A new paper under this title has just been published by Lena Connolly and David Wall in the journal Computers and Security.
Here is a summary of Connolly, L.Y. and Wall, D.S. (2019) ‘The Rise of Crypto-Ransomware in a Changing Cybercrime Landscape: Taxonomising Countermeasures’, Computers and Security. Available online, https://doi.org/10.1016/j.cose.2019.101568
Each year the increasing adaptivity of cybercriminals maintains ransomware’s position as a major cybersecurity threat. Evidence of this adaptivity can be seen in ransomware’s evolution from ‘scareware’ and ‘locker’ scams through to crypto-ransomware attacks. Whereas ‘scareware’ bullied victims into paying a fee to remove supposedly malicious files, ‘lockers’ froze the computer until a ransom was paid for a release code. Crypto-ransomware, in contrast, encrypts the actual data on the victim’s computer until a ransom payment is made (usually in bitcoin) for the key that releases it. In more recent malicious cases there is no release key at all: the ransomware is used as an attack weapon to permanently destroy the victim’s data, which can be devastating for the organisation involved and even more disastrous if that organisation delivers national infrastructure.
Using primary and secondary empirical sources, this article draws upon candid in-depth interviews with 26 victims, practitioners and policy makers to explore their reactions to the shift in the ransomware landscape. Our research indicates that a subtle ecosystem of social and technical factors makes crypto-ransomware especially harmful; as a consequence there is no simple remedy, no silver bullet, for a threat as complex as crypto-ransomware. The attackers are increasingly doing their homework on organisations before they attack and are therefore extremely adaptive in both developing and delivering their ransomware. They also tailor their attack vectors to exploit existing weaknesses within organisations. Successful attacks combine scientific (‘technical’) and social methods, employing a variety of ‘social’ techniques to get the malware onto the victim’s systems: for example, psychological trickery, profiling of staff, and exploitation of technical shortcomings, of areas neglected by senior management, and of a shortage of skilled, dedicated and adaptive front-line managers; basically any opportunity available.
Our findings illustrate the nuanced relationship between the technological and social aspects of crypto-ransomware and the organisational setting, indicating that a multi-layered approach is required to protect organisations and make them more resilient to ransomware attacks, attacks which are increasingly shifting from simple economic crimes of extortion to disrupting and even destroying organisations and the services they provide. While the cybersecurity industry has responded to progressively serious ransomware threats with a degree of adaptiveness similar to that of the offenders, it has tended to focus more upon scientific ‘technical’ factors than upon the ‘non-technical’, social, aspects of ransomware. These observations suggest that organisations need to continually improve their security game and be as adaptive as the criminals in their responses to attacks. To achieve this goal, we developed a taxonomy of crypto-ransomware countermeasures that identifies a range of response tools: the socio-technical measures and controls that organisations must implement in order to respond to crypto-ransomware effectively. We then identified the enablers of change, the groups of employees, such as front-line managers and senior management, who must implement the response tools to ensure the organisation is prepared for cyber-attacks.
Our research findings, therefore, will not only assist police officers working in cybercrime units in further understanding the perspective of the victims and the impacts of crypto-ransomware; they also have important practical implications for IT and security managers and their organisations more generally (some of which are police forces). The taxonomy provides a blueprint for systematising security measures to protect organisations against crypto-ransomware attacks. Managers need to select controls appropriate to their specific organisational settings: for example, restricting IT resources to ‘business use only’ is necessary in some organisations, such as commercial ones, while impractical in others, such as research institutions; likewise, face-to-face security training may be more feasible and effective in smaller organisations than in large ones. The taxonomy also underlines the importance of embedding appropriate ‘social’ controls in organisational cultures rather than simply focusing upon technical measures. This is because, as indicated above, inappropriate measures, skills and support led to incidents occurring, some of which were particularly devastating. Furthermore, the taxonomy underlines the crucial role that mid-level managers play in responding to crypto-ransomware threats.
The skill set for competent front-line management also goes beyond being security- and IT-savvy, to being organisationally adaptive and able to think like ‘the enemy’. Security professionals are required not only to be influential mid-level leaders who can change attitudes and behaviours in organisations by cultivating certain cultural traits; they also have to understand both cultural factors and human behaviour and express this understanding in practice to succeed in their role. In return, senior management must be IT-competent and effective in overseeing the IT functions of their organisation. Senior managers represent an important part of the security chain in organisations and need to support the efforts of mid-level managers. Ultimately, both levels have to respect each other’s position, work together, co-own the problem and co-produce the solution, something that is easy to say but hard to put into practice. Our future plan is to convert the taxonomy into a more user-friendly tool, similar to the Cyber Essentials self-assessment instrument.