Cyber security: Think like the enemy

Lena Connolly and David S. Wall,

The news out this week is that twenty-two US cities have been targeted so far in 2019 and that 170 county, city, or state government systems have been targeted by ransomware attacks since 2013. This is in addition to attacks on many thousands of corporate businesses. In response, 227 city mayors at the 2019 annual US Conference of Mayors pledged that they will not pay a ransom. The crippling crypto-ransomware attacks upon Baltimore, Lake City and Riviera Beach and various large multi-nationals such as Maersk, illustrate the increasing resilience of cybercriminals to maintain ransomware’s position as a major cybersecurity threat. It also illustrates that Cyber-security professionals need to get more cybercrime savvy about crypto-ransomware.

N.B. Links to The Rise of Crypto-Ransomware in a Changing Cybercrime Landscape

Connolly, A. and Wall, D.S. (2019) ‘Cyber security: Think like the enemy’,Computing , 16th July, https://www.computing.co.uk/ctg/opinion/3078977/cyber-security-think-like-the-enemy

The Rise of Crypto-Ransomware in a Changing Cybercrime Landscape: Taxonomising Countermeasures

A new paper under this title has just been published by Lena Connolly and David Wall in the journal Computers and Security.

Here is a summary of Connolly, A, and Wall, D.S. (2019) ‘The Rise of Crypto-Ransomware in a Changing Cybercrime Landscape: Taxonomising Countermeasures, Computers and Security. Available online, https://doi.org/10.1016/j.cose.2019.101568

Each year the increasing adaptivity of cybercriminals maintains ransomware’s position as a major cybersecurity threat. Evidence of this shift can be seen in its evolution from ‘scareware’ and ‘locker’ scams through to crypto-ransomware attacks. Whereas ‘scareware’ used to bully victims into paying a fee to remove bad files, ‘lockers’ froze the computer until a ransom payment was made for a release code. Crypto-ransomware, in contrast, encrypts the actual data on the victim’s computer until a ransom payment is made (usually in bitcoin) to release it. In more recent malicious cases there is no release key, it is used as an attack weapon to permanently fry and disable the victims’ data, which can be devastating for the organisation involved and even more disastrous if it delivers national infrastructure.

Using primary and secondary empirical sources, this article draws upon candid in-depth interviews with 26 victims, practitioners and policy makers to explore their reactions to the shift in the ransomware landscape. Our research indicates that a subtle ecosystem of social and technical factors makes crypto-ransomware especially harmful, as a consequence there is no simple remedy, no silver bullet, for such a complex threat like crypto-ransomware. The attackers are increasingly doing their homework on organisations before they attack and hence, are extremely adaptive in both delivering their ever-developing ransomware. They are also tailoring their attack vectors to exploit existing weaknesses within organisations. Successful attacks combine scientific and social methods to employ a variety of ‘social’ techniques to get the malware onto the victims operating system. Techniques that include, for example, psychological trickery, profiling staff, exploiting technical shortcomings, areas of neglect by senior management and a shortage of skilled, dedicated and adaptive front-line managers – basically any opportunity available.

Our findings illustrate the nuanced relationship between technological and social aspects of crypto-ransomware and the organisational setting, indicating that a multi-layered approach is required to protect organisations and make them more resilient to ransomware attacks. Attacks, which are increasingly shifting from simple economic crimes of extortion, to disrupting and even destroying organisations and the services they provide. While the cybersecurity industry has responded to progressively serious ransomware threats with a similar degree of adaptiveness to the offenders, they have tended to focus more upon scientific ‘technical’ factors than the ‘non-technical’, social, aspects of ransomware. So, these observations suggest that organisations need to continually improve their security game more frequently and be as adaptive as the criminals in their responses to attacks. In order to achieve this goal, we developed a taxonomy of crypto-ransomware countermeasures that identifies a range of response tools, which arethe socio-technical measures and controls necessary for organisations to implement in order to respond to crypto-ransomware effectively. We then, identified the enablers of change, the groups of employees, such as front-line managers and senior management, who must implement the response tools to ensure the organisation is prepared for cyber-attacks.

Our research findings, therefore, will not only assist Police Officers working in Cybercrime Units in further understanding the perspective of the victims and also the impacts of crypto-ransomware. But, they have important practical implications for IT and Security managers and their organisations more generally (some of which are police). The taxonomy provides a blueprint for systematising security measures to protect organisations against crypto-ransomware attacks. Managers need to select controls appropriate to their specific organisational settings, for example, the ‘business-use only’ of IT resources is necessary in some organisations, such as commercial organisations, while not practical in others such as research institutions. Also, face-to-face security training, for example, may be more possible and effective in smaller organisations than large ones. The taxonomy also underlines the importance of embedding appropriate ‘social’ based controls in organisational cultures rather than simply focus upon technical measures. This is because, as indicated above, inappropriate measures, skills and support led to incidents occurring, some of which were particularly devastating. Furthermore, the taxonomy underlines the crucial role that mid-level managers play in responding to crypto-ransomware threats.

The skills set for competent front-line management also goes beyond being security and IT-savvy, to becoming organisationally adaptive and to think like ‘the enemy’. Security professionals are not only required to be influential mid-level leaders who can change attitudes and behaviours in organisations by cultivating certain cultural traits. They have to understand both cultural factors and human behaviour and express this understanding in practice to succeed in their role. In return, senior management must be IT-competent and be effective in overseeing the IT functions of their organisation. Senior managers represent an important part of the security chain in organisations and need to support the efforts of mid-managers. Ultimately, both levels have to respect each other’s position to work together co-own the problem to co-produce the solution – something that is easy to say but hard to put into practice. Our future plan is to convert the taxonomy into a more user-friendly tool, similar to the Cyber Essentials self-assessment instrument.