David S. Wall, Centre for Criminal Justice Studies, University of Leeds, UK (d.s.wall@leeds.ac.uk)
Abstract. The sudden disruption of work, recreation and leisure practices caused by the COVID-19 lockdown caught many organisations and their employees unaware, especially during the move towards working from home. This led adaptive cybercriminals to shift their own focus towards home workers as a way into organisational networks. The upshot was a massive acceleration in major cyberattacks upon organisations and a noticeable shift in offender tactics which scale up levels of fear in victims to encourage payment of the ransom. Such tactics include a shift towards naming and shaming victims, the theft of commercially sensitive data and attacks targeting organisations which provide services to other organisations. These developments have also led to changes in the organisation of offenders online. Such attacks negatively impact upon national and international economies as they try to recover from lockdown. Drawing upon an analysis of 4000+ cases of ransomware attacks collected for the EPSRC EMPHASIS & CRITICAL research projects, this article charts the evolution of ransomware as a modern cybercrime and changes in the organisation of cyber-criminals as well as highlighting some of the implications for transnational policing.
The first part of this article looks at how lockdown disrupted routine behaviours and changed cybercrime attack vectors. The second part explores the evolution of ransomware tactics to show how changes in cybercrime have accelerated because of lockdown. The third part shows how cybercrime actors are now supported by a ‘professional’ ecosystem incentivised by the high yield which facilitates modern cybercrime. Before concluding, the fourth part will briefly outline some of the new challenges that modern cybercrimes are posing for law makers and law enforcement, not least the need to focus different resources upon the various stages of the ransomware attack so that they can more effectively respond co-productively with cybersecurity stakeholders.
A preprint of the full article can be obtained from
Wall, D.S. (2021) ‘The Transnational Cybercrime Extortion Landscape and the Pandemic: changes in ransomware offender tactics, attack scalability and the organisation of offending’, European Law Enforcement Research Bulletin, 22, https://bulletin.cepol.europa.eu/index.php/bulletin/issue/archive (forthcoming).
In their Carbis Bay communique, the G7 announced their intention to work together to tackle ransomware groups. Days later, US president Joe Biden met with Russian president Vladimir Putin, where an extradition process to bring Russian cybercriminals to justice in the US was discussed. Putin reportedly agreed in principle, but insisted that extradition be reciprocal. Time will tell if an extradition treaty can be reached. But if it is, who exactly should be extradited – and what for?
The problem for law enforcement is that ransomware – a form of malware used to steal organisations’ data and hold it to ransom – is a very slippery fish. Not only is it a blended crime, including different offences across different bodies of law, but it’s also a crime that straddles the remit of different policing agencies and, in many cases, countries. And there is no one key offender. Ransomware attacks involve a distributed network of different cybercriminals, often unknown to each other to reduce the risk of arrest.
So it’s important to look at these attacks in detail to understand how the US and the G7 might go about tackling the increasing number of ransomware attacks we’ve seen during the pandemic, with at least 128 publicly disclosed incidents taking place globally in May 2021.
What we find when we connect the dots is a professional industry far removed from the organised crime playbook, which seemingly takes its inspiration straight from the pages of a business studies manual.
The ransomware industry is responsible for a huge amount of disruption in today’s world. Not only do these attacks have a crippling economic effect, costing billions of dollars in damage, but the stolen data acquired by attackers can continue to cascade down through the crime chain and fuel other cybercrimes.
Ransomware attacks are also changing. The criminal industry’s business model has shifted towards providing ransomware as a service. This means operators provide the malicious software, manage the extortion and payment systems and manage the reputation of the “brand”. But to reduce their exposure to the risk of arrest, they recruit affiliates on generous commissions to use their software to launch attacks.
This has resulted in an extensive distribution of criminal labour, where the people who own the malware are not necessarily the same as those who plan or execute ransomware attacks. To complicate things further, both are assisted in committing their crimes by services offered by the wider cybercrime ecosystem.
How do ransomware attacks work?
There are several stages to a ransomware attack, which I have teased out after analysing over 4,000 attacks from between 2012 and 2021.
First, there’s the reconnaissance, where criminals identify potential victims and access points to their networks. This is followed by a hacker gaining “initial access”, using log-in credentials bought on the dark web or obtained through deception.
Once initial access is gained, attackers seek to escalate their access privileges, allowing them to search for key organisational data that will cause the victim the most pain when stolen and held to ransom. This is why hospital medical records and police records are often the target of ransomware attacks. This key data is then extracted and saved by criminals – all before any ransomware is installed and activated.
Next comes the victim organisation’s first sign that they’ve been attacked: the ransomware is deployed, locking organisations from their key data. The victim is quickly named and shamed via the ransomware gang’s leak website, located on the dark web. That “press release” may also feature threats to share stolen sensitive data, with the aim of frightening the victim into paying the ransom demand.
Successful ransomware attacks see the ransom paid in cryptocurrency, which is difficult to trace, and converted and laundered into fiat currency. Cybercriminals often invest the proceeds to enhance their capabilities – and to pay affiliates – so they don’t get caught.
The cybercrime ecosystem
While it’s feasible that a suitably skilled offender could perform each of the functions, it’s highly unlikely. To reduce the risk of being caught, offender groups tend to develop and master specialist skills for different stages of an attack. These groups benefit from this inter-dependency, as it offsets criminal liability at each stage.
And there are plenty of specialisations in the cybercrime underworld. There are spammers, who hire out spamware-as-a-service software that phishers, scammers and fraudsters use to steal people’s credentials, and data brokers who trade these stolen details on the dark web.
They might be purchased by “initial access brokers”, who specialise in gaining initial entry to computer systems before selling on those access details to would-be ransomware attackers. These attackers often engage with crimeware-as-a-service brokers, who hire out ransomware-as-a-service software as well as other malware.
To coordinate these groups, darkmarketeers provide online markets where criminals can openly sell or trade services, usually via the Tor network on the dark web. Monetisers are there to launder cryptocurrency and turn it into fiat currency, while negotiators, representing both victim and offender, are hired to settle the ransom amount.
This ecosystem is constantly evolving. For example, a recent development has been the emergence of the “ransomware consultant”, who collects a fee for advising offenders at key stages of an attack.
Arresting offenders
Governments and law enforcement agencies appear to be ramping up their efforts to tackle ransomware offenders, following a year blighted by their continued attacks. As the G7 met in Cornwall in June 2021, Ukrainian and South Korean police forces coordinated to arrest elements of the infamous CL0P ransomware gang. In the same week, Russian national Oleg Koshkin was convicted by a US court for running a malware encryption service that criminal groups use to perform cyberattacks without being detected by antivirus solutions.
While these developments are promising, ransomware attacks are a complex crime involving a distributed network of offenders. As the offenders have honed their methods, law enforcers and cybersecurity experts have tried to keep pace. But the relative inflexibility of policing arrangements, and the lack of a key offender (Mr or Mrs Big) to arrest, may always keep them one step behind the cybercriminals – even if an extradition treaty is struck between the US and Russia.
For an hour on the morning of June 8, dozens of the world’s most-visited websites went offline. Among those affected were Amazon, Reddit, PayPal and Spotify, as well as the Guardian, the New York Times and the UK government website, gov.uk. Together, these websites handle hundreds of millions of users.
The issue was quickly traced to Fastly, a cloud computing company which offers a content delivery network to the affected websites. Designed to alleviate performance bottlenecks, a content delivery network is essentially a system of computers or servers that hold copies of data across various points of a network. When it fails, the websites it supports cannot retrieve their data and are forced offline.
This case illustrates the fragility of an internet that’s being routed through fewer and fewer channels. When one of those major channels fails, in what is called a “single point of failure”, the results are dramatic, disruptive and incredibly costly.
This hasn’t been lost on cybercriminals, who know that one targeted hack can bring down or breach a number of organisations simultaneously. It’s urgent we address this significant vulnerability if we’re to avoid another global internet meltdown – but this time caused by criminals, not code.
Warning signs
Given that it came hot on the heels of the ransomware attack on the Colonial oil pipeline in the US, experts initially speculated that Fastly’s outage could have been caused by a cyberattack.
It’s easy to see why. Drawing upon an analysis of over 4,000 ransomware attacks, my research has revealed a massive acceleration in major cyberattacks that target organisations, conducted by ransomware gangs looking to extort cash from businesses they manage to hack.
