Kingsley Hayes, Head of Data Breach, discusses the increasing frequency and severity of ransomware attacks, in Fraud Intelligence.
The world has recently seen a surge in ransomware attacks. The slightest lapse in IT security, such as an employee unwisely clicking on a link, can lead to a business finding its entire IT system encrypted and held to ransom. Hackers then typically demand that millions be paid over in cryptocurrency for the encryption key. Thankfully, there are steps businesses can take to reduce the risk of such attacks. Nor are businesses altogether powerless should they fall victim to a ransomware attack.
Many cybersecurity experts now argue that significant and internationally coordinated governmental action is required in order to push back effectively against the current wave of ransomware attacks. A recent report, “Combatting Ransomware”, by the US Institute for Security and Technology, argues that the ransomware phenomenon is “no longer just a financial crime; it is an urgent national security risk that threatens schools, hospitals, businesses, and governments across the globe”.
Several recent ransomware attacks have been linked to Russia, an accusation that has made ransomware attacks a geopolitical issue. The recent 2021 G7 summit in Cornwall issued a final communique calling on Russia to “hold to account those within its borders who conduct ransomware attacks” while committing the G7 to collaborate in order “to urgently address the escalating shared threat”.
Ransomware attacks were also on the agenda when US President Joe Biden met Russian President Vladimir Putin in Switzerland on 16 June 2021. Russia has been accused of involvement in major cyberattacks, such as the SolarWinds hack of 2020, which accessed the computer systems of US government departments and major American corporations.
Since the WannaCry and NotPetya attacks of 2017 revealed the vulnerabilities of many networks, the frequency of ransomware attacks has escalated markedly. The dark web even now enables criminal gangs to purchase off-the-shelf ransomware software to conduct attacks.
The head of GCHQ’s National Cyber Security Centre Lindy Cameron recently said that her organisation “supports victims of ransomware every day” and said that, while state-sponsored hacking campaigns are a “malicious strategic threat to the UK’s national interests”, ransomware has become the most significant threat.
Ms Cameron recently told the Royal United Services Institute that “For the vast majority of UK citizens and businesses … the primary key threat is not state actors but cyber criminals.” She advised companies affected by ransomware attacks not to pay over the ransom demanded. The US authorities also advise against paying ransoms, but many companies simply pay up so that they can stay in business. In the US, there is no requirement to even report such an attack, which means that there could be many ransomware attacks which never see the light of day.
Ransomware attacks are growing in both frequency and severity. In England, in just the past two years, we have seen significant attacks upon organisations such as the PFEW of England and Wales and Hammersmith Medical Research, trading as London Trials. There have also been attacks aimed at securing sensitive medical data such as the hack on the Transform group. Medical data is extremely sensitive to the individual and can lead to extortion.
The Irish health system is still recovering from a major ransomware attack it suffered in May. In what was termed a “catastrophic” attack, the Irish health service had its data encrypted by a gang of criminal hackers, which then demanded US$20 million in Bitcoin for the encryption key. The attack caused serious disruption to services and put patients’ lives at risk. Nonetheless, the Irish government refused to pay the ransom and, perhaps unusually, the hackers then supplied the encryption key regardless, although it has since emerged that patient data has been leaked online. The hackers were perhaps content to profit from the illegal sale of the data, since patient medical data can fetch up to $1,000 per record on the dark web and, when combined with identity data, can cause great harm to the individuals affected. Hackers may seek ransoms from individual patients even if they cannot obtain one from the entity originally hacked.
Not all entities threatened by ransomware attacks refuse to pay on principle. In strictly economic terms, mitigating a ransomware attack is likely to cost much more than paying up. A major US insurer, CNA Financial Corp, recently reportedly paid US$40 million to regain access to its network. The meat company JBS SA recently paid US$11 million to hackers. The Colonial Pipeline hack, which disrupted gas supplies in the US, resulted in a US$4.4 million ransom being paid over to hackers in Bitcoin. However, in this latter case the US Department of Justice later announced that it had managed to recover most of the Bitcoin ransom paid. This shows that cryptocurrencies such as Bitcoin are not beyond the reach of the authorities.
