The Transnational Cybercrime Extortion Landscape and the Pandemic: changes in ransomware offender tactics, attack scalability and the organisation of offending

David S. Wall, Centre for Criminal Justice Studies, University of Leeds, UK (

Abstract—. The sudden disruption of work, recreation and leisure practices caused by the COVID-19 lockdown caught many organisations and their employees unaware, especially during the move towards working from home. This led adaptive cybercriminals to shift their own focus towards home workers as a way into organisational networks. The upshot was a massive acceleration in major cyberattacks upon organisations and a noticeable shift in offender tactics which scale up levels of fear in victims to encourage payment of the ransom. Such tactics include a shift towards naming and shaming victims, the theft of commercially sensitive data and attacks targeting organisations which provide services to other organisations. These developments have also led to changes in the organisation of offenders online. Such attacks negatively impact upon national and international economies as they try to recover from lockdown. Drawing upon an analysis of 4000+ cases of ransomware attacks collected for the EPSRC EMPHASIS & CRITICAL research projects, this article charts the evolution of ransomware as a modern cybercrime and changes in the organisation of cyber-criminals as well as highlighting some of the implications for transnational policing.

The first part of this article looks at how lockdown disrupted routine behaviours and changed cybercrime attack vectors. The second part explores the evolution of ransomware tactics to show how changes in cybercrime have accelerated because of lockdown. The third part shows how cybercrime actors are now supported by a ‘professional’ ecosystem incentivised by the high yield which facilitates modern cybercrime. Before concluding, the fourth part will briefly outline some of the new challenges that modern cybercrimes are posing for law makers and law enforcement, not least the need to focus different resources upon the various stages of the ransomware attack so that they can more effectively respond co-productively with cybersecurity stakeholders.

A preprint of the full article can be obtained from

Wall, D.S. (2021) ‘The Transnational Cybercrime Extortion Landscape and the Pandemic: changes in ransomware offender tactics, attack scalability and the organisation of offending’, European Law Enforcement Research Bulletin, 22, (forthcoming).

A preprint version of the full article is available at:

Inside a ransomware attack: how dark webs of cybercriminals collaborate to pull one off


David S. Wall, University of Leeds

In their Carbis Bay communique, the G7 announced their intention to work together to tackle ransomware groups. Days later, US president Joe Biden met with Russian president Vladimir Putin, where an extradition process to bring Russian cybercriminals to justice in the US was discussed. Putin reportedly agreed in principle, but insisted that extradition be reciprocal. Time will tell if an extradition treaty can be reached. But if it is, who exactly should extradited – and what for?

The problem for law enforcement is that ransomware – a form of malware used to steal organisations’ data and hold it to ransom – is a very slippery fish. Not only is it a blended crime, including different offences across different bodies of law, but it’s also a crime that straddles the remit of different policing agencies and, in many cases, countries. And there is no one key offender. Ransomware attacks involve a distributed network of different cybercriminals, often unknown to each other to reduce the risk of arrest.

So it’s important to look at these attacks in detail to understand how the US and the G7 might go about tackling the increasing number of ransomware attacks we’ve seen during the pandemic, with at least 128 publicly disclosed incidents taking place globally in May 2021.

What we find when we connect the dots is a professional industry far removed from the organised crime playbook, which seemingly takes its inspiration straight from the pages of a business studies manual.

The ransomware industry is responsible for a huge amount of disruption in today’s world. Not only do these attacks have a crippling economic effect, costing billions of dollars in damage, but the stolen data acquired by attackers can continue to cascade down through the crime chain and fuel other cybercrimes.

Read more: Ransomware gangs are running riot – paying them off doesn’t help

Ransomware attacks are also changing. The criminal industry’s business model has shifted towards providing ransomware as a service. This means operators provide the malicious software, manage the extortion and payment systems and manage the reputation of the “brand”. But to reduce their exposure to the risk of arrest, they recruit affiliates on generous commissions to use their software to launch attacks.

This has resulted in an extensive distribution of criminal labour, where the people who own the malware are not necessarily the same as those who plan or execute ransomware attacks. To complicate things further, both are assisted in committing their crimes by services offered by the wider cybercrime ecosystem.

A hooded hacker
Even a lone hacker draws upon the criminal capabilities of others. trambler58/Shutterstock

How do ransomware attacks work?

There are several stages to a ransomware attack, which I have teased out after analysing over 4,000 attacks from between 2012 and 2021.

