The user, the abuser and the cyber criminals
According to Europol’s fifth annual internet organised crime threat assessment, ransomware remained the biggest malware threat out there in 2018. Ransomware lockdowns can potentially result in outages, financial loss and reputational damage, so how can they be fought? Jason Walsh finds out
Imagine the scene: you sit down to work, log in and . . . are locked out.
Ransomware is the nightmare scenario for any business: work grinds to a halt, sales stop, and precious data is encrypted not to mention compromised — and the shadowy figures behind it say that they will delete it unless you cross their palm with cryptocoins.
US-based telco Verizon estimated this year that almost 40 per cent of all successful malware-based attacks involved some form of ransomware — and, worse still, the targets were changing, too, with databases and servers under attack, not just desktop PCs, meaning business critical applications were at risk.
Enda Cusack, head of advisory and professional services business at Hewlett Packard Enterprise (HPE) Pointnext, said that this development was very noticeable.
“Without a doubt, ransomware attacks are the primary cybersecurity threat to both SME and large organisations, and now cyber-attacks are now targeting business-critical systems in an attempt to cripple transactional activity until ransoms are paid,” he added.
Clearly this is something that businesses need to take seriously, and it is not the only malware out there.
In fact, by some metrics, ransomware appears to be in ‘decline’, or at least experiencing reduced growth — for now. And arguably the apparent decline is simply a result of the problem already being so massive: growth was explosive from 2016 to 2018, so while throughout 2018 it was dethroned by a new threat — cryptominers — ransomware is still out there.
In fact, though, it does remain the most pervasive cyber threat out there. And that threat is a very real one, with estimates that each single incident results in losses of over €2,000 due to downtime alone. In addition, some businesses have been known to fork out tens of thousands to decrypt data — often with no guarantee that the criminals will keep their word. And if you think about, why would they?
Europol, the European Union agency for law enforcement cooperation, said that in 2017 ransomware drained over €4.4 billion from the global economy.
Europol’s fifth annual internet organised crime threat assessment, published in September 2018 at the joint Interpol-Europol Cybercrime Conference in Singapore, stated that “ransomware remains the key malware threat in both law enforcement and industry reporting”.
The report did acknowledge the growth of cryptomining as a “low-risk revenue stream for cybercriminals”, but that despite the growth of ransomware slowing, it has still overtaken other threats including banking trojans.
The Europol report also noted that business in particular is under threat: “As we have seen with other cyber-attacks, as criminals become more adept and the tools more sophisticated yet easier to obtain, fewer attacks are directed towards [individual] citizens and more towards small businesses and larger targets, where greater potential profits lie.”
Of course, every business owner already knows that they must have lines of defence: strong financial controls, strong procedures, and, just as importantly strong, IT controls — but how do these play out in practice?
Was it me?
The most pernicious aspect of ransomware, though, is not at all technological. True, in many cases ransomware includes increasingly sophisticated exploitation of vulnerabilities, but that is not the defining part of how ransomware works.
In fact, the main vulnerability is not located in either the software or hardware. Instead it sits between the keyboard and the chair.
“We talk about ransomware, we talk about phishing, we talk about smishing, [but] the common denominator in all these security threats is a person: a person doing something that they shouldn’t, or not doing something that they probably should,” said Michael Conway, director at Dublin-based Renaissance Contingency Services.
For Conway, this human element is the most important thing to consider when dealing with ransomware — and there are humans at both ends of the process, victim and aggressor, mark and sharp.
“That’s the bottom line: when somebody says to me ‘It was a computer fraud’, well, it’s not a computer fraud. They’re frauds that make use of a computer. The fairground scams with the matchboxes and the peas, the pickpocket; they’re criminals also. Fundamentally, these are confidence tricks: they lull people into a false sense of security and then they zap you,” he said.
Conway said that ransomware has become a threat as the entire landscape of cyber threats and cybersecurity has changed. Ransomware’s key insight was to get around security by focusing on the how people think and act.
On the other hand, this can also be a defence against ransomware itself.
“Well, actually, why is ransomware a newer threat? Because [it is something on which] the traditional AV [anti-virus software] stuff doesn’t work anymore. Threats, responses to threats, the way you respond to an attack gets minimised and mitigated. Your traditional Irish county lad coming up to Dublin in the 1950s was a mark at large, and maybe had his money in his top pocket. After a while he will become more aware.
“Likewise, now we’re seeing that ransomware is being [more] wisely protected against [but] the one thing we always see is that the bad guys are ahead of the defences,” he said.
