Posts Tagged :

ransomware

Who is behind the latest wave of UK ransomware attacks?

960 630 Stuart O'Brien

Ransomware attacks in the UK hit record levels last year, according to data by the Information Commissioner’s Office. These attacks potentially exposed the private information of over 5.3 million individuals across more than 700 organisations.

Unfortunately, this concerning trend has continued into this year, with prominent companies and public bodies falling victim to ransomware attacks in the UK including the Royal Mail, Capita, and the Barts Health NHS trust.

Just last month, the Police Service of Northern Ireland faced a significant data breach when the surnames and initials of 10,000 police employees were accidentally disclosed in response to a Freedom of Information request.

On Thursday, Greater Manchester Police became the latest target of a ransomware attack. The breach means thousands of police officers’ names, photos, and serial numbers are at risk of becoming public knowledge. While the names of many officers are publicly available, there is particular concern regarding the identities of undercover officers.

Ian Reynolds, Director and cybersecurity expert at SecureTeam, clears up the jargon and explains how businesses can prevent and respond to ransomware attacks…

What is a ransomware attack?

Ransomware is malicious software that infiltrates an organisation’s computer network, commonly gaining entry through a phishing attack. In this type of attack, victims are tricked – often via deceptive emails or downloadable files – into downloading malware. Cybercriminals may also exploit vulnerabilities within operating systems or software applications.

Once inside the network, the malware proceeds to encrypt the data on the affected computers, effectively locking the files and rendering them inaccessible.

The cybercriminals will then offer an ultimatum: pay a ransom, usually in cryptocurrency, in exchange for a decryption tool or key. This decryption tool is the only means by which the victim can regain access to their data. The ransom demand, usually delivered through a pop-up message or a text file, may be accompanied by threats and intimidation intended to coerce the victim into making the payment quicker.

According to the Information Commissioner’s Office (ICO), 706 ransomware incidents were reported in 2022, an increase from 694 reported in 2021.

Have police forces been targeted deliberately?

Ransomware attacks are prevalent across the public and private sectors, indiscriminately targeting businesses and organisations of all sizes. According to the Information Commissioner’s Office, the retail and manufacturing industry is more vulnerable than any other UK sector to ransomware attacks, with 14% of all reported attacks.

However, this incident serves as a stark reminder that organisations, particularly those where staff details can be extra sensitive, need to be careful in vetting third-party suppliers who handle their data. People need to consider that sensitive data can be exposed whether it’s in an attack on a harmless-seeming supplier.

Who is behind the attacks?

There are numerous criminal gangs actively engaged in ransomware activities; the majority of ransomware groups are associated with regions in Eastern Europe, former Soviet republics, and notably, Russia.

Earlier this year, several prominent organisations, including British Airways, the BBC, and Boots, fell victim to an attack orchestrated by the Clop group, based in Russia. These global threats highlight the need for international bodies to address cybersecurity

Is it legal to pay a ransomware group?

Paying ransomware gangs is heavily frowned upon by UK authorities. Last year, the Information Commissioner’s Office and the National Cyber Security Centre both clarified that they did “not encourage” the payment of ransoms. Nonetheless, UK firms are making payments. The average ransomware payment by UK organisations is higher than the global average, at £1.7m.

Paying ransomware attackers does not guarantee that a company will get their data back. There have been several cases where businesses have paid a ransom and still not received their data back. In July 2021, the Travelex currency exchange company paid a £4.6 million ransom to the LockBit ransomware group but did not recover its data, significantly reducing its share price, and eventually leading to the company’s forced administration.

Do the police forces face punishment from the data regulator?

The ICO has launched an investigation into whether Greater Manchester Police (GMP) selected their third-party supplier properly and carried out a proper contracting process.

The third-party supplier in question, Digital ID, will also be scrutinised. Digital ID manufactures identity cards and lanyards for various UK organisations including several NHS trusts and universities. The investigation will likely assess Digital ID’s handling of sensitive data and adherence to GDPR. However, it’s worth noting that the ICO said last year it was planning to reduce the use of fines on public sector organisations for GDPR breaches.

How can businesses protect themselves from ransomware attacks? 

Businesses can protect themselves by using strong passwords, enabling two-factor authentication, and keeping their software up to date. They may also want to consider implementing a mobile device management (MDM) solution to help them manage and secure remote workers’ devices. Secure cloud storage ensures data accessibility and protection.

Sensitive data should always be encrypted for secure communication, both in emails and websites using SSL. Local-drive encryption prevents unauthorised access in case of device loss or theft, making it much more difficult for hackers to access company data.

The best way to protect workers from cyberattacks is to make sure they are aware of the risks and how to protect themselves. Educating employees on the dangers of phishing emails will prevent them from occurring.

My system has been infiltrated by a ransomware attack, how should I respond? 

  • Isolate the infection: Disconnect the compromised computer from the network immediately to prevent further spread. Disable Wi-Fi and unplug network cables to ensure the isolation is effective.
  • Alert relevant parties: Your IT team must be notified, as must the incident response team, senior management, and, if relevant, the legal counsel. Contact your local police force and report the ransomware incident.
  • Consider bringing in a cybersecurity expert: Engaging a cybersecurity expert will likely help you avoid more significant issues later on.
  • Do NOT pay the ransom: Remember, paying does not guarantee that you will receive your data back.

Image by Pete Linforth from Pixabay

Paying a ransom ‘doubles stolen data recovery costs’

960 630 Stuart O'Brien

76% of ransomware attacks against organisations resulted in adversaries succeeding in encrypting data – and when a ransom is paid to get data decrypted, victims end up doubling their recovery costs ($750,000 in recovery costs versus $375,000 for organisations that used backups to get data back).

That’s according to the latest annual State of Ransomware 2023 report from IT security specialist Sophos, which has revealed the highest rate of data encryption from ransomware since it started publishing the data in 2020.

Moreover, paying the ransom usually means longer recovery times, with 45% of those organisations that used backups recovering within a week, compared to 39% of those that paid the ransom.

Overall, 66% of the organisations surveyed were attacked by ransomware—the same percentage as the previous year. This suggests that the rate of ransomware attacks has remained steady, despite any perceived reduction in attacks.

“Rates of encryption have returned to very high levels after a temporary dip during the pandemic, which is certainly concerning. Ransomware crews have been refining their methodologies of attack and accelerating their attacks to reduce the time for defenders to disrupt their schemes,” said Chester Wisniewski, field CTO, Sophos.

“Incident costs rise significantly when ransoms are paid. Most victims will not be able to recover all their files by simply buying the encryption keys; they must rebuild and recover from backups as well. Paying ransoms not only enriches criminals, but it also slows incident response and adds cost to an already devastatingly expensive situation,” said Wisniewski.

When analysing the root cause of ransomware attacks, the most common was an exploited vulnerability (involved in 36% of cases), followed by compromised credentials (involved in 29% of cases). This is in line with recent, in-the-field incident response findings from Sophos’ 2023 Active Adversary Report for Business Leaders.

Additional key findings from the report include:

  • In 30% of cases where data was encrypted, data was also stolen, suggesting this “double dip” method (data encryption and data exfiltration) is becoming commonplace
  • The education sector reported the highest level of ransomware attacks, with 79% of higher education organizations surveyed and 80% of lower education organizations surveyed reporting that they were victims of ransomware
  • Overall, 46% of organizations surveyed that had their data encrypted paid the ransom. However, larger organizations were far more likely to pay. In fact, more than half of businesses with revenue of $500 million or more paid the ransom, with the highest rate reported by those with revenue over $5 billion. This could partially be due to the fact that larger companies are more likely to have a standalone cyber insurance policy that covers ransom payments

“With two thirds of organizations reporting that they have been victimized by ransomware criminals for the second year in a row, we’ve likely reached a plateau. The key to lowering this number is to work to aggressively lower both time to detect and time to respond. Human-led threat hunting is very effective at stopping these criminals in their tracks, but alerts must be investigated, and criminals evicted from systems in hours and days, not weeks and months. Experienced analysts can recognize the patterns of an active intrusion in minutes and spring into action. This is likely the difference between the third who stay safe and the two thirds who do not. Organizations must be on alert 24×7 to mount an effective defense these days,” said Wisniewski.