These attacks are taking advantage of vulnerabilities caused by remote working arrangements. But there’s also been a noticeable shift in attacks upon organisations like Fastly, which provide core services to other organisations and their own clientele.
This trend is unlikely to stop. Ransomware has become a sophisticated billion-dollar business, and attackers are supported by an increasingly professional ecosystem that’s incentivised by the high yield generated by such attacks. A 2020 Verizon report found 86% of hacks are financially motivated, while less than 10% are motivated by espionage.
Two high-profile hacks that targeted organisations with access to thousands of other organisations have recently shown just how fragile centralised internet systems can be. The SolarWinds and Microsoft Exchange Server hacks, which took place in early 2020 and early 2021 respectively, breached tens of thousands of companies. Both have been attributed to state-backed hackers, rather than ransomware gangs.
But cybercriminals have deliberately targeted multiple service providers and critical supply chains too in order to upscale the impact, and therefore the potential payout, of their hacks. Blackbaud, Accellion and other key online service providers have been victim to such attacks.
Centralisation of the internet
All these particularly disruptive hacks are partially the result of the drive towards centralisation of online services, which may be efficient for businesses, but is counter to the founding principles of the internet.
The initial appeal of the internet was that it was a distributed network designed to resist attacks and censorship. When released for public use in the early 1990s, the internet became popular for commerce as well as being regarded as a beacon of free speech. But market logic, rather than free speech, has driven developments since the early days.
Today, cloud computing firms and multiple service providers manage large chunks of internet traffic, causing single points of failure where internet flows can be accidentally or deliberately disrupted. Even something as simple as a typo can cause significant disruption, as was the case in 2017 when several of Amazon’s servers – which power large swathes of the internet – went temporarily offline due to an inputting error.
We should take our hats off to Fastly for quickly rectifying the June 8 outage. But this case has revealed the dangers of consolidating key internet infrastructure, resulting in the emergence of costly single points of failure. It’s another stern wake-up call for law enforcement and the cybersecurity community, giving renewed emphasis to the mission of the US and European ransomware taskforces.
Avoiding internet meltdowns
But are taskforces enough to address this problem? What this event has really shown is how firms like Fastly are in effect privately-owned public spaces, which not only blur the lines between business and national infrastructure, but have, in effect, become “too big to fail”.
All this suggests that the solution to this dilemma must be found beyond multi-sector taskforces, requiring full-blown political debate over what we want the internet to look like in the latter three-quarters of the 21st century. If we fail to make that decision, then others will for us.
New research is questioning the popular notion that cybercriminals can make millions of dollars from the comfort of home — and without much effort.
Our paper, published in the journal Trends in Organised Crime, suggests offenders who illegally sell cybercrime tools to other groups aren’t promised automatic success.
Indeed, the “crimeware-as-a-service” market is a highly competitive one. To succeed, providers have to work hard to attract clients and build up their criminal business.
They must combine their skills and employ business acumen to attract (and profit from) other cybercriminals wanting their “services”. And the tactics they use more closely resemble a business practice playbook than a classic Mafia operation.
Specifically, we looked at a Distributed Denial of Service (DDoS) stresser. A “DDoS stresser”, also called an IP booter, is an online tool that offenders can rent to launch DDoS attacks against websites.
In such attacks, the targeted website is bombarded with numerous log-on attempts all at once. This clogs up the site’s traffic and leads to all users being denied access, effectively causing the site to crash.
Buy your VIP cybercrime membership today
The stresser we analysed was taken down by Dutch law enforcement after six months of operation. Since all the identities involved were anonymised, we’ve called it StressSquadZ.
We explored StressSquadZ’s service operations and payment systems to observe how its service provider interacted with customers. Contrary to the idea of organised cybercrime looking like a cyberpunk version of The Godfather, their strategies seemed to come straight from a business playbook.
StressSquadZ’s provider offered clients a range of marketing and subscription plans. These started at an introductory trial price of US$1.99 for ten minutes of limited service, through to pricier options. Clients wanting a “full power” attack could buy a VIP bespoke service for US$250.
Clearly, StressSquadZ’s provider had a hankering to maximise profit. And just as we all appreciate a good bargain, their customers aimed to pay as little as possible.
The communication data we analysed, mapped below, indicated the clientele comprised three distinct groups of hackers: amateurs (red), professionals (green) and skilled non-professionals (yellow).