This, said Conway, is where the security industry needs to do more: at the very least fix the technical side of the problem.
“The innovative bad guys — and the bad guys are incredibly innovative — they can deviate from the norm and try something different, but the marketplace doesn’t respond until it becomes commonplace. This is where the industry needs to be there. It can’t pre-empt everything, but much ransomware comes via exploitable vulnerabilities that everyone already knew about. A lot of the [new] protections against ransomware are doing just that: addressing those vulnerabilities.”
For businesses themselves, an active strategy for dealing with malware, including ransomware, is always preferable to a reactive one.
“The first thing is to get anti-ransomware software, if you can,” Conway said.
“The second thing to do is to back the data up on a regular basis. The third is to patch the system. If you do all those you have a way past even chance of recovery.
“Think of it this way. If you lock the door you have a chance, if you have an alarm you have a better chance, if you have a security camera you have even more. Let the bad guys go next door.”
But if the user remains the biggest problem, then how can they be dealt with?
Conway said that explaining the threat and training people properly is essential, but it would be wise to avoid creating a prison-like atmosphere in a workplace.
“User awareness can never be raised to an appropriate level, but you also can’t have a paranoid situation where no one is every allowed to ever click on anything,” he said.
Steve Mulhearn of security consultancy Fortinet said that ransomware is a threat to corporate and enterprise IT, but one that is both part of the wider malware threat and also one that is changing more than many people realise.
“It’s one of many threats today. It’s actually changed quite considerably. Everybody [just] thinks of WannaCry,” he said.
Mulhearn, who is director of enhanced technology at Fortinet for Britain, Ireland, Germany, Austria and Switzerland, said that while WannaCry was a wake-up call, it is not true that it is representative of the typical ransomware threat.
“The WannaCry guys found a vulnerability that could automatically copy itself, it was in old OSes that were not supported. It was a perfect world for them. Let’s admit it, though: it’s not 100 per cent normal.”
Businesses are also now becoming more aware of the problem, he said.
“If you look at the corporate world, people are getting smart about it. They have deployed email detection or other sandboxing technology.”
The problem is most acute, Mulhearn said, where IT resources are lowest: among individuals and very small businesses.
“The corporate world and enterprise world roughly knows what to do, and it has back-ups: the ultimate response to ransomware is back-ups. ‘Okay, I lost a day’s work, but I can carry on.’ The consumer, on the other hand, doesn’t know what to do.”
Mulhearn said that the decision to click the button and make the payment had to be understood in psychological terms — and this is why attacks on individuals, including the threat of destroying treasured memories, is so serious.
“The ransomware guys are clever; they’re not stupid. If they can change a financial decision into an emotional decision that’s when they win. They take a path of least resistance: ‘Why work hard when I don’t have to?’”
The more it changes, the more it stays the same
Enda Cusack, at HPE Pointnext, said that while the underlying technology, from the vulnerabilities to the exploits, changes with time, the vector of attack has remained largely the same.
“The reason ransomware continues to proliferate utilising classic delivery methods such as email is that users have not been properly trained or made aware of the dangers of opening malicious email attachments. This trend highlights a need among organisations, cross sector, to improve web, email and user security awareness,” he said.
In many ways, this is surprising: given the press coverage of malware in general and ransomware in particular, it would be natural to assume that people today were more aware than ever of the threat to data.
Cusack said that businesses needed to take greater responsibility for their staff, and, indeed, that some were doing just that.
“Some businesses are better than others, for sure,” he said.
“Ransomware remains a significant threat for many Irish companies. Irish businesses [as a whole] are still not investing enough in suitable security strategies, such as education and tech, to combat ransomware attacks and as a result, end up with no option but to pay the ransom when they have been compromised.”
But employees’ businesses that end up in the firing line were not alone in their responsibilities, Cusack said. The tech sector must share the burden.
“We in the IT Industry have to take responsibility for some of that and work with our customers around advising and implementing strategies that will protect them,” said Cusack.
Cusack said that the IT sector must take responsibility even if user behaviour is at fault because there remains a technical component to the replication of malware attacks.
“Ransomware attacks are typically carried out using a trojan or some other type of malicious engineered software, entering a system through, for example, a malicious email attachment or embedded link in a phishing email or a vulnerability in a network service.
“At the network level, it has proved more difficult to mitigate and prevent the spread of ransomware. Firewalls that implement whitelisting or robust blacklisting will be a successful deterrent to lessening the likelihood of successful web-based malware downloads and may deter ransomware from connecting to command-and-control servers.”