First, there’s the reconnaissance, where criminals identify potential victims and access points to their networks. This is followed by a hacker gaining “initial access”, using log-in credentials bought on the dark web or obtained through deception.

Once initial access is gained, attackers seek to escalate their access privileges, allowing them to search for key organisational data that will cause the victim the most pain when stolen and held to ransom. This is why hospital medical records and police records are often the target of ransomware attacks. This key data is then extracted and saved by criminals – all before any ransomware is installed and activated.

Next comes the victim organisation’s first sign that they’ve been attacked: the ransomware is deployed, locking organisations from their key data. The victim is quickly named and shamed via the ransomware gang’s leak website, located on the dark web. That “press release” may also feature threats to share stolen sensitive data, with the aim of frightening the victim into paying the ransom demand.

A ransomware lockout screen
Victims of ransomware attacks are typically presented with a screen like this. TechnoLlama, CC BY

Successful ransomware attacks see the ransom paid in cryptocurrency, which is difficult to trace, and converted and laundered into fiat currency. Cybercriminals often invest the proceeds to enhance their capabilities – and to pay affiliates – so they don’t get caught.

The cybercrime ecosystem

While it’s feasible that a suitably skilled offender could perform each of the functions, it’s highly unlikely. To reduce the risk of being caught, offender groups tend to develop and master specialist skills for different stages of an attack. These groups benefit from this inter-dependency, as it offsets criminal liability at each stage.

And there are plenty of specialisations in the cybercrime underworld. There are spammers, who hire out spamware-as-a-service software that phishers, scammers, and fraudsters use to steal people’s credentials, and databrokers who trade these stolen details on the dark web.

They might be purchased by “initial access brokers”, who specialise in gaining initial entry to computer systems before selling on those access details to would-be ransomware attackers. These attackers often engage with crimeware-as-a-service brokers, who hire out ransomware-as-a-service software as well as other malicious malware.

To coordinate these groups, darkmarketeers provide online markets where criminals can openly sell or trade services, usually via the Tor network on the dark web. Monetisers are there to launder cryptocurrency and turn it into fiat currency, while negotiators, representing both victim and offender, are hired to settle the ransom amount.

This ecosystem is constantly evolving. For example, a recent development has been the emergence of the “ransomware consultant”, who collects a fee for advising offenders at key stages of an attack.

Arresting offenders

Governments and law enforcement agencies appear to be ramping up their efforts to tackle ransomware offenders, following a year blighted by their continued attacks. As the G7 met in Cornwall in June 2021, Ukrainian and South Korean police forces coordinated to arrest elements of the infamous CL0P ransomware gang. In the same week, Russian national Oleg Koshkin was convicted by a US court for running a malware encryption service that criminal groups use to perform cyberattacks without being detected by antivirus solutions.

While these developments are promising, ransomware attacks are a complex crime involving a distributed network of offenders. As the offenders have honed their methods, law enforcers and cybersecurity experts have tried to keep pace. But the relative inflexibility of policing arrangements, and the lack of a key offender (Mr or Mrs Big) to arrest, may always keep them one step behind the cybercriminals – even if an extradition treaty is struck between the US and Russia.

David S. Wall, Professor of Criminology, University of Leeds

This article is republished from The Conversation under a Creative Commons license. Read the original article.

Fastly’s global internet meltdown could be a sign of things to come

Fastly’s global internet meltdown could be a sign of things to come

David S. Wall, University of Leeds

For an hour on the morning of June 8, dozens of the world’s most-visited websites went offline. Among those affected were Amazon, Reddit, PayPal and Spotify, as well as the Guardian, the New York Times and the UK government website, Together, these websites handle hundreds of millions of users.

The issue was quickly traced to Fastly, a cloud computing company which offers a content delivery network to the affected websites. Designed to alleviate performance bottlenecks, a content delivery network is essentially a system of computers or servers that hold copies of data across various points of a network. When it fails, the websites it supports cannot retrieve their data and are forced offline.

The outage to Fastly’s content delivery network appears to have been caused by an internal software bug that was triggered by one of their customers. Yet even though it was resolved within an hour, it’s estimated to have cost Fastly’s global clientele hundreds of millions of dollars.

Read more: Fastly global internet outage: why did so many sites go down — and what is a CDN, anyway?