The low-impact trial plan was the most popular purchase. These users, which made up about 40% of the total customer pool, are very likely driven by the thrill of transgression rather than pure criminal intent.
A smaller group had more serious intentions, as their more expensive subscription levels indicated. Having invested more, they’d need a higher return on their investment.
Notably, we found the average yield for those involved was low, compared to yield obtained during other cybercrime operations studied. In fact, StressSquadZ operated at a loss for most of its life.
Two things help explain this. First, the service was short-lived. By the time it started gaining traction, it was shut down. Also, it was competing in a large market, losing potential customers to other similar service providers.
Complicit in the act
While stressers can be used legally to test the resilience of security systems, we found the main intent in using StressSquadZ was as an attack vehicle against websites.
There was no attempt by the service provider to prevent clients from illegal use, thus making them a facilitator of the crime. This in itself is a crime under computer misuse legislation in most Australian jurisdictions.
That said, the group of criminals tapping into StressSquadZ was very different to a more archetypal and hierarchical criminal group, such as the Mafia. Without a “boss”, StressSquadZ was sometimes disorganised, and duties and benefits were more equally distributed.
We now face fewer (but stronger) DDoS attacks
The emergence of DDoS stressers over the past decade has actually led to an overall reduction in the number of DDoS attacks.
According to the CRITiCaL project, out of 10,000 cyberattacks between 2012 and 2019 – of which 800 were DDoS attacks – the number of attacks fell from 180 in 2012 to fewer than 50 last year.
This may be because individual attacks are now more powerful. Early DDoS attacks were weak and short in duration, so cyber security systems could overcome them. Attacks today carry out their purpose, which is to invalidate access to a system, for a longer duration.
There’s been a massive increase in the scope and intensity of attacks over the past decade. Damage once done on a megabyte scale has now become gigabytes and terabytes.
DDoS attacks can facilitate data theft or increase the intensity of ransomware attacks.
In February, they were used as a persistent threat to seek ransom payments from various Australian organisations, including banks.
Also in February we witnessed one of the most extreme DDoS attacks in recent memory. Amazon Web Services was hit by a sustained attack that lasted three days and reached up to 2.3 terabytes per second.
The threat from such assaults (and the networks sustaining them) is of huge concern — not least because DDoS attacks often come packaged with other crimes.
It’s helpful, however, to know stresser providers use a business model resembling any e-commerce website. Perhaps with this insight we can get down to business taking them down.
David S. Wall, Cybercrime Group, Centre for Criminal Justice Studies, University of Leeds, UK. <d.s.wall@leeds.ac.uk> 16 September 2020
Recent attacks on both Newcastle universities and others in the UK, during their attempts to recover from the Covid-19 lockdown, have highlighted how exposed the university sector is to cyberattacks. They are particularly vulnerable to ransomware, which encrypts operating systems and steals data before extorting ransom payments to return the system to normal.
An analysis of a database of over 1650 attacks illustrates the modern cybercrime problem (EPSRC EP/M020576/1/EP/P011772/1). It shows that there has been a surprising decline in attacks on the public sector this year during lockdown, especially healthcare. Yet there has been a marked rise in attacks on the private sector. Interestingly, the analysis also indicates an increase in attacks upon large and complex businesses, which include universities.
The graph below shows how attacks on larger organisations (multiples) have scaled their impact up and down the supply chain. They not only directly affect their clients, but also their clients’ clients. We conservatively estimate that on average each attack impacts upon about 15 client organisations, and in some cases many more.
Universities’ uniqueness exposes them to attack
Whilst universities may operate on not-for-profit lines, they are still large complex business organisations, often with turnovers of £0.75 billion or more, so they are very attractive to economically motivated cybercriminals. University computer systems not only hold important trade secrets, which include research findings on Covid-19 vaccines amongst large amounts of other research data, but they also hold important staff and student personal data, including exam results. So they are attractive to both economic criminals and spies. Furthermore, modern universities are wholly dependent upon their IT systems to operate, so disruptions to the system can be economically damaging, which increases the leverage to pay the ransom when attacked. As mentioned earlier, their systems also have to be accessible quite deeply to staff and students, both locally and remotely.