Some businesses and business sectors, however, are ahead of the pack — and as it often the case with security and compliance issues, it is usually because they have to be.
“I think the FSI sector is one that is ahead of most because traditionally these are the institutions that have the most significant resources to invest and possibly have the most to lose should a breach occur,” said Cusack.
On the technical side, some alarming developments have occurred, including the weaponisation of extremely new technologies. As a result, even more of the latest technology must be deployed in return.
“Hackers are definitely becoming more sophisticated in their attacks, which is why more intelligence is required to combat them,” said Eilish O’Connor, director of cloud solutions at Viatel.
“One of the big advances in this space is in machine learning and AI [artificial intelligence], which we are looking to leverage in our cyber security and threat analytics solution in the Viatel Flexi Cloud.
“With regards to what kinds of businesses are targeted: [it happens to] any business where technology plays a part in any area of its supply chain. And it’s not just the company that has been targeted that feels the effects. For example, the (Not)Petya attack took down Maersk shipping IT for ten days, having a knock-on effect on any company that depended on them for importing or exporting goods.”
Reputational damage is very real and, said O’Connor, may not be fully appreciated by everybody.
“There are plenty of studies that document different factors which affect reputation after a breach, such as the size of the breach and the nature of it; internal or external. Incidents that are viewed to be caused by a failure of a company’s security systems have a much more detrimental effect on reputation. The speed at which a company reacts will also have an effect on the damage,” she said.
“It is very important for all companies to consider the risk to reputation that could be caused by a security breach — the cost of which may not be immediately obvious, from lost business to missed investment. You can’t avoid investing in security, a significant part of which needs to be on back-up and disaster recovery. This is where you see the value of resiliency by taking a proactive approach to limiting the damage to your reputation.”
O’Connor said that whether ransomware is the predominant security threat today is a point that can be debated. However, it has become one of the most widely known — and this is significant.
“By its very nature, it invokes a lot of emotion and fear in people,” she said.
It is this emotional response that drives the ransom payout.
“The data that is encrypted is mostly of no use or interest to the ransomware attacker. However, it could be of a very sensitive, sentimental or business-critical nature to the person or business affected,” she said.
O’Connor said that this is where business continuity planning and disaster recovery come into play — and that starts with back-ups.
“While it’s very important to do all that you can to prevent it from happening, it’s equally important to have the ability to pick yourself up quickly if it ever does happen,” she said.
Seeing the bigger picture
In the rush to deal with malware, however, some think that other, greater problems are being ignored or sidelined.
“Ransomware is quite low down, I have to say, in terms of the things that actually derail a business,” said Dr Sandra Bell, head of resilience at Sungard Availability Services.
Instead, said Bell, more prosaic problems dominate.
“What we find is that nearly 70 per cent is [composed of] power failure, hardware failure and communications failure. The difference [between malware and other forms of outage] is that you have a sentient adversary. The really important thing that you have to have is strong leadership that can adapt to things,” she said.
Bell said that malware in general, and ransomware in particular, play on a particular kind of risk awareness.
“I tend to think of risks falling into three buckets. The first is risks that you voluntarily take: I used to get into a small plastic boat and throw myself down white water rivers, for example. Then you’ve got the ‘benign’ type, where you just happen to get in the way: severe weather, flooding and so on. Finally, there are those that are imposed on you. Some are imposed on you for financial gain, such as malware or criminal activity, and then there are those like terrorism,” Bell said.
Humans as a whole, she said, perform hidden psychological calculations — and not always correctly — when it comes to assessing these kinds of risks.
“We’re far more accepting of the risk that we take on ourselves, but our perception is the other way round. We perceive those that are done to us as far larger compared to those that we have voluntary taken. Naturally, that puts malware into the very high category,” she said.
Nonetheless, Bell is not saying that malware can be ignored.
“It is absolutely a case of ‘when’, rather than ‘if’,” she said.
“Organisations we are dealing with are hit every day by malware, but it is generally not of the level where it is so disruptive that everything falls apart. There is the odd one, but usually it’s not on that scale.”
However, work stoppages are trouble enough — and ransomware can often be only the first part of a wider cyberattack on a business.
“I frequently get called into organisations were they’re in the process of having a malware attack. It’s usually ransomware, and that’s where is starts. When you get into working out where it comes from, you usually find that somebody noticed something six or seven months ago but didn’t say anything [to the IT department].”
For Bell, the good news is that, with the proper protections in place, the ‘ransom’ in ransomware can be a misnomer.
“It’s a form of ransom. However, it’s not like holding a person to ransom. You must back everything up, so you shouldn’t have things that allow you to be held to ransom.”