This case illustrates the fragility of an internet that’s being routed through fewer and fewer channels. When one of those major channels fails, in what is called a “single point of failure”, the results are dramatic, disruptive and incredibly costly.

This hasn’t been lost on cybercriminals, who know that one targeted hack can bring down or breach a number of organisations simultaneously. It’s urgent we address this significant vulnerability if we’re to avoid another global internet meltdown – but this time caused by criminals, not code.

Warning signs

Given that it came hot on the heels of the ransomware attack on the Colonial oil pipeline in the US, experts initially speculated that Fastly’s outage could have been caused by a cyberattack.

It’s easy to see why. Drawing upon an analysis of over 4,000 ransomware attacks, my research has revealed a massive acceleration in major cyberattacks that target organisations, conducted by ransomware gangs looking to extort cash from businesses they manage to hack.

These attacks are taking advantage of vulnerabilities caused by remote working arrangements. But there’s also been a noticeable shift in attacks upon organisations like Fastly, which provide core services to other organisations and their own clientele.

A graph showing the increase in cyberattacks on multiple service organisations
Cyberattacks targeting platforms similar to Fastly have risen sharply since 2019. David S. Wall, Author provided

This trend is unlikely to stop. Ransomware has become a sophisticated billion-dollar business, and attackers are supported by an increasingly professional ecosystem that’s incentivised by the high yield generated by such attacks. A 2020 Verizon report found 86% of hacks are financially motivated, while less than 10% are motivated by espionage.

Read more: Ransomware gangs are running riot – paying them off doesn’t help

Two high-profile hacks that targeted organisations with access to thousands of other organisations have recently shown just how fragile centralised internet systems can be. The SolarWinds and Microsoft Exchange Server hacks, which took place in early 2020 and early 2021 respectively, breached tens of thousands of companies. Both have been attributed to state-backed hackers, rather than ransomware gangs.

But cybercriminals have deliberately targeted multiple service providers and critical supply chains too in order to upscale the impact, and therefore the potential payout, of their hacks. Blackbaud, Accellion and other key online service providers have been victim to such attacks.

Centralisation of the internet

All these particularly disruptive hacks are partially the result of the drive towards centralisation of online services, which may be efficient for businesses, but is counter to the founding principles of the internet.

The initial appeal of the internet was that it was a distributed network designed to resist attacks and censorship. When released for public use in the early 1990s, the internet became popular for commerce as well as being regarded as a beacon of free speech. But market logic, rather than free speech, has driven developments since the early days.

Today, cloud computing firms and multiple service providers manage large chunks of internet traffic, causing single points of failure where internet flows can be accidentally or deliberately disrupted. Even something as simple as a typo can cause significant disruption, as was the case in 2017 when several of Amazon’s servers – which power large swathes of the internet – went temporarily offline due to an inputting error.

We should take our hats off to Fastly for quickly rectifying the June 8 outage. But this case has revealed the dangers of consolidating key internet infrastructure, resulting in the emergence of costly single points of failure. It’s another stern wake-up call for law enforcement and the cybersecurity community, giving renewed emphasis to the mission of the US and European ransomware taskforces.

Avoiding internet meltdowns

But are taskforces enough to address this problem? What this event has really shown is how firms like Fastly are in effect privately-owned public spaces, which not only blur the lines between business and national infrastructure, but have, in effect, become “too big to fail”.

All this suggests that the solution to this dilemma must be found beyond multi-sector taskforces, requiring full-blown political debate over what we want the internet to look like in the latter three-quarters of the 21st century. If we fail to make that decision, then others will for us.

David S. Wall, Professor of Criminology, University of Leeds

This article is republished from The Conversation under a Creative Commons license. Read the original article.

Nothing like the mafia: cybercriminals are much like the everyday, poorly paid business worker

Nothing like the mafia: cybercriminals are much like the everyday, poorly paid business worker


Roberto Musotto, Edith Cowan University and David S. Wall, University of Leeds

New research is questioning the popular notion that cybercriminals can make millions of dollars from the comfort of home — and without much effort.

Our paper, published in the journal Trends in Organised Crime, suggests offenders who illegally sell cybercrime tools to other groups aren’t promised automatic success.

Indeed, the “crimeware-as-a-service” market is a highly competitive one. To succeed, providers have to work hard to attract clients and build up their criminal business.

They must combine their skills and employ business acumen to attract (and profit from) other cybercriminals wanting their “services”. And the tactics they use more closely resemble a business practice playbook than a classic Mafia operation.

The online trade of DDoS stressers

Using social network analysis, we studied crimeware-as-a-service payment patterns online.

Read more: Prosecuting within complex criminal networks is hard. Data analysis could save the courts precious time and money

Specifically, we looked at a Distributed Denial of Service (DDoS) stresser. A “DDoS stresser”, also called an IP booter, is an online tool that offenders can rent to launch DDoS attacks against websites.

In such attacks, the targeted website is bombarded with numerous log-on attempts all at once. This clogs up the site’s traffic and leads to all users being denied access, effectively causing the site to crash.

Buy your VIP cybercrime membership today

The stresser we analysed was taken down by Dutch law enforcement after six months of operation. Since all the identities involved were anonymised, we’ve called it StressSquadZ.

We explored StressSquadZ’s service operations and payment systems to observe how its service provider interacted with customers. Contrary to the idea of organised cybercrime looking like a cyberpunk version of The Godfather, their strategies seemed to come straight from a business playbook.

StressSquadZ’s provider offered clients a range of marketing and subscription plans. These started at an introductory trial price of US$1.99 for ten minutes of limited service, through to pricier options. Clients wanting a “full power” attack could buy a VIP bespoke service for US$250.

Clearly, StressSquadZ’s provider had a hankering to maximise profit. And just as we all appreciate a good bargain, their customers aimed to pay as little as possible.

Read more: MyGov’s ill-timed meltdown could have been avoided with ‘elastic computing’

(Cyber)crime doesn’t always pay

The communication data we analysed, mapped below, indicated the clientele compromised of three distinct groups of hackers: amateurs (red), professionals (green) and skilled non-professionals (yellow).

Some users who started with buying trials later graduated to more expensive premium services, which were pathways into more powerful attacks. The lines in this figure represent payments for DDoS stresser services.

The low-impact trial plan was the most popular purchase. These users, which made up about 40% of the total customer pool, are very likely driven by the thrill of transgression rather than pure criminal intent.

A smaller group had more serious intentions, as their more expensive subscription levels indicated. Having invested more, they’d need a higher return on their investment.

Notably, we found the average yield for those involved was low, compared to yield obtained during other cybercrime operations studied. In fact, StressSquadZ operated at a loss for most of its life.

Two things help explain this. First, the service was short-lived. By the time it started gaining traction, it was shut down. Also, it was competing in a large market, losing potential customers to other similar service providers.

Complicit in the act

While stressers can be used legally to test the resilience of security systems, we found the main intent to use StressSquadZ’s was as an attack vehicle against websites.

There was no attempt by the service provider to prevent clients from illegal use, thus making them a facilitator of the crime. This in itself is a crime under computer misuse legislation in most Australian jurisdictions.

That said, the group of criminals tapping into StressSquadZ was very different to a more archetypal and hierarchical criminal group, such as the Mafia. Without a “boss” StressSquadZ was sometimes disorganised and duties and benefits were more equally distributed.

We now face fewer (but stronger) DDoS attacks

The emergence of DDoS stressers over the past decade has actually led to an overall reduction in the number of DDoS attacks.

According to CRITiCaL project, out of 10,000 cyberattacks between 2012 and 2019 – of which 800 were DDoS attacks – the number of attacks fell from 180 in 2012 to fewer than 50 last year.

This may be because individual attacks are now more powerful. Early DDoS attacks were weak and short in duration, so cyber security systems could overcome them. Attacks today carry out their purpose, which it to invalidate access to a system, for a longer duration.

There’s been a massive increase in the scope and intensity of attacks over the past decade. Damage once done on a megabyte scale has now become gigabytes and terabytes.

This graph shows the increase in size of DDoS attacks, in megabytes, from 2007 to 2018.
This graph shows the increase in size of DDoS attacks in megabytes from 2007 to 2018. Carlos Morales/Arbor Network

DDoS attacks can facilitate data theft or increase the intensity of ransomware attacks.

In February, they were used as a persistent threat to seek ransom payments from various Australian organisations, including banks.

Read more: Australia is under sustained cyber attack, warns the government. What’s going on, and what should businesses do?

Also in February we witnessed one of the most extreme DDoS attacks in recent memory. Amazon Web Services was hit by a sustained attack that lasted three days and reached up to 2.3 terabytes per second.

