Cybersecurity: an audacious attack

Should there still be any companies that have yet to promote cybersecurity to the top of their risk management agenda, Friday’s global attack on organisations and companies across nearly 100 countries will have sounded alarm bells.

Cybersecurity firm Kaspersky Lab identified more than 75,000 ransomware attacks – in which the perpetrators seize control of computers and demand money before they will release them – in 99 countries, with the majority targeting Russia, Ukraine and Taiwan.

However, victims also included UK hospitals in the country’s National Health Service (NHS) network, US courier company Fedex, French carmaker Renault, Germany’s national rail service Deutsche Bahn, Spain’s Telefonica mobile phone network and utilities Iberdrola and Gas Natural, Chinese universities and hospitals in Indonesia.

The attack coincided with a summit meeting of finance ministers from the G7 group of leading economies to discuss the threat of cyber-attacks, at which they pledged to work more closely on spotting vulnerabilities and assessing security measures.

Ransomware is malicious software that locks down files on an infected computer and demands payment from the computer’s administrator in order to regain control of them. In last Friday’s attack, the initial demand was relatively modest at US$300 (£230), suggesting that the perpetrators believed that many victims would pay up to avoid the resulting disruption, particularly as the ransom was accompanied by a warning that the price would steadily increase.

In this case, the extortion attempt demanded that the ransom be paid in the digital currency bitcoin. The latest reports suggest that in total no more than US$53,000 in ransom payments have been made since the attack was launched on Friday.

Mark Hawksworth, global technology specialist practice group leader at claims management service firm Cunningham Lindsey, said that the attack on the NHS Trusts “demonstrates how something as simple as ransomware can have a large impact on the ability of an organisation to function no matter what its size”.

Press reports suggested that NHS trusts have been routinely targeted by cybercriminals, despite being less financially attractive than a major bank, because of their relatively poor levels of security. Most continue to use Microsoft’s veteran Windows XP operating system, which has become largely obsolete for corporate use and contains a vulnerability exploited by the ransomware.

Three years ago, GTNews ran a series of articles on Microsoft’s withdrawal of general support for Windows XP in April 2014 and the repercussions for corporate treasury departments still reliant on XP.

Michelle Crorie, a partner at the law firm of Clyde & Co, commented shortly after Friday’s attack was publicised: “Data breaches and cyber hacks are now one of the biggest threats large businesses are facing around the world.

“There are two mains ways hackers routinely seek to hold a business to ransom. The first is by extracting data and threatening to release it unless a ransom is paid. This leaves businesses in a very tough situation as there are data protection consequences to allowing a release.

“The second technique, which the NHS appears to be facing, is a ‘lock-out’. The hacker blocks the company from accessing its own data, which of course stops nearly all business activity, especially when the business relies heavily on access to digital data.

“Businesses need to ensure they have procedures in place if such a situation occurs and understand the legal consequences of the options available.”

Ransomware readiness

The insurance market has responded to the growing incidence of cyberattacks, launching a range of policy coverages to mitigate the impact. A commentary issued by Lloyd’s of London insurer Beazley Group noted:

  • Cyber is a relatively new type of insurance cover and penetration into the public sector is likely to be low.
  • Public sector organisations have historically under-invested in technology and security.
  • Ransomware attacks are very difficult to defend against and backups are really the only defence.
  • The NHS is unlikely to pay any ransom demands; both due to UK public policy and the complications of the Terrorism Act.
  • There is unlikely to be much in the way of third-party claims against the NHS even for data loss under UK laws.
  • The main costs of such an attack are business interruption, costs of recovering from backups.

Bitcoin intelligence firm Elliptic, which is based in London and Washington DC, has issued a four-step response plan for “ransomware readiness”.

“Most ransomware attacks follow the same general pattern,” said Elliptic co-founder and lead investigator Dr Tom Robinson. “The victim is given a bitcoin – or other cryptocurrency – payment address, and a deadline to make payment. Most people incorrectly assume there is nothing that can be done to identify the perpetrator after payment is made.”

The four-step plan recommended by the company is as follows, and includes scenarios in which a company decides to make payment:

  1. Assess the risk
    Not all ransomware payments are worth making; experts may be able to decrypt the data, or there may be indications that the attacker will not decrypt the computer even after payment is made. Since Friday’s attack, there has been no evidence that the attacker will ever decrypt the computers targeted.
  2. Obtain the bitcoins
    Ransomware operations usually demand payment quickly, sometimes in as little as 24 hours. It can be difficult for a company to secure large quantities of bitcoins at short notice.
    “Most Bitcoin exchanges have know your customer (KYC) policies that prohibit them from selling new clients a significant amount of bitcoins,” said Dr Robinson. “Often a company will have the cash ready to purchase Bitcoins, but the exchange cannot legally open an account and complete the transaction before the ransom is due.”
  3. Make the payment
    Large bitcoin payments can be confusing for companies that are not used to dealing in cryptocurrencies. “Constructing a large Bitcoin transaction is a technical process. You need to define the right transaction fee, verify the destination, and sign the transaction appropriately,” said Dr Robinson. “Too low a fee and your transaction might never clear; send it to the wrong address and your bitcoins are gone forever. It’s also important that the ransomer knows which of their victims is making the payment.”
  4. Identify the attacker
    Bitcoin transactions are difficult but not impossible to trace, according to Elliptic, which has developed advanced bitcoin investigation software and whose team of investigators has delivered actionable intelligence to identify ransomware and cyber-extortion attackers on both sides of the Atlantic. “We are able to connect the dots between Bitcoin activity and real world actors,” says Dr Smith. “We only provide our forensic investigation services in collaboration with law enforcement, and we have a very high success rate in delivering actionable intelligence on complex bitcoin investigations.”

“We actively trace proceeds of ransomware and cyber extortion, and we alert our bitcoin exchange customers if they receive illegal funds,” adds Dr Robinson. “Our goal is to defeat ransomware by making it extremely difficult to launder the proceeds of these crimes.”

More to come

A UK security blogger known by the pseudonym MalwareTech, has been credited with accidentally halting the further spread of Friday’s attack by locating what appeared to be a ‘kill switch’ in the rogue software’s code. Although this did not undo the damage already caused, it was sufficient to prevent the contagion spreading to further organisations.

However, he told the BBC: “We have stopped this one, but there will be another one coming and it will not be stoppable by us. There’s a lot of money in this, there is no reason for them to stop. It’s not much effort for them to change the code and start over.”

His prediction is likely to be supported by Kaspersky Lab, which has warned about the vulnerability of utilities to cyberattacks, as reported in this April 2016 article in GTNews.