A key way to undermine the viability of ransomware attacks would be to limit access to untraceable methods of payment, such as cryptocurrencies. Major governments are now planning to aggressively regulate cryptocurrencies to prevent their use in fraud, money laundering and ransomware attacks. In January 2021, Janet Yellen, now the US Secretary of the Treasury, told the US Senate Finance Committee that many cryptocurrencies, “are used, at least in a transaction sense, mainly for illicit financing. And I think we really need to examine ways in which we can curtail their use”.
The EU has also announced a plan to regulate blockchain and digital currencies, alongside plans to launch a digital euro, which will provide users with privacy, but which also looks set to be traceable if used for criminal purposes. ECB President Christine Lagarde said that the proposed new digital euro would enable “people to make payments without sharing their data with third parties, other than what is required by regulation.” A new digital Yuan is currently being trialled. It is hoped that the advent of state-backed digital currencies and the tighter regulation of cryptocurrencies will disrupt the business model underpinning ransomware attacks.
We do not yet know what precise form the promised governmental efforts to tackle ransomware attacks will take. New and more stringent regulatory regimes and legal enforcement powers are likely to be created. More severe criminal penalties may be introduced to deter cybercriminals. Sanctions may be imposed on countries seen as safe harbours for cybercriminals. Governments may consider making it illegal to pay ransoms to cybercriminals. What’s more, it seems likely that the introduction and enforcement of such measures will be closely coordinated internationally, given the borderless nature of the threat. It’s clear that the introduction of such measures will take time.
For now, we can only hope that the international effort to clamp down on ransomware and the illicit use of cryptocurrencies will ultimately prove effective. In the meantime, what can businesses do to protect themselves from the growing risk of ransomware attacks?
How to protect your business against ransomware attacks
Ransomware is malware which can wreak havoc once it gets inside an organisation’s system.
To prevent it gaining access, all the standard IT security advice applies: all systems should be kept up to date and ideally they should be encrypted. Appropriate firewalls and antivirus software should be used. Complex passwords should be required and changed regularly. Daily backups should be made, and these should ideally be kept secure and separate from the main system so that an attacker who encrypts the main system cannot also encrypt the backups. Close attention should be paid to wifi security and the use of public wifi should be avoided.
Many IT security experts recommend using only company devices, and not allowing the use of employees’ own devices. The use of personal devices can make it easier for ransomware to get into systems. The use of VPNs in tandem with endpoint encryption across all company devices should also be considered.
Training employees in IT security and on spotting phishing attacks is also critical. The best IT security in the world can be circumvented if employees are not on their guard against fake emails or calls purporting to be from the IT department asking them for their password details.
How to respond to a ransomware attack
If the worst happens, and a ransomware attack succeeds, organisations often deploy security investigation services and business-critical continuity plans. In some cases, if a recent backup has survived, the system can be restored quite quickly. Other times, the authorities may be able to assist affected businesses.
Sometimes, strategies can be deployed to regain access while also seeking to immediately recover any extorted payments. A landmark 2019 English High Court case held that Bitcoins are legally capable of being regarded as property and so can be the subject of proprietary injunctions.
The judgment in AA v Persons Unknown [2019] EWHC 3556 (Comm) arose in the context of a ransomware attack on a Canadian insurance company. Having encrypted the company’s system, the hackers then demanded US$1.2 million in Bitcoin for the encryption key. The Canadian company’s English insurer provided cover against such attacks. The insurer quickly appointed a specialist cyberattack incident response company, which communicated with the hackers. A ransom payment in Bitcoin of $950,000 was paid. The decryption key was sent and the data was retrieved.
However, the English insurer was working rapidly to recover the Bitcoins paid. It hired consultants who traced the Bitcoins paid to a particular exchange. They found that 96 of the 109.25 Bitcoins paid were still in an account there. The insurer rapidly brought legal proceedings to recover the Bitcoins, as they had been paid under extortion. The court granted a proprietary injunction over the remaining 96 Bitcoins and they were recovered. Cryptoassets are clearly coming within the control of some of the world’s legal systems. However, it is vital to act with all speed.
Businesses are not powerless in the face of the current wave of ransomware attacks. However, in order to avoid becoming the next victim of these increasingly sophisticated attacks, businesses need to take meaningful action now to bolster their IT defences while also updating their risk assessments, their staff training and developing plans as to how to respond should an attack get through.
Kingsley’s article was published in Fraud Intelligence, 21 July 2021, and can be found here.