The threat from such assaults (and the networks sustaining them) is of huge concern — not least because DDoS attacks often come packaged with other crimes.

It’s helpful, however, to know stresser providers use a business model resembling any e-commerce website. Perhaps with this insight we can get down to business taking them down.

Roberto Musotto, Research fellow, Edith Cowan University and David S. Wall, Professor of Criminology, University of Leeds

This article is republished from The Conversation under a Creative Commons license. Read the original article.

(Reverse) Double Jeapoardy: Are Universities as Modern Complex Organisations becoming the New Target for Cybercriminals and Spies?

David S. Wall, Cybercrime Group, Centre for Criminal Justice Studies, University of Leeds, UK. <> 16 September 2020

During their attempts to recover from the Covid-19 lockdown recent attacks on both Newcastle Universities and others in the UK have highlighted how exposed the university sector is to cyberattacks. They are particularly vulnerable to Ransomware, which encrypts operating systems and steals data before extorting ransom payments to return the system to normal.

An analysis of a database of over 1650 attacks illustrates the modern cybercrime problem  (EPSRC EP/M020576/1 / EP/P011772/1). It shows that there has been a suprising decline in attacks on the public sector this year during lockdown, especially healthcare. Yet, there has been a marked rise in attacks on the private sector. Interestingly, the analysis also indicates an increase in attacks upon large and complex businesses, which include Universities.

The graph below shows how attacks on larger organisations (multiples) have scaled their impact up and down the supply chain. They not only directly affect their clients, but also their client’s clients. We conservatively estimate that on average each attack impacts upon about 15 client organisations and in some cases many more.

Universities’ uniqueness exposes them to attack

Whilst Universities may operate on not-for-profit lines, they are still large complex business organisations, often with turnovers of £0.75 billion or more, so they are very attractive to economically motivated cybercriminals. University computer systems not only hold important trade secrets, which include research findings on Covid-19 vaccines amongst other large amounts of other research data, but they also hold important staff and student personal data, including exam results. So, they are attractive to both economic criminals and also spies. Furthermore, modern Universities are wholly dependent upon their IT systems to operate, so disruptions to the system can be economically damaging, which increases the leverage to pay the ransom when attacked. As mentioned earlier, their systems also have to be accessible quite deeply to staff and students, both locally and remotely.

Not only are Universities direct primary targets for attackers, but they also become secondary victims when their outsourced service suppliers are attacked. In May 2020 cloud computing provider Blackbaud was attacked by ransomware, and its many hundreds of clients (over 125 UK universities and NGOs and hundreds more worldwide) became secondary victims when their data, stored by Blackbaud, was potentially compromised.

A new generation of cybercrime

Ransomware attacks, such as this month’s Doppelpaymer attack on Newcastle, represent a new generation of cyberattacks. Since the second half of 2019, Ransomware groups (inc. Doppelpaymer which evolved from BitPaymer) have included the added fear tactic of ‘naming and shaming’ (or reverse double jeapoardy bis in idem). In contrast to the previous generation of ransomware, which relied on ‘spray and pray’ tactics, e.g. emailing millions of users with juicy subject lines in the expectation that a few would reply or open attachments, and in so doing, infect their computer, the new generation attacks are the result of careful research and planning by criminals and the targeting of senior managers to get their access. The new generation is strategically different from the old one.

Using stolen (or bought) login details, attackers enter the victim’s computing system and copy key organisational data before encrypting it. Reports suggest that attackers could have been in the system for a year to prepare the ground for the attack. In the past year they have also adopted a new tactic of publishing the victim’s name on a www site that they control along with some proof of attack. By publicly ‘naming and shaming’ victims, attackers can leverage the extortion of the ransom payment. Furthermore, attackers very often demand a ransom (sometimes in the £millions), which if not paid (in Bitcoin) within a set time period (such as 7 days) is doubled and more data is published. Some ransomware gangs ask for two ransoms, one for the encryption code to make the system work again and another to delete the sensitive data stolen. They also may even be prepared to negotiate down the final ransom amount to match the victim’s budget.

Protecting Universities

The question arises as to how Universities can protect themselves. Because of their known vulnerabilities Universities already undertake many additional measures to prevent attacks, for example, their attack prevention software repels millions of phishing attacks each month and stop malicious software entering their systems. Of course, being public and part of the UK they are also protected by the NCSC and the policing agencies.

