Ransomware attacks can be incredibly costly to businesses and states. On the 11th of October, the head of the UK National Cyber Security Centre warned that ransomware posed ‘the most immediate danger’ to UK businesses in cyber-space. This renews the conversation as to what this type of crime entails, and how organisations can become more resilient.
What is Ransomware?
Ransomware is a type of malicious software that encrypts, or otherwise withholds, a victim's data and demands a ransom for its return. Generally, the demand increases over time and is payable in cryptocurrencies such as Bitcoin, which makes the payment harder to trace back to the criminals.
How Does Ransomware Work?
Threat actors can gain access to a device or a network through a variety of means, including:
- Phishing attempts – Emails with malicious attachments or links
- Password guessing – Software that systematically tries passwords against an account or an exposed login service until one succeeds
- Exploiting software weaknesses – Unpatched vulnerabilities in software, network services or security controls that let the threat actor in, often without any user interaction
- Social engineering
Once the threat actor has a foothold on a device or network, the malware encrypts the victim's data. Modern ransomware almost always uses hybrid encryption: each file is encrypted with a fast symmetric cipher such as AES under a freshly generated key, and that per-file key is then encrypted (wrapped) with the attacker's asymmetric public key. The private half of that key pair never leaves the attacker, so nothing left on the compromised machine can reverse the process. Unless the criminals made an implementation mistake, the victim's only routes back to the data are the attacker's private key, sold as a 'decryptor' after payment, or backups the malware could not reach.
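The key handling described above, as an added illustration written for this page (it is not WannaCry's code or that of any real ransomware family). It assumes RSA-2048 with OAEP for wrapping the file keys and AES-256-GCM for the files themselves; the names LockedFile, Lock, Unlock and RunDemo, and the sample document, are invented here. Lock needs only the public key, which is all the code on the victim's machine ever has; Unlock needs the private key, and a different private key fails before the file cipher even runs.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// LockedFile is what hybrid-encryption ransomware leaves on disk: the AES-GCM
// ciphertext plus the per-file key wrapped under the attacker's RSA public key.
type LockedFile struct {
	WrappedKey []byte // RSA-OAEP(attackerPub, fileKey); the raw fileKey is never stored
	Nonce      []byte // fresh AES-GCM nonce for this file
	Ciphertext []byte // AES-GCM(fileKey, plaintext)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Lock encrypts one file using only the public key, so the code on the victim's machine carries nothing that can undo it.
func Lock(pub *rsa.PublicKey, plaintext []byte) (*LockedFile, error) {
	buf := make([]byte, 32+12) // fresh 256-bit AES key + 96-bit GCM nonce, for this file only
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	key, nonce := buf[:32], buf[32:]
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return nil, err
	}
	return &LockedFile{WrappedKey: wrapped, Nonce: nonce,
		Ciphertext: gcm.Seal(nil, nonce, plaintext, nil)}, nil
}

// Unlock is the "decryptor" sold after payment: without the attacker's private key the file key cannot be unwrapped.
func Unlock(priv *rsa.PrivateKey, lf *LockedFile) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, lf.WrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("cannot unwrap file key: %w", err)
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, lf.Nonce, lf.Ciphertext, nil)
}

// DemoResult records the three properties the scheme gives the attacker.
type DemoResult struct {
	RestoredWithPrivateKey bool // the attacker's private key recovers the data
	WrongKeyRejected       bool // any other private key fails to unwrap the file key
	PerFileKeysDiffer      bool // two files never share a wrapped key or ciphertext
}

// RunDemo generates the attacker's key pair, locks a constructed sample document twice and checks what each key can do.
func RunDemo() (DemoResult, error) {
	attacker, err1 := rsa.GenerateKey(rand.Reader, 2048)
	other, err2 := rsa.GenerateKey(rand.Reader, 2048) // someone else's key, not the attacker's
	if err := errors.Join(err1, err2); err != nil {
		return DemoResult{}, err
	}
	doc := []byte("appointments 2017-05-12 (constructed sample data)")
	first, err1 := Lock(&attacker.PublicKey, doc)
	second, err2 := Lock(&attacker.PublicKey, doc)
	if err := errors.Join(err1, err2); err != nil {
		return DemoResult{}, err
	}
	restored, err := Unlock(attacker, first) // right key: plaintext comes back
	if err != nil {
		return DemoResult{}, err
	}
	_, wrongErr := Unlock(other, first) // wrong key: expected to fail
	return DemoResult{
		RestoredWithPrivateKey: bytes.Equal(restored, doc),
		WrongKeyRejected:       wrongErr != nil,
		PerFileKeysDiffer: !bytes.Equal(first.WrappedKey, second.WrappedKey) &&
			!bytes.Equal(first.Ciphertext, second.Ciphertext),
	}, nil
}

func main() {
	r, err := RunDemo()
	fmt.Println(r, err) // all three fields should be true, err nil
}
```

The point for defenders is what is absent from the victim side: no symmetric key survives on disk and the wrapping key is public, so recovery without the attacker's private key depends on backups or on the criminals having got this wrong (a predictable random number generator, keys left in memory, or a shared key across victims), which is exactly where the free decryptors that exist for some families come from.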
Ransomware became mainstream news in May 2017 with the rapid spread of WannaCry, one of the largest recorded ransomware attacks in history. It was widely reported at the time as arriving by email, but WannaCry was in fact a self-propagating worm: once it had a foothold on a network it moved from machine to machine by exploiting the Windows vulnerability described below, without anyone having to open an attachment or link. Within days it had impacted around 230,000 devices in over 150 countries, and analysis suggests this cost around US$4 billion globally.
WannaCry exploited a vulnerability in the Windows implementation of the Server Message Block (SMB) protocol, specifically the legacy SMBv1 service, using the exploit known as EternalBlue. Microsoft had patched the flaw (security bulletin MS17-010) two months before the attack; however, many devices had not been updated, and older systems such as Windows XP were out of support and received no fix until Microsoft issued an emergency patch on 13 May 2017, the day after the outbreak began.
The attack was particularly high profile because of the organisations affected, among them Telefonica, FedEx and LATAM Airlines. In the UK, large parts of the NHS were disrupted for several days from the 12th of May 2017, at an estimated cost to the government of around GBP £92 million.
The National Health Service
The timeline of the attack and how it impacted the NHS:
- 14th March 2017 – Microsoft releases the update patching the SMB protocol vulnerability (MS17-010)
- 17th March 2017 – NHS Digital sends first notification to NHS trusts, advising sites to update their systems
- 28th April 2017 – NHS Digital sends second notification to NHS trusts, advising sites to update their systems
- 12th May 2017 – Late Morning – NHS sites begin to report problems with accessing network
- 12th May 2017 – 4pm – NHS England declared the cyber attack as a major national incident. Trusts divert patients to non-impacted sites, causing significant delays to treatments
- 13th May & 14th May 2017 – NHS England produce formal instructions and circulate these to impacted sites
- 14th May 2017 – Evening – NHS Digital report that 44% of impacted sites had applied necessary patches to their systems
- 15th May 2017 – NHS England procure emergency IT suppliers to patch the remaining impacted IT systems
- 16th May 2017 – NHS England report that only 2 remaining trusts are diverting patients to alternative services
- 19th May 2017 – 5:30pm – WannaCry incident declared as resolved by NHS England
- 18th December 2017 – Evening – The Trump administration officially attributes the WannaCry attack to North Korea
- 25th April 2018 – Full WannaCry Incident Report published by the National Audit Office
Microsoft had patched the relevant vulnerability before the WannaCry attack began. In addition, the investigation by the UK National Audit Office found that over 90% of NHS devices were running Windows 7, which was covered by the March update, and NHS Digital had issued multiple alerts asking sites to apply it.
However, most NHS trusts did not patch promptly or follow NHS Digital's cybersecurity guidance, so devices were infected that need not have been.
Scope and Impacts
Ransomware attacks are increasingly sophisticated and hard to prevent, and analysis by Grey Dynamics indicates that the frequency of this type of cybercrime is accelerating. With the cost of an average ransomware attack having more than doubled from 2020 to 2021, threat actors stand to make significant financial gains.
Recently, ransomware-as-a-service (RaaS) has become far more common: the developers of a ransomware family rent out their tooling and payment infrastructure to affiliates, usually in return for a share of each ransom, so that even actors with little technical skill can run attacks. With this context in mind, ransomware attacks are highly likely to continue at an even more rapid rate.
Although preventing every ransomware attack is unrealistic, organisations can limit the impact by adopting and enforcing robust cybersecurity practices. This includes:
- Regularly backing up required data, keeping at least one copy offline or otherwise out of reach so the ransomware cannot encrypt the backups too, and testing that restores actually work
- Keeping devices up to date, applying security patches promptly (the WannaCry patch had been available for two months) and retiring or isolating systems that no longer receive them
- Segregating networks by function on the principle of least privilege, so that a worm cannot reach every machine from a single infected host
Ransomware is a lucrative business due to the difficulty in tracking the perpetrators of such malware, as well as the significant financial gain possible.