Ransomware: the scale of the threat – and how not to pay

Chris Allen, consultant, lecturer and researcher in organised crime, has seen ransomware explode in this year of the pandemic… and has a sustainable answer to avoid payment

The hideous ‘new normal’ phrase that forced itself into our national consciousness during this year’s you-know-what crisis may have come from a public health context but it is equally applicable in the world of ransomware, where attacks on corporate systems have become a depressing reality of modern life.

In July, Blackbaud – a leading cloud software company contracted to manage the data of at least seven UK universities – was subjected to a ransomware attack, leaving staff and students at York, Oxford Brookes, Loughborough, Leeds, London, Reading, University College Oxford and Exeter unable to access files until a ransom had been paid.

A statement from Blackbaud admitted that the cybercriminal removed a copy of a subset of data from their system, prior to being locked out, adding that they’d not accessed any financial information. They added: “Because protecting our customers’ data is our top priority, we paid the cybercriminal’s demand with confirmation that the copy they removed had been destroyed.”

Just last month, fitness brand Garmin was reported to have paid $10 million via a negotiation company to release its systems from the grip of the Russian ransomware WastedLocker.

Covering the cost

These attacks indicate a new trend towards targeting larger companies which, attackers have deduced, are more likely to pay out significant sums because of their larger turnovers and more complete insurance policies.

In 2017, the WannaCry malware infected more than 230,000 computers across 150 countries, paralysing vast sections of the global economy, including the NHS, through a vulnerability in Windows that allowed the program to sneak into systems providing companies hadn’t installed updates.

Ransomware first emerged in 1989 with the AIDS Trojan; by 2013, a particularly vicious variant named CryptoLocker made $5 million in four months.

There are now more than 50 families of ransomware in circulation, with each new strain increasing in encryption strength.

A report last year by SonicWall suggested that the UK had become the biggest target, experiencing around 13 million attacks a year.

Their latest update, covering the last six months, suggests a slight downturn, with 5.9 million ransomware attacks (-6%), which they attribute to a growing preference of criminals for ransomware as a service (RaaS), as well as open-source malware kits becoming cheaper and more readily available.

The report says: “Globally ransomware continues to be the most concerning threat to corporations and the preferred tool for cybercriminals, increasing a staggering 20%… globally in the first half of 2020.”

One experienced IT professional told SC Media that ransomware is by far the most dangerous threat to high-profile individuals and organisations. He said: “It generally combines with other types of malware. When used to full effect, ransomware can bring entire organisations to their knees, locking data and systems behind impenetrable encryption.”

“Hackers make incredible amounts of money from individuals and organisations by using phishing techniques to install ransomware on unsuspecting PCs and servers.”

How not to pay

The sheer scale of this threat has prompted the cyber security industry, alongside law enforcement, to band together like never before.

The best example of this is the No More Ransom initiative, led by the National High Tech Crime Unit of the Netherlands’ police, Europol’s European Cybercrime Centre, Kaspersky and McAfee. The collaboration aims to help victims retrieve data without paying the criminals.

Launched in 2016, the initiative has helped more than 200,000 victims of ransomware recover their files free of charge in the first three years of operation.

It is now able to decrypt more than 100 different types of ransomware infections, including GandCrab, one of the most aggressive ransomware attacks last year. As a result of the development of a specific toolkit to combat GandCrab, nearly 40,000 people have successfully decrypted their files, saving roughly $50 million in ransom payments.

Aside from checking No More Ransom should your files become encrypted, there are several actions CISOs can take to prevent this:

  • Regularly back up data stored on your computer. Keep at least one copy offline 

  • Do not click on links in unexpected or suspicious emails

  • Only browse and download official versions of software from trusted websites

  • Ensure that your security software and operating system are up to date