Social engineering is the exploitation of human error to deceive end users. Ransomware is a type of malware (malicious software) often used in social engineering attacks. When attacked with ransomware, businesses are literally held for ransom while being denied the ability to carry out their usual business operations.
The UK Government has recently released its Cyber Security Breaches Survey 2017 (PDF) revealing that all sectors and sizes of businesses are being affected by cybercrime, causing significant damage to their finances and reputation. The use of ransomware combined with social engineering has increased significantly over the last few years, although the first cases emerged as long ago as the late 1980s and early 1990s.
As its name suggests, this type of malware demands that the target pays a ransom to “unlock” their computers and other devices once they have been taken over by an attacker. Early variants, such as GPCode and Archiveus, used unsophisticated and primitive forms of encryption. Their aim was to lock users’ computers until a ransom was paid, after which the unlock code (key) would be provided. However, these keys could be easily cracked, and any well-run anti-malware product or skilled IT technician could successfully remove the infection.
This changed significantly in 2013 with the release of the “CryptoLocker” variant. It is often delivered via malicious links embedded in email messages, and it encrypts files with a strong, unbreakable encryption. It acts like its forerunners in type but not functionality, with the key to decrypt the seized files kept on remote servers controlled by the attackers. After the business’s data has been taken, a message is displayed on affected devices requesting a ransom payment. This ransom can typically only be paid with Bitcoin (an online-only currency), a MoneyPak voucher to be sent abroad, or another method that is difficult to trace.
How does ransomware infect its targets?
As already explained, ransomware damages or destroys computer files, causing loss of business for organisations whilst compromising their information systems. The following are common methods of infection:
- A malicious link in an email attachment, social media message, or text message;
- A pay-per-install income attack, where computers that have already been compromised and are part of a group of infected computers (a Botnet) under the control of criminals (Botmasters-kingpins) are infected with additional malware. In such cases, Botherders, the criminals who look for security vulnerabilities within software, are paid to find these opportunities. This method is based on revenue-sharing and commission where the Botherders use the Botmasters’ resources to infect computers and systems;
- Drive-by downloads, where malware is installed through the user visiting a compromised website.
Ransomware is particularly hard to track down because many businesses do not immediately realise that they are victims of crime and additionally are unwilling to report it to the authorities. Many prefer to keep quiet and pay up, motivated by the wish to preserve reputation and maintain client confidence in their abilities.
Why are non-profit firms in danger?
Ransomware has become a global cybercrime issue with a high number of targets and victims. No business is exempt from this type of attack. Sector and size are not mitigating factors because attackers are usually purely motivated by money. Organised crime gangs often with an international reach lie behind many attacks and have the single aim of making money. If they can gain access to a system, they can exploit it using ransomware with the minimum of effort for financial profit.
Of the 155,000 non-profits registered in the UK, 73% have an annual income of under £100,000. Of these, just under 40% have an annual income of less than £10,000. Faced with this low level of funding, many simply do not have the time or financial resources to keep up-to-date with the latest cyber-security advice, wipe the hard drives of donated equipment, or in some cases even run background checks on volunteers or temporary staff.
The UK Comic Relief non-profit, for example, was a target in October 2016 in an attack that forced the charity to take some of their systems off-line for several days while they remedied the situation by restoring backups and installing new security measures.
Hospitals and universities have also recently been targeted by ransomware attacks. Out-law.com reported in February this year that 88 out of 260 health trusts in England, Scotland and Wales had experienced a ransomware attack. NHS trusts are a prized target because of the value of their data; hospitals need constant access to their patients’ records so will need to pay up or risk harming patients’ health.
What can be done?
The best defence is prevention. There are many layers of protective measures that will help to make an attack harder and reduce its impact. The second-best defence is to have response plans in place in order to react effectively without delay.
In terms of prevention, routine and simple technical controls will make it significantly harder for attackers to succeed. We outline our recommendations for best practice at the end of this article.
In terms of response plans, a workable and regularly tested incident management and response plan is also critical. Taking simple steps such as disconnecting devices from the network can often prevent more damage being done. These plans should also include a strategy to manage communications with the media and customers in the event of an attack.
The Charity Commission has in recent years consolidated its role as regulator to ensure non-profits have sufficient policies in place which are effectively communicated to and understood by staff and trustees. Given the constraints of time and money, however, producing, implementing, and updating these can place a substantial burden on non-profits that may be perceived as less important than the organisation’s core work.
The ICO also issued guidance in December 2016, noting that in the case of an attack resulting in a data loss, the ICO’s investigators would need to decide whether appropriate measures had been in place that could have prevented the attack from succeeding. They also signpost organisations to other resources such as the Government’s Cyber Essentials accreditation scheme and guidance from the National Cyber Security Centre.
There is no obligation under current Data Protection regulations to notify the ICO of an attack. This situation will, however, change in May 2018 when the new General Data Protection Regulations are introduced. After this, non-profits and other organisations will have 72 hours within which to notify the ICO of breaches. Failure to do so is likely to result in financial penalties and condemnation. The ICO is widely expected to impose more lenient penalties on organisations that can demonstrate they had plans in place. It is therefore crucial to take steps now to introduce simple cybersecurity measures and put plans in place and test them well ahead of time.
For organisations with larger budgets, there are many security products on the market. These solutions are costly as they provide off-site backups in three different geographical locations. Kaspersky provides a reputable anti-virus software that ranked as one of the best solutions. Staff should be trained and tested by a contractor for a social engineering test, with companies such as Rapid7 or LIFARS.
Conclusions and Recommendations
The increasing prevalence of ransomware cyber attacks has heightened awareness and made cyber security a more urgent issue for a wider range of businesses. The impact is particularly severe because of their ability to affect multiple devices silently and speedily. Even with backups available, the clean-up operation takes time and has an associated cost. Even where protective measures are in place, the time spent restoring data and devices is a financial loss to the business.
In conclusion, we recommend organisations act in a timely manner to respond effectively to the threat of ransomware and to address the risks to the organisation. We recommend the following minimum technical measures:
- Up-to-date antivirus software should be installed across all endpoints (devices with network or internet access). In addition, a multi-faceted security solution that provides heuristics, firewalls, and advanced behavioural-based threat prevention in a set of protection rules should be used. In addition, Data Leakage Prevention (DLP) and anomaly detection should be established.
- Applying an extensive global patch management system in which all desktop clients are completely patched.
- Regular and off-site backup of data.
- Providing training and awareness programmes for employees and restricting administrative rights. Consider developing an incentive policy to encourage people to report anomalies and behave responsibly.
About the Authors:
Reza Alavi has been working in various IT positions in the last 15 years and currently working as an information Security Consultant, helping his clients to become more effective and efficient typically through the strategic of information systems, risk management and security governance. Previously, Reza was working for a number of business consultancy firms which specialise in wide range of consultancy services such as information and IT security, risk management, business continuity, security governance and strategy in the Middle East.
Juliet Flavell formerly worked in the high pressure environment of IT project management and service provision within the legal sector. In 2016 she became accredited as a Chartered IT Professional and currently runs a technology non-profit organisation.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.