Data for the State of Ransomware 2023 report comes from a vendor-agnostic survey of 3,000 cybersecurity/IT leaders conducted between January and March 2023. Respondents were based in 14 countries across the Americas, EMEA and Asia Pacific. Organizations surveyed had between 100 and 5,000 employees, and revenue ranged from less than $10 million to more than $5 billion.

Financial, retail, healthcare and manufacturing suffer revenue losses following ransomware attacks

960 630 Stuart O'Brien

More than half of organisations have been the victim of a ransomware attack – In the UK specifically, 305 companies were contacted and 84% of businesses that chose to pay a ransom demand suffered a second ransomware attack, often at the hands of the same threat actor group (53%).

The research, conducted by Cybereason, also divulged that of the organisations in the UK who opted to pay a ransom demand to regain access to their encrypted systems, 43% reported that some or all of the data was corrupted during the recovery process.

These findings underscore why it does not pay to pay ransomware attackers, and that organisations should focus on early detection and prevention strategies to end ransomware attacks at the earliest stages before critical systems and data are put in jeopardy.

Key findings (UK-specific) in the research include:

  • Loss of Business: 47 percent of organisations reported significant loss of business following a ransomware attack. Of these individuals, 61% admitted to losing revenue.
  • Ransom Demands Increasing: 51percent of businesses that paid a ransom demand shelled out between £250,000 – £1 million, while 4 percent paid ransoms exceeding £1 million.
  • Brand and Reputation Damage: 63percent of organisations who admitted to losing business indicated that their brand and reputation were damaged as a result of a successful attack
  • C-Level Talent Loss: 45 percent of organisations who admitted to losing business reported losing C-Level talent as a direct result of ransomware attacks
  • Employee Layoffs: 31 percent of those who admitted to losing business reported being forced to layoff employees due to financial pressures following a ransomware attack
  • Business Closures: A startling 34 percent of organisations who admitted to losing business reported that a ransomware attack forced the business to close down operations entirely

Other key findings included in the full report reveal the extent to which losses to the business may be covered by cyber insurance, how prepared organisations are to address ransomware threats to the business with regard to adequate security policies and staffing, and more granular information on the impact of ransomware attacks by region, company size and industry vertical. In addition, the report provides actionable data on the types of security solutions organisations had in place prior to an attack, as well as which solutions were most often implemented by organisations after they experienced a ransomware attack.

“Ransomware attacks are a major concern for organisations across the globe, often causing massive business disruptions including the loss of income and valuable human resources as a direct result. In the case of the recent Colonial Pipeline ransomware attack, disruptions were felt up and down the East Coast of the United States and negatively impacted other businesses who are dependent on Colonial’s operations,” said Chief Executive Officer and Co-founder of Cybereason, Lior Div.

“Paying a ransom demand does not guarantee a successful recovery, does not prevent the attackers from hitting the victim organisation again, and in the end only exacerbates the problem by encouraging more attacks. Getting in front of the threat by adopting a prevention-first strategy for early detection will allow organisations to stop disruptive ransomware before they can hurt the business.”

Biggest ransomware attack in history cripples NHS

960 428 Stuart O'Brien

The Government and NHS bosses have been called upon to answer questions as to how hospitals were allowed to become victims of a global cyber attack that took down services and caused chaos during the weekend.

