The NCSC has published a new report looking at the threat of ransomware to UK organisations, how these threats are evolving and how to mitigate them.
Cyber criminals target organisations for money, for information and for the potential to cause widespread disruption. These attacks are evolving, both in terms of scale and harm. In 2022, there were 745,000 computer misuse offences. The cyber offences often further other criminal activity, including fraud and stalking.
The latest Ransomware, extortion and the cybercrime ecosystem report, compiled by the National Cyber Security Centre (NCSC) and the National Crime Agency, sets out how these threats are evolving and how to mitigate them.
The NCSC explains that “ransomware is a type of malware which prevents you from accessing your device and the data stored on it, usually by encrypting your files. A cyber criminal will then demand a ransom in exchange for the decryption. The computer itself may become locked or that data on it may be encrypted, stolen or deleted. The attackers may also threaten to leak the data they steal.”
The report highlights the tactic of damaging a large organisation’s network, instead of targeting smaller organisations or individual users. This is known as “big game hunting”. The potential for the cyber criminals to make larger ransom demands makes larger organisations attractive targets.
The report warns that “combining data theft with extortion in big game hunting attacks increases the pressure on victims to pay, who will often be presented with short deadlines (a tactic used in legitimate sales campaigns).”
The NCSC warns against paying ransom demands following a ransomware attack. Any monies you pay are likely to finance further criminal activity – and there is no guarantee you will get access to your systems and data back.
This report makes it clear that “ransomware groups are often aware of western laws and regulations and use that knowledge to shape their criminal activity. Data leak sites became popular in the hope of pressuring victims that could face larger fines under laws such as GDPR.”
However, it counsels that organisations should not allow this type of tactic to make them more willing to pay the criminals. It emphasises that even if you were to pay an exorbitant fee to the criminals to prevent the data stolen from you ending up on data leak sites, it does not mean that you are absolved of your responsibilities under GDPR. You could still be subsequently fined for failing to adequately protect the data you hold.
Another development highlighted in the report is how ransomware activity is evolving into an entire ecosystem of criminal activity.
It says, “the ransomware business model seen most frequently is ‘ransomware as a service’ (RaaS). In this model, ransomware groups typically provide a web portal to enable affiliates and customers to customise their ransomware and obtain new builds with unique encryption keys per customer. Many include a communications platform to make the ransom negotiation easier and more anonymous for the affiliate. Most ransomware will also include features to delete local backups and hider recovery.”
RaaS is sold in online forums by criminal groups. Different tools are deployed for gaining initial access, exploiting that access to deliver ransomware, demanding payment and anonymising communications. The report highlights how this flexibility makes it challenging for threat intelligence companies and defenders to understand which parts of the attack were conducted by which actor group. However, it does say that the biggest threat to the UK comes from the Russian-speaking world.
Access to company networks might be gained by access brokers and sold via online marketplaces or undertaken by the ransomware groups themselves.
The report says, “Most criminals take the opportunities presented to them, either through buying accesses that they deem likely profitable or by scanning for a vulnerability in a product likely used in corporate networks.”
These opportunities are identified and exploited in a number of ways, including:
• Scanning the Internet for devices with known vulnerabilities: despite patches being available, they are not being consistently applied and there are still rich pickings for cyber criminals to use as an initial access.
• Brute force attacks which test common passwords, default passwords that are widely known and shared, and passwords identified in previous breaches that have not been changed (since password reuse is still relatively common).
• Using a type of malware called a “stealer”. Available on criminal forums and often adapted to evade antivirus software, stealers might take screenshots, log keystrokes, steal passwords stored in web browsers, cookies and other configuration details, steal data entry forms and credit card details from web browsers and/or capture antivirus details.
• Using a type of malware called a “loader”. This gathers basic system information which is then used to deploy other malware. They are often used to determine whether a system is viable for ransomware before deploying more capable malware.
• Phishing continues to be a common attack vector. Emails with malicious attachments or links to trick users into visiting malicious websites are used as a first step to encourage large volumes of victims to download malware.
• Other large-scale distribution techniques include “malvertising” (when an attacker uses advertising as a delivery method for malware); poisoning SEO so that common search terms return malicious links; and embedding malware in cracked software.
The complex ecosystem of cybercrime activity makes identifying culprits very difficult. The cyber criminals use a variety of tools to make this job more difficult, including traffic distribution systems (TDS).
Using a TDS allows cyber criminals to define redirection rules from an administration panel. Direction is based on the type of visitors browsing their web of malicious pages. Different categories of visitors can be redirected to different campaigns. TDSs are currently very popular in phishing distribution because they can be used to block known security research IPs, thereby preventing them from receiving the malicious payloads for analysis.
According to the report, “cryptocurrency has made it easier, cheaper and faster to obtain payment and purchase criminal services than was previously possible with traditional currencies. The use of cryptocurrency also makes it harder to attribute individuals and control illicit payments, although this is in the process of changing to match traditional currencies.”
It warns, “Although some exchanges are legitimate, there are also several cryptocurrency exchanges that are complicit in assisting ransomware criminals to exchange cryptocurrency into other forms of currency. Examples of this include SUEX, which has been sanctioned by the US Treasury.”
When an organisation falls victim to a cyberattack, in retrospect it can seem to be targeted. However, the report makes it clear that this is unlikely. Criminals motivated by financial reasons don’t target specific organisations – they simply take the opportunities presented to them. It argues, “there is far less return on specifically targeting a single organisation.”
This opportunism on the part of the criminals means the success of ransomware attacks usually comes down to poor cyber hygiene – such as unpatched devices, poor password protection or a lack of multifactor authentication.
While the report acknowledges that “modern IT estates are exceptionally complex, especially for organisations that have undergone acquisitions and mergers, and security controls can be difficult to implement effectively across complex environments,” it also argues that “implementing such measures would interrupt the majority of ransomware attacks.”
If you haven’t already become Cyber Essentials certified, now is the time to do so. Following basic cyber hygiene can help to prevent the majority of ransomware attacks, preventing initial malware from being delivered.
Cyber Essentials guidance has changed this year, to reflect the growing threat of ransomware and the NCSC’s recommendations for mitigating it. Our team can advise about these changes, if there is anything you are unsure about.
Good backups and tested recovery plans must be another plank in your defence. If you know that you can easily restore your business network, systems and data, there is no need to consider paying a ransom and any disruption can be minimised.
While the report recognises that the threat of ransomware “will continue to adapt and evolve as threat actors seek to maximise profits” it also emphasises that implementing NCSC guidance on multi-factor authentication, incident management, data protection and mitigating malware would interrupt the majority of attacks.
If you’d like any advice or guidance about cyber security or help in protecting your organisation against the threat of ransomware, please reach out to the Grant McGregor team.
Call us: 0808 164 4142
Message us: https://www.grantmcgregor.co.uk/contact-us
You can discover additional advice and insights about a variety of cyber security topics on our blog: