(Reverse) Double Jeopardy: Are Universities as Modern Complex Organisations becoming the New Target for Cybercriminals and Spies?

David S. Wall, Cybercrime Group, Centre for Criminal Justice Studies, University of Leeds, UK. <d.s.wall@leeds.ac.uk> 16 September 2020

Recent attacks on both Newcastle universities and on others in the UK, during their attempts to recover from the Covid-19 lockdown, have highlighted how exposed the university sector is to cyberattacks. They are particularly vulnerable to ransomware, which encrypts operating systems and steals data before extorting a ransom payment to return the system to normal.

An analysis of a database of over 1650 attacks illustrates the modern cybercrime problem (EPSRC EP/M020576/1 / EP/P011772/1). It shows that there has been a surprising decline in attacks on the public sector this year during lockdown, especially healthcare. Yet there has been a marked rise in attacks on the private sector. Interestingly, the analysis also indicates an increase in attacks upon large and complex businesses, which include Universities.

The graph below shows how attacks on larger organisations (multiples) have scaled their impact up and down the supply chain. They not only directly affect their clients, but also their clients’ clients. We conservatively estimate that on average each attack impacts upon about 15 client organisations, and in some cases many more.

Universities’ uniqueness exposes them to attack

Whilst Universities may operate on not-for-profit lines, they are still large, complex business organisations, often with turnovers of £0.75 billion or more, so they are very attractive to economically motivated cybercriminals. University computer systems not only hold important trade secrets, which include research findings on Covid-19 vaccines amongst large amounts of other research data, but also important staff and student personal data, including exam results. So they are attractive to both economic criminals and spies. Furthermore, modern Universities are wholly dependent upon their IT systems to operate, so disruption to those systems is economically damaging, which increases the leverage to pay the ransom when attacked. Their systems also have to be accessible quite deeply to staff and students, both locally and remotely.

Not only are Universities direct primary targets for attackers, but they also become secondary victims when their outsourced service suppliers are attacked. In May 2020 cloud computing provider Blackbaud was attacked by ransomware, and its many hundreds of clients (over 125 UK universities and NGOs and hundreds more worldwide) became secondary victims when their data, stored by Blackbaud, was potentially compromised.

A new generation of cybercrime

Ransomware attacks, such as this month’s Doppelpaymer attack on Newcastle, represent a new generation of cyberattacks. Since the second half of 2019, ransomware groups (including Doppelpaymer, which evolved from BitPaymer) have added the fear tactic of ‘naming and shaming’ (a reverse double jeopardy, or bis in idem). The previous generation of ransomware relied on ‘spray and pray’ tactics, e.g. emailing millions of users with juicy subject lines in the expectation that a few would reply or open attachments and, in so doing, infect their computers. The new generation of attacks is the result of careful research and planning by criminals and the targeting of senior managers to obtain their access. The new generation is strategically different from the old one.

Using stolen (or bought) login details, attackers enter the victim’s computing system and copy key organisational data before encrypting it. Reports suggest that attackers could have been in the system for a year to prepare the ground for the attack. In the past year they have also adopted a new tactic of publishing the victim’s name on a website that they control, along with some proof of attack. By publicly ‘naming and shaming’ victims, attackers can leverage the extortion of the ransom payment. Furthermore, attackers very often demand a ransom (sometimes in the £millions) which, if not paid (in Bitcoin) within a set period (such as 7 days), is doubled, with more data published. Some ransomware gangs ask for two ransoms: one for the decryption key to make the system work again and another to delete the sensitive data stolen. They may even be prepared to negotiate down the final ransom amount to match the victim’s budget.

Protecting Universities

The question arises as to how Universities can protect themselves. Because of their known vulnerabilities, Universities already undertake many additional measures to prevent attacks; for example, their attack-prevention software repels millions of phishing attacks each month and stops malicious software entering their systems. Of course, being public bodies in the UK, they are also protected by the NCSC and the policing agencies.

The main problem lies in new and novel forms of attack, such as the Newcastle case, where the attackers entered the system and moved around it for some time preparing their eventual attack. Universities certainly manage their access account systems more effectively than before, but perhaps not effectively enough. They also rigorously keep data backups. But backups do not necessarily get the operating system running again if it is damaged. The experience of many victims who have not paid the ransom is that they effectively had to pay for an entirely new IT system plus additional protection.

Should, then, victims ever pay ransom money to hackers?

Paying the ransom is not only frowned upon by policing agencies; it is morally wrong and also feeds crime, thus encouraging criminals. Plus, there is not always a guarantee of a full return of data, despite assurances. But victims often face two dilemmas (in fact another double jeopardy, perhaps). The first is that paying the ransom can generally be much cheaper than not paying and having to reconstruct the entire system. The second is that the decision may be out of their hands, as cyber-insurance companies often insist on paying and may even employ their own negotiators, with the knock-on effect that ransomware payments have risen.

The truth is that Universities are not unique: like nearly all modern organisations which rely upon IT to operate, they regularly experience cyberattacks – to the point that university IT security staff are known to joke that DDoS attacks predictably increase during exam times. But the sobering fact of the modern age is that we are generally witnessing an increase in both the prevalence and the enormity of cyberattacks via ransomware. In fact, any organisation that depends upon its IT systems to operate is vulnerable. In many ways the Newcastle Universities were simply unlucky in the lottery of cybervictimisation; however, they also have qualities, such as their openness by nature of their constitution, that leave them vulnerable.

The lesson from this and other recent ransomware attacks is to treat security like an arms race, which means that security resources have to be applied, employing more staff who have up-to-date skills in the field, as the relevant IT skill sets change rapidly and the criminals become more skilled and practised themselves. Any response has to be one step ahead of the continually shifting attack space, not alongside it.

Originally published as Wall, D.S. (2020) ‘Double Jeopardy: Are Universities becoming the New Target for Cybercriminals and Spies?’, Computing, 11 Sept, https://www.computing.co.uk/opinion/4020075/double-jeopardy-universities-target-cybercriminals-spies (n.b. requires login) (this version contains additional information and links)

New paper: A Roadmap for Improving the Impact of Anti-Ransomware Research

A new paper on anti-ransomware research from the team at the University of Kent is now published:

Jamie Pont, Osama Abu Oun, Calvin Brierley, Budi Arief, Julio Hernandez-Castro, “A Roadmap for Improving the Impact of Anti-Ransomware Research”, In: A. Askarov, R. Hansen, W. Rafnsson (eds) Secure IT Systems, NordSec 2019, Lecture Notes in Computer Science, vol 11875, Springer, Cham, pp. 137-154, 2019.

The pdf of the paper (authors’ manuscript) is available at https://www.cs.kent.ac.uk/people/staff/ba284/Papers/NordSec2019.pdf.

The full proceedings of the conference can be downloaded for free within the next four weeks from the conference website: https://nordsec2019.cs.aau.dk.

Is ransomware driving up the price of Bitcoin?

By Jareth, Emsisoft Blog

(n.b.) Ed Cartwright and David Wall are cited in the following article.

Cybercriminals may be partially responsible for driving up the price of Bitcoin. It’s no secret that Bitcoin and other cryptocurrencies have had an enabling effect on cybercrime. Now, we believe the inverse may also be true – that cybercrime, and ransomware in particular, is helping stimulate the cryptocurrency economy and inflating the value of Bitcoin.

Bitcoin: a key part of the ransomware model

Bitcoin has proven to be a tempestuous creature, climbing to an all-time high value of almost $20,000 in December 2017, dropping to below $3,500 in January 2019 and bouncing back to around the $10,000 mark today. While there are many factors behind these extreme fluctuations, we believe ransomware may be fueling the growth of Bitcoin. Ransomware is a type of malware that encrypts a victim’s files. To regain access to the files, the victim has to pay a ransom, the cost of which can range from a few hundred dollars for home users, to hundreds of thousands of dollars for major corporations and public entities. The ransom is usually paid in cryptocurrency, and that cryptocurrency is usually Bitcoin. Bitcoin accounted for about 98 percent of ransomware payments made in the first quarter of 2019, according to figures from ransomware recovery specialists Coveware. As a result, Bitcoin has become an inextricable part of the ransomware model. . . . cont . . .

Please click here for the full article https://blog.emsisoft.com/en/33977/is-ransomware-driving-up-the-price-of-bitcoin/

Ransomware attacks on cities are rising – authorities must stop paying out

David S. Wall, University of Leeds

A ransomware campaign that targeted 23 US cities across Texas has raised serious concerns about the vulnerability of local governments and public services to cyber-attacks. These events come not long after similar attacks on governmental and business organisations in Indiana, Florida and elsewhere. They reflect a general shift in ransomware tactics from “spray and pray” attacks on large numbers of individual consumers, to “big game hunting”, which targets organisations, usually through people in positions of power.

A recent report from cyber-security firm Malwarebytes found a 363% increase in ransomware detections against businesses and organisations (as opposed to individuals) from 2018 to 2019. Put simply, cyber-criminals see an opportunity to extort far more money from organisations than individuals. Although the majority of ransomware attacks were found to occur in the US, local governments around the world are equally vulnerable.

Ransomware usually spreads via phishing emails or links to infected websites, relying on human error to gain access to systems. As its name suggests, ransomware is designed to block access to data, systems or services until a ransom is paid. At a technical level, cities tend to be fairly easy targets because they often have bespoke operating systems, with parts that are old and out-of-date, as well as ineffective back-up measures.

Cities also tend to lack system-wide security policies, so if cyber-criminals gain entry through one system, they can then access others and wreak havoc by freezing essential data and preventing the delivery of services. But even if organisations have improved their technical security, my research with my colleague Lena Connolly has found that few put equal emphasis on training employees to identify and resist attacks.

Target acquired

Employees in many small and medium-sized organisations, like local governments, often do not recognise their organisation’s true commercial value to criminals, and commonly think they are unlikely to be targeted. As a result, they might also develop bad habits – such as using work systems for personal reasons – which can increase vulnerability.

Offenders will do their homework before launching an attack, in order to create the most severe disruption they possibly can. After all, the greater the pressure to pay the ransom, the higher they can set the tariff.

Held to ransom. Shutterstock.

Attackers identify key individuals to target and seek out vulnerabilities such as computers which have been left switched on outside of working hours, or have not been updated. Once they’ve worked out who to target, cyber-criminals deploy “social engineering” techniques, such as phishing, which psychologically manipulate victims into opening an email attachment or clicking on a link, which allows the ransomware programme into the organisation’s operating system.

To pay or not to pay?

Whether or not to pay the ransom is not a straightforward decision for city authorities with vital public services on the line. Most policing agencies instruct victims not to pay, but as Mayor Stephen Witt of Lake City, Florida, put it after his ward was targeted:

With your heart, you really don’t want to pay these guys. But, dollars and cents, representing the citizens, that was the right thing to do.

Another problem is that ransomware is not always deployed to extort money – so paying the ransom doesn’t guarantee that data will be restored. Attackers can have varying motives, skills and resources – working out their motive (often with very little information) is therefore crucial.

Rather than simply making money using ransomware, some cyber-criminals might seek to disable market competitors who provide competing goods or services. Or, they may use the attacks for political gain, to reduce public confidence in a local government’s ability to deliver essential services. In such cases, the data is unlikely ever to be restored, even if the ransom is paid.

Seeking cover

Many cities are insured against attacks, and insurers often pay the ransom to retrieve stolen data – sometimes employing third party negotiators, against national advice. Ironically, the knowledge that cyber-criminals are likely to get paid justifies the time they spend researching their target’s weaknesses, and leaves the door open for repeat attacks. This was one of the reasons why cyber-criminals changed tactics and started targeting organisations in the first place.

This leaves city authorities a difficult choice, between paying to restore essential data and services (and encouraging cybercriminals) or admitting their systems have been compromised and facing up to social and political backlash. Even so, there are some measures city authorities can take to protect themselves, and their citizens, from ransomware.

Today, authorities need to assume that it’s a matter of when – not if – an attack will happen. They should install backup systems for protected data that have the capacity to replace infected operating systems and databases if need be. For example, in the UK, research found that 27% of local government organisations were targets of ransomware in 2017. Yet 70% of their 430 respondents had backup systems in place, in preparation for the EU’s General Data Protection Regulation (GDPR), and could therefore recover from a ransomware attack much faster than their counterparts in the US.

Local authorities need to separate their data systems where possible and install appropriate levels of security. They also need to train employees about the nature of the threat and the impacts of their own actions when working within the organisation’s systems. They should also be aware of international schemes to prevent and mitigate ransomware (such as nomoreransom.org) – which provide advice and publish the keys to some ransomware online.

Public organisations must be able to think quickly and adapt to these new security threats – especially since cyber-criminals are always coming up with new techniques. Local governments need to be prepared to simultaneously prevent cyber-attacks, mitigate their effects when they do happen and bring cyber-criminals to justice.

David S. Wall, Professor of Criminology, University of Leeds

This article is republished from The Conversation under a Creative Commons license. Read the original article.

‘Ransomware Preys On All Aspects of Our Social, Economic, Political, Even Sexual Lives’

David Wall talked to Radio Sputnik about the problem of ransomware and the successes of the ‘No More Ransom’ project. Run by a collaboration of cybersecurity organisations (including Europol), nomoreransom.org offers advice and software to recover computer files encrypted by ransomware and is claimed to have saved over 200,000 victims up to £86 million ($108 million).

Cyber security: Think like the enemy

Lena Connolly and David S. Wall,

The news out this week is that twenty-two US cities have been targeted so far in 2019 and that 170 county, city or state government systems have been targeted by ransomware attacks since 2013. This is in addition to attacks on many thousands of corporate businesses. In response, 227 city mayors at the 2019 annual US Conference of Mayors pledged that they will not pay a ransom. The crippling crypto-ransomware attacks upon Baltimore, Lake City and Riviera Beach, and upon various large multinationals such as Maersk, illustrate the increasing resilience of cybercriminals in maintaining ransomware’s position as a major cybersecurity threat. They also illustrate that cyber-security professionals need to get more cybercrime-savvy about crypto-ransomware.

N.B. Links to The Rise of Crypto-Ransomware in a Changing Cybercrime Landscape

Connolly, A. and Wall, D.S. (2019) ‘Cyber security: Think like the enemy’, Computing, 16th July, https://www.computing.co.uk/ctg/opinion/3078977/cyber-security-think-like-the-enemy

The Rise of Crypto-Ransomware in a Changing Cybercrime Landscape: Taxonomising Countermeasures

A new paper under this title has just been published by Lena Connolly and David Wall in the journal Computers and Security.

Here is a summary of Connolly, A. and Wall, D.S. (2019) ‘The Rise of Crypto-Ransomware in a Changing Cybercrime Landscape: Taxonomising Countermeasures’, Computers and Security. Available online: https://doi.org/10.1016/j.cose.2019.101568

Each year the increasing adaptivity of cybercriminals maintains ransomware’s position as a major cybersecurity threat. Evidence of this shift can be seen in its evolution from ‘scareware’ and ‘locker’ scams through to crypto-ransomware attacks. Whereas ‘scareware’ used to bully victims into paying a fee to remove bad files, ‘lockers’ froze the computer until a ransom payment was made for a release code. Crypto-ransomware, in contrast, encrypts the actual data on the victim’s computer until a ransom payment is made (usually in bitcoin) to release it. In more recent malicious cases there is no release key; the ransomware is used as an attack weapon to permanently fry and disable the victims’ data, which can be devastating for the organisation involved and even more disastrous if it delivers national infrastructure.

Using primary and secondary empirical sources, this article draws upon candid in-depth interviews with 26 victims, practitioners and policy makers to explore their reactions to the shift in the ransomware landscape. Our research indicates that a subtle ecosystem of social and technical factors makes crypto-ransomware especially harmful; as a consequence there is no simple remedy, no silver bullet, for such a complex threat. The attackers are increasingly doing their homework on organisations before they attack and hence are extremely adaptive in delivering their ever-developing ransomware. They are also tailoring their attack vectors to exploit existing weaknesses within organisations. Successful attacks combine scientific and social methods, employing a variety of ‘social’ techniques to get the malware onto the victim’s operating system: for example, psychological trickery, profiling staff, exploiting technical shortcomings, areas of neglect by senior management and a shortage of skilled, dedicated and adaptive front-line managers – basically any opportunity available.

Our findings illustrate the nuanced relationship between the technological and social aspects of crypto-ransomware and the organisational setting, indicating that a multi-layered approach is required to protect organisations and make them more resilient to ransomware attacks, which are increasingly shifting from simple economic crimes of extortion to disrupting and even destroying organisations and the services they provide. While the cybersecurity industry has responded to progressively serious ransomware threats with a similar degree of adaptiveness to the offenders, it has tended to focus more upon scientific ‘technical’ factors than the ‘non-technical’, social, aspects of ransomware. So these observations suggest that organisations need to continually improve their security game and be as adaptive as the criminals in their responses to attacks. In order to achieve this goal, we developed a taxonomy of crypto-ransomware countermeasures that identifies a range of response tools, which are the socio-technical measures and controls organisations need to implement in order to respond to crypto-ransomware effectively. We then identified the enablers of change, the groups of employees, such as front-line managers and senior management, who must implement the response tools to ensure the organisation is prepared for cyber-attacks.

Our research findings will therefore not only assist police officers working in cybercrime units in further understanding the perspective of the victims and the impacts of crypto-ransomware, but also have important practical implications for IT and security managers and their organisations more generally (some of which are police). The taxonomy provides a blueprint for systematising security measures to protect organisations against crypto-ransomware attacks. Managers need to select controls appropriate to their specific organisational settings: for example, the ‘business-use only’ of IT resources is necessary in some organisations, such as commercial organisations, while not practical in others, such as research institutions. Also, face-to-face security training, for example, may be more feasible and effective in smaller organisations than large ones. The taxonomy also underlines the importance of embedding appropriate ‘social’ controls in organisational cultures rather than simply focusing upon technical measures. This is because, as indicated above, inappropriate measures, skills and support led to incidents occurring, some of which were particularly devastating. Furthermore, the taxonomy underlines the crucial role that mid-level managers play in responding to crypto-ransomware threats.

The skill set for competent front-line management also goes beyond being security- and IT-savvy, to becoming organisationally adaptive and thinking like ‘the enemy’. Security professionals are required not only to be influential mid-level leaders who can change attitudes and behaviours in organisations by cultivating certain cultural traits; they also have to understand both cultural factors and human behaviour and express this understanding in practice to succeed in their role. In return, senior management must be IT-competent and effective in overseeing the IT functions of their organisation. Senior managers represent an important part of the security chain in organisations and need to support the efforts of mid-level managers. Ultimately, both levels have to respect each other’s position, work together, co-own the problem and co-produce the solution – something that is easy to say but hard to put into practice. Our future plan is to convert the taxonomy into a more user-friendly tool, similar to the Cyber Essentials self-assessment instrument.

Hackers are making personalised ransomware to target the most profitable and vulnerable

Andrey Popov/Shutterstock

Lena Connolly, University of Leeds and David Wall, University of Leeds

Once a piece of ransomware has got hold of your valuable information, there is very little you can do to get it back other than accede to the attacker’s demands. Ransomware, a type of malware that holds a computer to ransom, has become particularly prevalent in the past few years and virtually unbreakable encryption has made it an even more powerful force.

Ransomware is typically delivered by powerful botnets used to send out millions of malicious emails to randomly targeted victims. These aim to extort relatively small amounts of money (normally £300-£500, but more in recent times) from as many victims as possible. But according to police officers we have interviewed from UK cybercrime units, ransomware attacks are becoming increasingly targeted at high-value victims. These are usually businesses that can afford to pay very large sums of money, up to £1,000,000 to get their data back.

In 2017 and 2018 there was a rise in such targeted ransomware attacks on UK businesses. Attackers increasingly use software to search for vulnerable computers and servers and then use various techniques to penetrate them. Most commonly, perpetrators use brute force attacks (using software to repeatedly try different passwords to find the right one), often on systems that let you operate computers remotely.

If the attackers gain access, they will try to infect other machines on the network and gather essential information about the company’s business operations, IT infrastructure and further potential vulnerabilities. These vulnerabilities can include when networks are not effectively segregated into different parts, or are not designed in a way that makes them easy to monitor (network visibility), or have weak administration passwords.

They then upload the ransomware, which encrypts valuable data and sends a ransom note. Using information such as the firm’s size, turnover and profits, the attackers will then estimate the amount the company can afford and tailor their ransom demand accordingly. Payment is typically requested in cryptocurrency and usually between 35 and 100 bitcoins (value at time of publication £100,000–£288,000).

Personalised attacks often target financial employees. 2p2play/Shutterstock

According to the police officers we spoke to, another popular attack method is “spear phishing” or “big game hunting”. This involves researching specific people who handle finances in a company and sending them an email that pretends to be from another employee. The email will fabricate a story that encourages the recipient to open an attachment, normally a Word or Excel document containing malicious code.

These kinds of targeted attacks are typically carried out by professional groups solely motivated by profit, though some attacks seek to disrupt businesses or infrastructure. These criminal groups are highly organised and their activities constantly evolve. They are methodical, meticulous and creative in extorting money.

For example, traditional ransomware attacks ask for a fixed amount as part of an initial intimidating message, sometimes accompanied by a countdown clock. But in more targeted attacks, perpetrators typically drop a “proof of life” file onto the victim’s computer to demonstrate that they control the data. They will also send contact and payment details for release of the data, but also open up a tough negotiation process, which is sometimes automated, to extract as much money as possible.

According to the police, the criminals usually prefer to target fully-digitised businesses that rely highly on IT and data. They tend to favour small and medium-sized companies and avoid large corporations that have more advanced security. Big firms are also more likely to attract media attention, which could lead to increased police interest and significant disruptions to the criminal operations.

How to protect yourself

So what can be done to fight back against these attacks? Our work is part of the multi-university research project EMPHASIS, which studies the economic, social and psychological impact of ransomware. (As yet unpublished) data collected by EMPHASIS indicates that weak cybersecurity in the affected organisations is the main reason why cybercriminals have been so successful in extorting money from them.

One way to improve this situation would be to better protect remote computer access. This could be done by disabling the system when it’s not in use, and using stronger passwords and two-step authentication (when a second, specially generated code is needed to login alongside a password). Or alternatively switching to a virtual private network, which connects machines via the internet as if they were in a private network.
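The brute-force guessing against remote-access systems described in the previous section is visible in ordinary authentication logs well before the attackers get in, so the protective steps above should be paired with detection. The following is an added Python example, not code from the authors or from the EMPHASIS project: it scans sshd-style "Failed/Accepted password" lines for a burst of failures from one source, records whether a login succeeded after the burst, and turns the findings into first-response actions. The log lines, hostname, PIDs and IP addresses are all constructed.

```python
"""Spot password brute-forcing against a remote-access service in its auth log.

Added illustration for the attack and the mitigation discussed above; it is not code
from the authors or from the EMPHASIS project. Log lines use OpenSSH's
"Failed/Accepted password" wording; hostnames, PIDs and addresses are constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample entries. 203.0.113.0/24 and 198.51.100.0/24 are documentation
# ranges. The first source guesses several accounts in quick succession and then
# succeeds; the second is an ordinary user who mistypes a password once.
SAMPLE_LOG = """\
Mar 15 09:00:01 gw sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 5521 ssh2
Mar 15 09:00:03 gw sshd[2202]: Failed password for invalid user admin from 203.0.113.7 port 5522 ssh2
Mar 15 09:00:04 gw sshd[2203]: Failed password for root from 203.0.113.7 port 5523 ssh2
Mar 15 09:00:06 gw sshd[2204]: Failed password for invalid user test from 203.0.113.7 port 5524 ssh2
Mar 15 09:00:07 gw sshd[2205]: Failed password for root from 203.0.113.7 port 5525 ssh2
Mar 15 09:00:09 gw sshd[2206]: Accepted password for root from 203.0.113.7 port 5526 ssh2
Mar 15 09:01:10 gw sshd[2210]: Failed password for alice from 198.51.100.20 port 41002 ssh2
Mar 15 09:01:25 gw sshd[2211]: Accepted password for alice from 198.51.100.20 port 41003 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>[\d.]+) port \d+"
)


def parse_line(line, year=2019):
    """Return a dict for a password-auth line, or None for lines we do not care about."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # syslog timestamps carry no year, so the caller supplies one.
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "src": m["src"]}


def detect_bruteforce(log_text, threshold=5, window_s=60):
    """Flag sources with >= threshold failed logins inside a sliding window of
    window_s seconds. A success from a flagged source is recorded separately, since
    that is the case where the guessing worked and the account must be treated as
    compromised rather than merely attacked."""
    recent = defaultdict(deque)  # src -> timestamps of failures still inside the window
    tried = defaultdict(set)     # src -> account names it has tried
    flagged = {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        src, ts = ev["src"], ev["ts"]
        if ev["result"] == "Failed":
            q = recent[src]
            q.append(ts)
            tried[src].add(ev["user"])
            while (ts - q[0]).total_seconds() > window_s:
                q.popleft()
            if len(q) >= threshold and src not in flagged:
                flagged[src] = {
                    "first_seen": q[0],
                    "failures": len(q),
                    "accounts_tried": set(tried[src]),
                    "success_after": False,
                }
        elif src in flagged:
            flagged[src]["success_after"] = True
            flagged[src]["compromised_user"] = ev["user"]
    return flagged


def actions(flagged):
    """Turn findings into the response steps a defender would take first."""
    steps = []
    for src, f in sorted(flagged.items()):
        steps.append(f"block {src} at the perimeter ({f['failures']} failures, "
                     f"{len(f['accounts_tried'])} accounts tried)")
        if f["success_after"]:
            steps.append(f"disable account {f['compromised_user']}, reset its password "
                         f"and review {src}'s session for lateral movement")
    return steps


if __name__ == "__main__":
    for step in actions(detect_bruteforce(SAMPLE_LOG)):
        print(step)
```

The threshold and window are policy choices; the same sliding-window count can feed an automatic lockout, which is the "disable when not in use" advice applied per source rather than for the whole service.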

When we interviewed cybercrime researcher Bob McArdle from IT security firm Trend Micro, he advised that email filters and anti-virus software containing dedicated ransomware protection are vital. Companies should also regularly backup their data so it doesn’t matter if someone seizes the original. Backups must be tested and stored in locations that are inaccessible to ransomware.

These kinds of controls are crucial because ransomware attacks tend to leave very little evidence and so are inherently difficult to investigate. As such, targeted ransomware attacks are not going to stop any time soon, and attackers are only likely to get more sophisticated in their methods. Attackers are highly adaptive, so companies will have to respond just as smartly.

Lena Connolly, Research Fellow in Cyber Security, University of Leeds and David Wall, Professor of Criminology, University of Leeds

This article is republished from The Conversation under a Creative Commons license. Read the original article.

A new ransomware article published

A new article based on the EMPHASIS work has been published in the Crime Science journal:

Gavin Hull, Henna John, Budi Arief, “Ransomware Deployment Methods and Analysis: Views from a Predictive Model and Human Responses”, Crime Science 8(2), 2019.
The full article can be found at https://rdcu.be/bmtVa