Hackers demanding a ransom managed to infiltrate the NHS’ computer systems, forcing operations and appointments to be cancelled, as over 40 hospital trusts became the victims of a ransomware attack, demanding payment to regain access to patient medical records.

Mikko Hypponen, chief research officer at the Helsinki-based cybersecurity company F-Secure, called the attack “the biggest ransomware outbreak in history,” with over 57,000 infections in 99 countries.

The NHS has said that at this point there is no evidence to suggest that the hackers had managed to access patient records.

It is thought that a computer hacking group, going under the name ‘Shadow Brokers’, was partly responsible for the attack after it leaked a hacking tool called ‘Eternal Blue’ online in April, developed by the US National Security Agency (NSA) as a weapon to gain access to computers used by terrorists. Other online criminals are thought to have picked up the information online and modified it for their own monetary gains.

Experts have questioned why the health service hadn’t updated its security effectively to prevent the ransomeware from taking hold, with suggestions that 90% of NHS trusts in the UK were using Windows XP, an operating system over 16 years old. Computers using operating software introduced before 2007 were particularly vulnerable. Other computers using newer systems may have failed to apply recent security updates which would have offered better protection.
Writing on his blog, Brad Smith, chief legal officer at Microsoft, said that Governments across the world should treat the attack as a “wake-up call” and feel a “renewed determination for more urgent collective action.” Microsoft had provided free software to protect computers back in March and would be pushing out automatic Windows updates to defend clients from WannaCry ransomware.

“As cybercriminals become more sophisticated, there is simply no way for customers to protect themselves against threats unless they update their systems,” Smith said. “Otherwise they’re literally fighting the problems of the present with tools from the past.

“We need the tech sector, customers, and governments to work together to protect against cybersecurity attacks. More action is needed, and it’s needed now.”

Shadow health secretary Jonathan Ashworth said the attack was “terrible news and a real worry for patients” and urged the Government to be “clear about what’s happened.”

The Prime Minister said: “We are aware that a number of NHS organisations have reported that they have suffered from a ransomware attack. This is not targeted at the NHS, it’s an international attack and a number of countries and organisations have been affected.

“The National Cyber Security Centre is working closely with NHS digital to ensure that they support the organisations concerned and that they protect patient safety. And, we are not aware of any evidence that patient data has been compromised.”

WannaCry, also known as Wanna Decryptor, demands each user affected pay $300 in the internet currency Bitcoin to release and restore files. Thousands of computers across the NHS have been affected, potentially costing taxpayers millions of pounds.

Ransomware risk to businesses ‘significant and growing’, says the NCA

960 640 Stuart O'Brien

A joint report by the National Crime Agency (NCA) and National Cyber Security Centre (NSCC) has declared that the risk to businesses from ransomware is “significant and growing” as criminals find new ways to target companies and individuals for money.

Ransomware is a computer malware that installs covertly on a victim’s device that either holds the victims data hostage, or threatens to publish the victims data until a ransom is paid. Smartphones, watches, televisions and fitness trackers could all be targeted by criminals, along with any other device containing personal data such as photos.

The report warns that the rise in devices connecting to the internet meant more opportunities for criminals, with cyber crime becoming more aggressive. Many of these devices have limited, if at all, security built in.

“Ransomware on connected watches, fitness trackers and TVs will present a challenge to manufacturers, and it is not yet known whether customer support will extend to assisting with unlocking devices and providing advice on whether to pay a ransom.”

There are also major concerns regarding sophisticated criminal activity using such high-tech tools against financial institutions, plus basic software that can be downloaded to carry out similar attacks on the general public and smaller businesses.

The chief executive of the NSCC, Ciaran Martin, said that cyber attacks would continue to evolve and the publicans private sectors must continue to work at pace to reduce the threat to critical services and deter would-be attackers.

It is estimated that by the year 2020 as many as 21 billion devices will be connected to the internet by businesses and consumers around the world.

www.ncsc.gov.uk