our servers receive machine-readable information from a trusted source that has built an infrastructure to detect vulnerabilities and infections around the world. Our systems automatically pass the information on to the owners of the networks in the Estonian Internet space. At the moment, CERT-EE receives information on about 3,000 infections a day, which affects more than 700 servers and computers. Some devices have been infected with multiple malware at once.

The more such sources we integrate into our systems, the better the picture of vulnerabilities and infections we can offer to the Estonian IP space customers. At the same time, it also means an increase in the frequency of notifications, the individual coverage of which does not help to clarify the risk picture. For example, from mid-May to mid-June, we have found out and thus notified service providers of 103,000 infections. However, analysing the numbers, we can see that about 86,000 of them were associated with only three IP addresses, and we know of a total of 1,701 different malicious IP addresses. There are many recurrences and many infections are also related to already neutralised malware infrastructure, so these numbers do not provide much clarity in the statistics. The change in the coverage of Avalanche and Necurs infections will initially be reflected in a sharp decline in incidents (estimated at 50–60%), but as a result of the change, our incident statistics will reflect the real risk picture more clearly. We plan to make summaries of robotic networks in the future, but in a different way, showing the trends of infections over a certain period of time and focusing on their dynamics.

More news on the same subject


Are you ready for convenient and carefree e-voting?

E-voting lasts from 11 to 16 October. If you wish to e-vote, you must check the certificates of your ID-card or mobile-ID and use the latest software.


Further explanation of the Information System Authority (RIA) on data theft

30.7.2021 – People whose document photo was illegally downloaded do not have to get a new document or a new photo. The incident has no impact on ID-cards, Mobile-ID, Smart-ID or e-services.