Held to cyber ransom

Ransomware is one of the most keenly recognised threats in the cyber security landscape.

Figures from SonicWall suggest there were 638 million related attacks in 2016, a 167-fold increase on the 3.8 million seen in the previous year which was only mildly up from 3.2 million in 2014.

But while it is getting a lot of attention following the WannaCry and NotPetya incidents of 2017, ransomware itself is far from a new threat.

In 1989, a physical worldwide mailing of 20,000 floppy disks claimed to contain a database about the AIDS virus. It was not called ransomware at the time, but the principle was very much the same.

Ironically, it is not only the threat that is old – so too are the three basic safeguards that can help defend against ransomware attacks.

Just as the ABC is the starting point for learning to read, these measures – Anti-malware, Back-up and Critical patching – ought to be the starting point of cyber security.

The AIDS Trojan mentioned above was distributed in a pre-web age, when financial transactions were conducted in the physical world and monetising such an attack was almost impossible.

By contrast, today’s environment offers plenty of scope for people to launch attacks, collect the money and get away with it.

Therefore, it is unsurprising that the scale of ransomware today far surpasses earlier attempts to extort money using computers.

The re-emergence of ransomware began in the mid-2000s and the Government’s Cyber Security Breaches Survey 2017 indicated that 17 per cent of respondent organisations had experienced ransomware in the prior 12 months, making it the fourth most frequently encountered type of identified breach.

Of course, the reason that ransomware has grown is because it has proven effective and victims are often willing to pay in the hope of getting their data back. Unfortunately, whether they actually get it is sometimes another matter.

Perhaps unsurprisingly, the standard advice is not to pay anyway, because it serves to reward the attackers and encourages the growth of the problem.

That was evidenced, for example, by the case of Kansas Heart Hospital, which paid up only to find the cyber-criminals returning with a further demand.

However, attackers can be virtually assured that some proportion of victims will pay and even a small percentage will be enough for the economics to work in their favour.

The ABC of ransomware protection

  • Anti-malware: This is the direct defence against ransomware if it arrives on a target system. The protection may not be perfect and its effectiveness will depend upon signatures and other detection techniques having been kept up to date.
  • Back-up: Back-ups have a key role to play if the master copy of the data is encrypted (or indeed lost or damaged). Again, simply ticking the box that back-ups are taken is not a panacea; consideration also needs to be given to how and where they are stored.
  • Critical patching: Much of the opportunity for ransomware has come from systems that have not been updated to run the latest versions of operating systems and other key software. Timely application of security-related patches and migrating away from platforms no longer supported is therefore another important step in reducing the opportunity to fall victim.

In May 2017, there was a massive global incident as a result of the WannaCry ransomware, which caused a major outage that affected thousands of NHS systems.

Reports suggested it infected 200,000 computers across 150 countries, linked to a vulnerability first publicised by Microsoft two months previously.

The sad fact is that there is nothing new here and the core advice that would have safeguarded the systems has all been offered many times before.

The fact that unpatched systems are vulnerable to exploitation is very well known and so perhaps the only thing that would not have been predicted was the scale of the vulnerability and the impacts that would result.

Towards the end of June 2017, we saw reports of a new wave of attacks.

On the face of it, NotPetya seemed like yet another ransomware attack, with the attackers demanding £300 in bitcoins for the key to decrypt data.

However, unlike WannaCry, it was not possible for the attackers to decrypt the victim’s disks, even if the ransom demand was met.

With such incidents offering no prospect of even paying to recover data, it is of even greater importance that the basics of preventative protection – the ABC list – are rigorously followed.

Ransomware bucks the trend by being obvious, whereas most other malware is now deliberately unobtrusive. With a different type of attack, there might be no form of ‘heads-up’ at all, so if systems are unpatched they will be wide open and you will not know it.

For all the hype and even investment that surrounds cyber-security, what hit people with WannaCry in particular was a lack of updating and not having back-ups.

However, it was at least based on a known vulnerability, which gave potential victims the opportunity to have patched their systems – future incidents may not offer this luxury.

The Cyber Security Breaches Survey concluded that “the prevalence of ransomware in particular has heightened awareness and made cyber-security a more urgent issue for a wider range of businesses”.

In that sense, it is potentially the trigger for action that organisations have otherwise been neglecting or underprioritising.

However, it is unfortunate that we continue to need such wake-up calls in order to address protection matters that ought now to be standard and routine.