The main problem lies in new and novel forms of attack, such as in Newcastle case, where the attackers enter the system and moved around it for some time preparing their eventual attack. Universities currently certainly manage their access account systems more effectively than before, but perhaps not enough. They also rigorously keep data backups. But backups do not necessarily get the operating system running again if it is damaged. The experience of many victims who have not paid the ransom is that they had to effectively pay for an entirely new IT system plus additional protection.

Should, then, victims ever pay ransom money to hackers?

Paying the ransom is not only frowned upon by policing agencies, but it is morally wrong and also feeds crime, thus encouraging criminals. Plus, there is not always the guarantee of a full return of data, despite assurances. But victims often face two dilemmas (in fact another double jeapoardy perhaps) the first is that paying the ransom can generally be much cheaper than not paying and having to reconstruct the entire system. The second dilemma is that the decision may be out of their hands as cyber-insurance companies often insist on paying and may even employ their own negotiators. With the knock-on effect that ransomware payments have risen.

The truth is that Universities, are not unique, like nearly all modern organisations which rely upon IT to operate, they regularly experience cyberattacks – to the point that university IT security staff are known to joke that DDoS attacks predictably increase during exam times. But the sobering fact of the modern age is that we are generally witnessing an increase in both the prevalence and also the enormity of cyberattacks via ransomware. In fact, any organisation that depends upon its IT systems to operate is vulnerable. In many ways the Newcastle Universities were simply unlucky in the lottery of cybervictimisation, however, they also have qualities, such as their openness, by nature of their constitution that leave them vulnerable.

The lesson from this and other recent ransomware attacks is to treat security like an arms race. Which means that security resources have to be applied, employing more staff who have uptodate skills in the field as the relevant IT skills sets change rapidly as the criminals become more skilled and practiced themselves. Any response has to be one step ahead of the continually shifting attack space, not alongside it.

The lesson from this and other recent ransomware attacks is to treat security like an arms race. Which means that security resources have to be applied, employing more staff who have uptodate skills in the field as the relevant IT skills sets change rapidly as the criminals become more skilled and practiced themselves. Any response has to be one step ahead of the continually shifting attack space, not alongside it.

Originally published as Wall, D.S. (2020) ‘Double Jeapoardy: Are Universities becoming the New Target for Cybercriminals and Spies?’, Computing, 11 Sept, (n.b. requires login) (this version contains additional information and links)

How cities can fight back against ransomware attacks

During the past year, ransomware gangs have shifted their focus towards cities and councils.

These attacks have quickly become commonplace. US cities, in particular, have regularly been subjected to ransomware, disrupting their operations on a massive scale.

Elsewhere, an attack on Redcar council in North Yorkshire affected 135,000 people and reminded the UK as to how devastating ransomware attacks on city service providers can be.

Restoring services after ransomware attacks is always financially and reputationally expensive because of the cost of downtime during recovery, calculated to be about $10,000 per day. This is the case even when restoring backup systems or decrypting following payment of the ransom, because flaws in the malware often mean that data is not always returned in its previous state and requires further work. The City of Baltimore estimated that its 2019 attack cost $18.2 million.

Cities under siege

Our research on ransomware attacks against organisations has found that their scale and intensity escalated since the last quarter of 2018. In addition, there has been a dramatic increase in attacks on entities that provide services to or manage organisations, like cities. These entities are known as multiple service deliverers.

The following graph shows the rise in the number of attacks against multiple service deliverers, like cities, as compared with single service deliverers, such as a specific department or business.

Year quarter by number of attacks, based upon open source data and 690 cases (affecting about 7000 organisations) David Wall, CC BY-ND

This raises important questions about how cities and municipalities and the services provided by them can fight back against hackers.

My colleague, Lena Connolly, and I found that organisations need to continually improve their security game and be as adaptive as the criminals when responding to attacks. We developed a classification of response tools that organisations must implement in order to respond to crypto-ransomware effectively. We then identified key groups of employees such as front-line managers and senior management who must take an active role in ensuring the organisation is prepared for cyber-attacks.

Practical approaches to defence against ransomware can be taken. These include regularly keeping different formats of backup data in different places, alongside a data restoration plan, and having good ransomware malware protection in place.

Cities should also encourage good cybersecurity hygiene practices by staff. This includes training against social engineering attacks like phishing, which rely on psychological manipulation. We found cybersecurity measures often focused on technical issues and neglected these social aspects.