However, a bunch of databases floating around on RAID arrays, or even 8mm tapes, are not going to cut it. Apart from the time — and hence cost — involved in restoring, these days there is often more to be backed up than just the data alone.
“Back-ups have to be the primary response, not just of data but of entire systems, and also multiple access such as holding it in another area, or the cloud. There isn’t anything of value to hold to random in that case,” said Bell.
Proper back-ups and disaster recovery plans allow for business to recover almost immediately — and, said Bell, doing this is as people-centric as user-awareness training because it recognises the reality faced by business today.
“We keep doing more and better defences form a technology point of view, but we’re not doing those people-centric things. We need to concentrate more on the psychological triggers, and on how to response quickly on a strategic level. That would at least force the criminals to change their business model,” she said.
Talk to IT
Sandra Bell of Sungard Availability Systems says that when it comes to the malware threat in general, businesses need a culture of openness rather than a punitive one.
“The old law enforcement type culture doesn’t work,” she said.
But there are also specific situations that make developing that culture more difficult. Home working throws up very particular problems, for instance, because it tends to result in weaker links with the IT department.
“It is really difficult,” she said. “If I was to get something flashed up on my screen in the office, I’m more likely to walk along to the IT dept and say ‘I’ve been an idiot, can you do something about this’, and it will not be a big deal.
“But if I don’t have that relationship, and I’m working from home, I’m more likely to click the button to pay, which may even download more malware.”
Do you want to cry now?
Ransomware shot into the public’s awareness with ‘Wannacry’. In May 2017, a worldwide attack took place, with infected Windows computers locking up and demanding payments — in BitCoin form, of course — in order to unlock the data.
Microsoft managed to patch Windows within a few days, but not before shockwaves had reverberated around the world.
And it really was a global phenomenon: victims included Britain’s National Health Service, Honda, Spanish telco giant Telefónica, the University of Montréal in Canada, FedEx, Renault, German rail company Deutsche Bahn, FedEx and police and governments in China, India and Brazil.
In all, it is estimated that more than 200,000 computers in 150 countries were infected.
British and US authorities have said that they believe the culprits to be North Koreans, and as North Korea has no real private activity they are, presumably, pointing the finger at the government.
The British Foreign and Commonwealth Office ‘minister for cyber’ Tariq Ahmad issued a statement in mid-December last year, saying: “It is highly likely that North Korean actors known as the Lazarus Group were behind the WannaCry ransomware campaign”, and that WannaCry was one of the most significant cyber attacks to ever hit the country.
WannaCry is classified as a network worm because not only does it encrypt data, it is capable of replicating itself by transporting itself across networks.
Those who got infected had not applied Microsoft’s April 2017 security update, including users of now-unsupported older versions of Windows such as XP and Sever 2003. Within a day, Microsoft released a new patch, which also covered older, unsupported OSes.
But WannaCry is still out there causing chaos. Last March, Boeing announced it had been hit, and last August, Taiwan’s Semiconductor Manufacturing Company made a similar announcement.
All security experts agree: technical fixes, while important, can only take you so far. At the end of the day, the real vector for attack is users and, as a result, user awareness training is essential.
“User awareness is a critical piece of the puzzle, and can go a long way towards improving security posture and providing part of the lines of defence,” said Eilish O’Connor of Viatel, echoing Michael Conway of Renaissance, who counselled against creating a needlessly paranoid workplace culture.
Sandra Bell of Sungard AS said that training, while essential, cannot be allowed to mask the sophistication of the attackers.
“It’s not going to be: ‘We’re going to tell people not to click on things’. That really doesn’t work. It takes you so far to be aware, but it’s not going to work in the long term. These people use really complex psychological tools to make people do the wrong thing,” she said.
In addition, O’Connor said that it was unrealistic to expect all staff members to become IT security specialists.
“Training all users to be cyber security experts is usually far less cost effective than being prepared, both proactively and reactively, for an incident,” she said.
Enda Cusack, head of advisory and professional services business at HPE Pointnext, took a similar view. “It’s both [an issue for software and hardware] and its advisory services. Technology can only take you so far. Vigilance on behalf of employees is also key to ensuring you minimise your exposure,” he said.
“We try to help our customers understand that it is not just about a technology fix. It’s broader than that. The key to dealing with ransomware is vigilance on the part of enterprises and that vigilance starts at the top.
“In addition to educating employees on security best practices, enterprises need to ensure that data is regularly backed up and securely stored in different media types, or indeed to the cloud.”