Using stolen (or bought) login details, attackers enter the victim’s computing system and copy key organisational data before encrypting it. Reports suggest that attackers could have been in the system for a year to prepare the ground for the attack. In the past year they have also adopted a new tactic of publishing the victim’s name on a website that they control, along with some proof of attack. By publicly ‘naming and shaming’ victims, attackers can leverage the extortion of the ransom payment. Furthermore, attackers very often demand a ransom (sometimes in the £millions) which, if not paid (in Bitcoin) within a set time period (such as 7 days), is doubled and more data is published. Some ransomware gangs ask for two ransoms, one for the encryption code to make the system work again and another to delete the sensitive data stolen. They may even be prepared to negotiate down the final ransom amount to match the victim’s budget.
Protecting Universities
The question arises as to how universities can protect themselves. Because of their known vulnerabilities, universities already undertake many additional measures to prevent attacks; for example, their attack prevention software repels millions of phishing attacks each month and stops malicious software entering their systems. Of course, being public and part of the UK, they are also protected by the NCSC and the policing agencies.
The main problem lies in new and novel forms of attack, such as in the Newcastle case, where the attackers entered the system and moved around it for some time preparing their eventual attack. Universities certainly manage their access account systems more effectively than before, but perhaps not enough. They also rigorously keep data backups. But backups do not necessarily get the operating system running again if it is damaged. The experience of many victims who have not paid the ransom is that they had to effectively pay for an entirely new IT system plus additional protection.
Should, then, victims ever pay ransom money to hackers?
Paying the ransom is not only frowned upon by policing agencies, but it is morally wrong and also feeds crime, thus encouraging criminals. Plus, there is not always a guarantee of a full return of data, despite assurances. But victims often face two dilemmas (in fact, another double jeopardy perhaps). The first is that paying the ransom can generally be much cheaper than not paying and having to reconstruct the entire system. The second dilemma is that the decision may be out of their hands, as cyber-insurance companies often insist on paying and may even employ their own negotiators, with the knock-on effect that ransomware payments have risen.
The truth is that universities are not unique: like nearly all modern organisations which rely upon IT to operate, they regularly experience cyberattacks – to the point that university IT security staff are known to joke that DDoS attacks predictably increase during exam times. But the sobering fact of the modern age is that we are generally witnessing an increase in both the prevalence and the enormity of cyberattacks via ransomware. In fact, any organisation that depends upon its IT systems to operate is vulnerable. In many ways the Newcastle universities were simply unlucky in the lottery of cybervictimisation; however, they also have qualities, such as their openness by nature of their constitution, that leave them vulnerable.
The lesson from this and other recent ransomware attacks is to treat security like an arms race. This means that security resources have to be applied, employing more staff who have up-to-date skills in the field, as the relevant IT skill sets change rapidly while the criminals become more skilled and practised themselves. Any response has to be one step ahead of the continually shifting attack space, not alongside it.
These attacks have quickly become commonplace. US cities, in particular, have regularly been subjected to ransomware, disrupting their operations on a massive scale.
Elsewhere, an attack on Redcar council in North Yorkshire affected 135,000 people and reminded the UK as to how devastating ransomware attacks on city service providers can be.
Restoring services after ransomware attacks is always financially and reputationally expensive because of the cost of downtime during recovery, calculated to be about $10,000 per day.
This is the case even when restoring backup systems or decrypting following payment of the ransom, because flaws in the malware often mean that data is not always returned in its previous state and requires further work. The City of Baltimore estimated that its 2019 attack cost $18.2 million.
Cities under siege
Our research on ransomware attacks against organisations has found that their scale and intensity have escalated since the last quarter of 2018. In addition, there has been a dramatic increase in attacks on entities that provide services to or manage organisations, like cities. These entities are known as multiple service deliverers.
The following graph shows the rise in the number of attacks against multiple service deliverers, like cities, as compared with single service deliverers, such as a specific department or business.
This raises important questions about how cities and municipalities, and the services provided by them, can fight back against hackers.
My colleague, Lena Connolly, and I found that organisations need to continually improve their security game and be as adaptive as the criminals when responding to attacks. We developed a classification of response tools that organisations must implement in order to respond to crypto-ransomware effectively. We then identified key groups of employees such as front-line managers and senior management who must take an active role in ensuring the organisation is prepared for cyber-attacks.