Fighting back

Other, less formulaic ways of fighting back against ransomware are also being adopted. One option is taking legal action against ransomware facilitators.

In a recent development, the MAZE group and other ransomware groups have begun carrying out attacks by stealing data, then encrypting the computer system and naming and shaming victims on their public websites. The groups then threaten to publish data on the website if payment deadlines are not met. The City of Pensacola in Florida, for example, was hit by a MAZE ransomware attack and a ransom demand of $1 million in December 2019. Some of their data was later released after non-payment.

Pensacola in the US has been the victim of a MAZE ransomware attack. Bobby R Lee/Shutterstock

The response of US company Southwire provides an example for cities facing these attacks. Southwire was a victim of MAZE ransomware and was named on the group’s website. The company took out a US civil injunction against the hosting web provider in the Irish Republic which named the hoster (and shamed them). This led to the offending website being taken down, although it reappeared a few days later on a different web host – which, at the time of writing, no longer appears to be accessible. The action bought some breathing space and also sent a symbolic message to web hosters to act responsibly.

Other positive news is that cybersecurity research is using artificial intelligence to identify and mitigate ransomware attacks as they happen. Darktrace, for example, is one of a number of firms using AI against ransomware.

On the other hand, obstacles to fighting ransomware remain that need to be resolved quickly. In the US, there is confusion over funding measures against ransomware as it falls between federal and state authorities.

In the UK, the problem of reporting serious ransomware attacks is exacerbated because they are in effect two separate crimes, the “ransom” which is an economic crime and the “ware” (malicious software) which is a computer misuse crime. They therefore fall under the responsibilities of different policing agencies.

Prevention is the main order of the day. A number of cities and organisations have so far managed to remain safe or mitigate the impact of attacks. These cases appear to have had robust business continuity plans which combined tried and tested social and technical measures.

New paper: A Roadmap for Improving the Impact of Anti-Ransomware Research

A new paper on anti-ransomware research from the team at the University of Kent is now published:

Jamie Pont, Osama Abu Oun, Calvin Brierley, Budi Arief, Julio Hernandez-Castro, “A Roadmap for Improving the Impact of Anti-Ransomware Research”, In: A. Askarov, R. Hansen, W. Rafnsson (eds) Secure IT Systems, NordSec 2019, Lecture Notes in Computer Science, vol 11875, Springer, Cham, pp. 137-154, 2019.

The pdf of the paper (authors’ manuscript) is available at

The full proceedings of the conference can be downloaded for free within the next four weeks from the conference website:

Is ransomware driving up the price of Bitcoin?

By Jareth, EMISOFT Blog

(n.b.) Ed Cartwright and David Wall are cited in the following article.

Cybercriminals may be partially responsible for driving up the price of Bitcoin. It’s no secret that Bitcoin and other cryptocurrencies have had an enabling effect on cybercrime. Now, we believe the inverse may also be true – that cybercrime, and ransomware in particular, is helping stimulate the cryptocurrency economy and inflating the value of Bitcoin. Bitcoin: a key part of the ransomware model Bitcoin has proven to be a tempestuous creature, climbing to an all-time high value of almost $20,000 in December 2017, dropping to below $3,500 in January 2019 and bouncing back to around the $10,000 mark today. While there are many factors behind these extreme fluctuations, we believe ransomware may be fueling the growth of Bitcoin. Ransomware is a type of malware that encrypts a victim’s files. To regain access to the files, the victim has to pay a ransom, the cost of which can range from a few hundred dollars for home users, to hundreds of thousands of dollars for major corporations and public entities. The ransom is usually paid in cryptocurrency, and that cryptocurrency is usually Bitcoin. Bitcoin accounted for about 98 percent of ransomware payments made in the first quarter of 2019, according to figures from ransomware recovery specialists Coveware. As a result, Bitcoin has become an inextricable part of the ransomware model. . . . cont . . .

Please click here for the full article

Ransomware attacks on cities are rising – authorities must stop paying out

Ransomware attacks on cities are rising – authorities must stop paying out


David S. Wall, University of Leeds

A ransomware campaign that targeted 23 US cities across Texas has raised serious concerns about the vulnerability of local governments and public services to cyber-attacks. These events come not long after similar attacks on governmental and business organisations in Indiana, Florida and elsewhere. They reflect a general shift in ransomware tactics from “spray and pray” attacks on large numbers of individual consumers, to “big game hunting”, which targets organisations, usually through people in positions of power.

