Ransomware is a bigger problem now than it has ever been. Generally, in the past, the modus operandi of criminals using ransomware involved them getting into an organisation’s computer network, encrypting its files, then sending their victims a message saying something like, “We’ve encrypted your stuff – pay us a ransom and we’ll give it back.”
Their methods have evolved. Most big public and commercial organisations now have backups of their data. Because of that, cybercriminals are unlikely to get the payday they are looking for if they simply threaten to wipe hard drives unless some form of cryptocurrency transfer is completed. Nowadays, data exfiltration is the biggest problem: rather than encrypting and threatening to delete an institution’s data, malicious actors will threaten to leak it online.
Analysis has shown that over 80 per cent of today’s ransomware attacks now involve this kind of leak threat. It could involve publishing customer data on the dark web: names, addresses, passwords, medical records, credit card details or similar, in a way that irreparably damages a company’s reputation for data stewardship and makes them liable to huge fines from the European Union for breaches of the General Data Protection Regulation. Or cybercriminals could upload an institution’s digitally stored intellectual property, records, accounts, employee lists or other sensitive information in a way that threatens its commercial viability and erodes the trust of customers and investors.
For government departments and organisations such as the NHS, this kind of data leak by online criminals could cause serious political fallout as well as becoming a major headache in the provision of services, eroding people’s trust in the public sector’s ability to keep data safe and secure. The bad guys know and they do their research – they know who to target and what to select to release, because for some companies and institutions data release is more damaging than for others.
Unlike the more basic threats to encrypt and delete data, this kind of ransomware attack can’t be solved simply with backups. This has got a lot worse in the last few years. If 95 per cent of companies have backups then the encrypt and delete attacks can only affect the remaining 5 per cent. This newer threat to publish could destroy far more than 5 per cent of companies.
What’s more, it’s easy to forget that you are dealing with hardened criminals. We need to remember there are sophisticated and organised crime networks behind the messages you’ll see on your screens during an attack. There’s a whole criminal structure and marketplace where you can find people selling access to computer networks rather than carrying out ransomware attacks themselves. Gangs will gain access to a system and then they auction that access on the dark web.
[See also: Labour: Social media bosses should be held criminally liable for harmful content]
This is all part of the phenomenon we’ve seen of people offering ransomware or hacking as a service. It used to be the case that engaging in this kind of activity required real technical ability, a knowledge of networks, coding and a good brain for working your way around complex digital infrastructures. Nowadays you can just go on the dark web and order these services like you would from any other online marketplace. It really is that simple. So the field has been opened up to all sorts of bad actors. You also see some examples of rogue insiders being a problem, with employees selling network access to cybercriminals.
And there’s no honour among thieves: so-called “double-dipping” is common. That means you pay the ransom, they assure you that the threat has been rescinded post-payment, but then six months later they come back to get paid again, announcing that they still have your data and that they plan to leak it once more. Then a ransomware attack becomes the start of long-term extortion. There are also plenty of examples of cybercriminals leaking data even after they’ve been paid.
So how do we counter these threats? A lot of the solutions are about isolating something bad, like ransomware, and ensuring it doesn’t spread through a network. But it’s better not to have the bad thing gain access to any part of your network in the first place. As always, prevention is better than cure, so there’s a balance to be struck between control and protection. A lot of organisations have a lot of eggs in the protection basket: that’s detection tools and tools that detect and isolate bad things. The problem is that those protection tools sometimes only kick in once it’s too late; protection software can have holes and vulnerabilities in it, and it needs to be constantly updated.
Having controls rather than just protections makes you much safer. Controls are preventative and proactive rather than reactive. Controls are hard and fast rules about what can run and what can’t run: stopping software from accessing data; stopping it talking to other applications; stopping it from using command prompts to copy data from elsewhere; stopping applications communicating with each other, or what applications can have access to files or photos or lists. It’s about limiting applications and making sure there are things that are allowed and things that aren’t. When your phone asks for permission to access your photo library it’s asking you to override a type of control. And that’s where educating your people and maintaining digital safety skills comes into play because you can’t depend on humans or users to do the right thing every time. This is especially true in a post-Covid era when working from home has become the norm and there’s been a dissolution of perimeters, from self-contained office spaces to potentially worldwide shared networks.
That’s why you need to have a balance between educated users, protections and controls. That way you’re shoring yourself up well against all contemporary threats.
[See also: NHS Digital’s Mike Fell: “Cybersecurity can sound bizarre, but getting it wrong puts patients at risk”]