Practical approaches to defence against ransomware can be taken. These include regularly keeping different formats of backup data in different places, alongside a data restoration plan, and having good ransomware malware protection in place.
Cities should also encourage good cybersecurity hygiene practices by staff. This includes training against social engineering attacks like phishing, which rely on psychological manipulation. We found cybersecurity measures often focused on technical issues and neglected these social aspects.
Fighting back
Other, less formulaic ways of fighting back against ransomware are also being adopted. One option is taking legal action against ransomware facilitators.
In a recent development, the MAZE group and other ransomware groups have begun carrying out attacks by stealing data, then encrypting the computer system and naming and shaming victims on their public websites. The groups then threaten to publish data on the website if payment deadlines are not met. The City of Pensacola in Florida, for example, was hit by a MAZE ransomware attack and a ransom demand of $1 million in December 2019. Some of their data was later released after non-payment.
The response of US company Southwire provides an example for cities facing these attacks. Southwire was a victim of MAZE ransomware and was named on the group’s website. The company took out a US civil injunction against the hosting web provider in the Irish Republic which named the hoster (and shamed them). This led to the offending website being taken down, although it reappeared a few days later on a different web host – which, at the time of writing, no longer appears to be accessible. The action bought some breathing space and also sent a symbolic message to web hosters to act responsibly.
Other positive news is that cybersecurity research is using artificial intelligence to identify and mitigate ransomware attacks as they happen. Darktrace, for example, is one of a number of firms using AI against ransomware.
On the other hand, obstacles to fighting ransomware remain that need to be resolved quickly. In the US, there is confusion over funding measures against ransomware as it falls between federal and state authorities.
In the UK, the problem of reporting serious ransomware attacks is exacerbated because they are in effect two separate crimes: the “ransom”, which is an economic crime, and the “ware” (malicious software), which is a computer misuse crime. They therefore fall under the responsibilities of different policing agencies.
Prevention is the main order of the day. A number of cities and organisations have so far managed to remain safe or mitigate the impact of attacks. These cases appear to have had robust business continuity plans which combined tried and tested social and technical measures.
Lena Connolly was cited in an article by James Francis called ‘People Power’, page 22 of the September 2019 edition of Financial Mail Office. Threats from Cybercrime are escalating. Humans are the weakest link, but they don’t have to be. Click on the link to read on. http://online.anyflip.com/enio/udax/mobile/index.html#p=24
(n.b.) Ed Cartwright and David Wall are cited in the following article.
Cybercriminals may be partially responsible for driving up the price of Bitcoin. It’s no secret that Bitcoin and other cryptocurrencies have had an enabling effect on cybercrime. Now, we believe the inverse may also be true – that cybercrime, and ransomware in particular, is helping stimulate the cryptocurrency economy and inflating the value of Bitcoin.
Bitcoin: a key part of the ransomware model
Bitcoin has proven to be a tempestuous creature, climbing to an all-time high value of almost $20,000 in December 2017, dropping to below $3,500 in January 2019 and bouncing back to around the $10,000 mark today. While there are many factors behind these extreme fluctuations, we believe ransomware may be fueling the growth of Bitcoin.
Ransomware is a type of malware that encrypts a victim’s files. To regain access to the files, the victim has to pay a ransom, the cost of which can range from a few hundred dollars for home users to hundreds of thousands of dollars for major corporations and public entities. The ransom is usually paid in cryptocurrency, and that cryptocurrency is usually Bitcoin. Bitcoin accounted for about 98 percent of ransomware payments made in the first quarter of 2019, according to figures from ransomware recovery specialists Coveware. As a result, Bitcoin has become an inextricable part of the ransomware model.
. . . cont . . .
A ransomware campaign that targeted 23 US cities across Texas has raised serious concerns about the vulnerability of local governments and public services to cyber-attacks. These events come not long after similar attacks on governmental and business organisations in Indiana, Florida and elsewhere. They reflect a general shift in ransomware tactics from “spray and pray” attacks on large numbers of individual consumers, to “big game hunting”, which targets organisations, usually through people in positions of power.
A recent report from cyber-security firm Malwarebytes found a 363% increase in ransomware detections against businesses and organisations (as opposed to individuals) from 2018 to 2019. Put simply, cyber-criminals see an opportunity to extort far more money from organisations than individuals. Although the majority of ransomware attacks were found to occur in the US, local governments around the world are equally vulnerable.
Ransomware usually spreads via phishing emails or links to infected websites, relying on human error to gain access to systems. As its name suggests, ransomware is designed to block access to data, systems or services until a ransom is paid. At a technical level, cities tend to be fairly easy targets because they often have bespoke operating systems, with parts that are old and out-of-date, as well as ineffective back-up measures.
Cities also tend to lack system-wide security policies, so if cyber-criminals gain entry through one system, they can then access others and wreak havoc by freezing essential data and preventing the delivery of services. But even if organisations have improved their technical security, my research with my colleague Lena Connolly has found that few put equal emphasis on training employees to identify and resist attacks.
Target acquired
Employees in many small and medium-sized organisations, like local governments, often do not recognise their organisation’s true commercial value to criminals, and commonly think they are unlikely to be targeted. As a result, they might also develop bad habits – such as using work systems for personal reasons – which can increase vulnerability.
Offenders will do their homework before launching an attack, in order to create the most severe disruption they possibly can. After all, the greater the pressure to pay the ransom, the higher they can set the tariff.
Attackers identify key individuals to target and seek out vulnerabilities such as computers which have been left switched on outside of working hours, or have not been updated. Once they’ve worked out who to target, cyber-criminals deploy “social engineering” techniques, such as phishing, which psychologically manipulate victims into opening an email attachment or clicking on a link, which allows the ransomware programme into the organisation’s operating system.
To pay or not to pay?
Whether or not to pay the ransom is not a straightforward decision for city authorities with vital public services on the line. Most policing agencies instruct victims not to pay, but as Mayor Stephen Witt of Lake City, Florida, put it after his ward was targeted:
With your heart, you really don’t want to pay these guys. But, dollars and cents, representing the citizens, that was the right thing to do.
Another problem is that ransomware is not always deployed to extort money – so paying the ransom doesn’t guarantee that data will be restored. Attackers can have varying motives, skills and resources – working out their motive (often with very little information) is therefore crucial.
Rather than simply making money using ransomware, some cyber-criminals might seek to disable market competitors who provide competing goods or services. Or, they may use the attacks for political gain, to reduce public confidence in a local government’s ability to deliver essential services. In such cases, the data is unlikely ever to be restored, even if the ransom is paid.
Seeking cover
Many cities are insured against attacks, and insurers often pay the ransom to retrieve stolen data – sometimes employing third party negotiators, against national advice. Ironically, the knowledge that cyber-criminals are likely to get paid justifies the time they spend researching their target’s weaknesses, and leaves the door open for repeat attacks. This was one of the reasons why cyber-criminals changed tactics and started targeting organisations in the first place.
This leaves city authorities a difficult choice, between paying to restore essential data and services (and encouraging cybercriminals) or admitting their systems have been compromised and facing up to social and political backlash. Even so, there are some measures city authorities can take to protect themselves, and their citizens, from ransomware.
Today, authorities need to assume that it’s a matter of when – not if – an attack will happen. They should install back-up systems for protected data that have the capacity to replace infected operating systems and databases if need be. For example, in the UK, research found that 27% of local government organisations were targets of ransomware in 2017. Yet 70% of their 430 respondents had back-up systems in place, in preparation for the EU’s General Data Protection Regulation (GDPR), and could therefore recover from a ransomware attack much faster than their counterparts in the US.
Local authorities need to separate their data systems where possible and install appropriate levels of security. They also need to train employees about the nature of the threat and the impacts of their own actions when working within the organisation’s systems. They should also be aware of international schemes to prevent and mitigate ransomware (such as nomoreransom.org) – which provide advice and publish the keys to some ransomware online.
Public organisations must be able to think quickly and adapt to these new security threats – especially since cyber-criminals are always coming up with new techniques. Local governments need to be prepared to simultaneously prevent cyber-attacks, mitigate their effects when they do happen and bring cyber-criminals to justice.
David Wall talked to Radio Sputnik about the problem of ransomware and the successes of the ‘No More Ransom’ project. Run by a collaboration of cybersecurity organisations (including Europol), NoMoreRansom.org offers advice and software to recover computer files encrypted by ransomware and is claimed to have saved over 200,000 victims up to £86 million ($108 million).