A recent report from cyber-security firm Malwarebytes found a 363% increase in ransomware detections against businesses and organisations (as opposed to individuals) from 2018 to 2019. Put simply, cyber-criminals see an opportunity to extort far more money from organisations than individuals. Although the majority of ransomware attacks were found to occur in the US, local governments around the world are equally vulnerable.

Ransomware usually spreads via phishing emails or links to infected websites, relying on human error to gain access to systems. As its name suggests, ransomware is designed to block access to data, systems or services until a ransom is paid. At a technical level, cities tend to be fairly easy targets because they often have bespoke operating systems, with parts that are old and out-of-date, as well as ineffective back-up measures.

Cities also tend to lack system-wide security policies, so if cyber-criminals gain entry through one system, they can then access others and wreak havoc by freezing essential data and preventing the delivery of services. But even if organisations have improved their technical security, my research with my colleague Lena Connolly has found that few put equal emphasis on training employees to identify and resist attacks.

Target acquired

Employees in many small and medium-sized organisations, like local governments, often do not recognise their organisation’s true commercial value to criminals, and commonly think they are unlikely to be targeted. As a result, they might also develop bad habits – such as using work systems for personal reasons – which can increase vulnerability.

Offenders will do their homework before launching an attack, in order to create the most severe disruption they possibly can. After all, the greater the pressure to pay the ransom, the higher they can set the tariff.

Held to ransom. Shutterstock.

Attackers identify key individuals to target and seek out vulnerabilities such as computers which have been left switched on outside of working hours, or have not been updated. Once they’ve worked out who to target, cyber-criminals deploy “social engineering” techniques, such as phishing, which psychologically manipulate victims into opening an email attachment or clicking on a link, which allows the ransomware programme into the organisation’s operating system.

To pay or not to pay?

Whether or not to pay the ransom is not a straightforward decision for city authorities with vital public services on the line. Most policing agencies instruct victims not to pay, but as Mayor Stephen Witt of Lake City, Florida, put it after his ward was targeted:

With your heart, you really don’t want to pay these guys. But, dollars and cents, representing the citizens, that was the right thing to do.

Another problem is that ransomware is not always deployed to extort money – so paying the ransom doesn’t guarantee that data will be restored. Attackers can have varying motives, skills and resources – working out their motive (often with very little information) is therefore crucial.

Rather than simply making money using ransomware, some cyber-criminals might seek to disable market competitors who provide competing goods or services. Or, they may use the attacks for political gain, to reduce public confidence in a local government’s ability to deliver essential services. In such cases, the data is unlikely ever to be restored, even if the ransom is paid.

Seeking cover

Many cities are insured against attacks, and insurers often pay the ransom to retrieve stolen data – sometimes employing third party negotiators, against national advice. Ironically, the knowledge that cyber-criminals are likely to get paid justifies the time they spend researching their target’s weaknesses, and leaves the door open for repeat attacks. This was one of the reasons why cyber-criminals changed tactics and started targeting organisations in the first place.

This leaves city authorities a difficult choice, between paying to restore essential data and services (and encouraging cybercriminals) or admitting their systems have been compromised and facing up to social and political backlash. Even so, there are some measures city authorities can take to protect themselves, and their citizens, from ransomware.

Today, authorities need to assume that it’s a matter of when – not if – an attack will happen. They should install back up systems for protected data that have the capacity to replace infected operating systems and databases if need be. For example, in the UK, research found that 27% of local government organisations were targets of ransomware in 2017. Yet 70% of their 430 respondents had backup systems in place, in preparation for the EU’s General Data Protection Regulation (GDPR), and could therefore recover from a ransomware attack much faster than their counterparts in the US.

Local authorities need to separate their data systems where possible and install appropriate levels of security. They also need to train employees about the nature of the threat and the impacts of their own actions when working within the organisation’s systems. They should also be aware of international schemes to prevent and mitigate ransomware (such as – which provide advice and publish the keys to some ransomware online.

Public organisations must be able to think quickly and adapt to these new security threats – especially since cyber-criminals are always coming up with new techniques. Local governments need to be prepared to simultaneously prevent cyber-attacks, mitigate their effects when they do happen and bring cyber-criminals to justice.

David S. Wall, Professor of Criminology, University of Leeds

This article is republished from The Conversation under a Creative Commons license. Read the original article.