For a tantalising moment it felt as if the ransomware attack on Lincolnshire Council might go down in history as one of the most serious cyberattacks ever recorded in the UK. Initially the sum demanded was reported as being an extraordinary £1 million ($1.5 million), which would have made the incident by some distance the largest ransom ever publically disclosed anywhere in the world since this type of attack appeared a decade ago.
As experts wondered what was going on, it later transpired that the ransom was in fact a more ordinary $500 (£350), which the Council stated it wouldn’t pay. The difference between the two sums isn’t simply a matter of money. Attackers confident enough to ask for the huge sum of £1 million implies a targeted attack, which are usually severe to cause serious disruption. A demand for only $500 is more like a standard ransomware attack executing from a single machine with self-limiting consequences.
From the Council’s point of view, the difference probably sounds like splitting hairs. Its systems were taken down for a week and staff found themselves checking a reported 458 servers and at least 70TB of data to make sure the infection hadn’t spread beyond wherever it entered the network. As with everyday ransomware attacks, a member of staff opened a booby-trapped email that wasn’t filtered by the Council’s security systems and set off an infection that probably caught thousands of files on hard drives and possibly network shares accessible from that system.
The Council later blustered about the malware using a “zero-day” attack, which sounds highly unlikely. It is probable that a recent but unpatched flaw in software was to blame. Regardless, the attack’s disturbing quality was its simplicity and predictability for attackers who see ransom demands to return (or not) encrypted files as a percentages game. Most victims won’t pay but the small fraction who do make it worth the bother.
According to a January 2015 survey of Cloud Security Alliance (CSA) members by Skyhigh Networks that found that a quarter were willing to pay ransoms if that would prevent a cyberattack with a surprising 14 percent claiming they would pay ransoms as high as $1 million. The survey only covered slightly over 200 people across the globe so its conclusions don’t transfer to UK businesses with a fig of certainty. What it underlines is that ransom attacks have become common enough that some business leaders might be rationalising them as just another cost of business. It’s the shift in psychology that’s important here not how many organisations are actually stumping up cash.
An Online Trust Alliance (OTA) report, also from January, estimated that ransomware has now become almost the standard way of targeting businesses, almost always with some degree of targetting.
“Much like surge pricing for taxis, cybercriminals now target and calculate their ransomware pricing based on company size, market value and much more,” the report quoted OTA executive director Craig Spiezle as saying. “Cyber-surge pricing of corporate data is becoming widespread, increasing the impact and costs for businesses and their employees worldwide.”
Coping with the open-ended risks of such attacks would probably mean that cyber-insurance was going to increase in popularity as a way or rationalising uncertainty over costs.
UK organisations reel under ransomware and DDoS surge - HSBC's latest DDoS
After a record year for high-profile DDoS attacks in 2015, only days ago UK bank HSBC suffered one severe enough to disrupt customer account access, about as bad as it gets for a bank. That a DDoS attack could cause that sort of issue is astonishing given the size of the bank’s systems and the sink-holing it will have in place to mitigate such events. The institution did not explain the motive behind the attack but a ransom demand remains a possibility as does using it to act as a smokescreen for deeper incursions into the bank’s systems.
It’s not even the first such attack to hit the company and its customers after a similar one in 2012.
According to recent numbers from security firm Imperva, network-based DDoS attacks on the UK spiked significantly during 2015, and rose almost a quarter between the third and fourth quarter of the year. The MO is also shifting towards very high-throughput attacks based on short bursts, enough to cause problems for on-demand mitigation services. The firm describes this technique as akin to a war of attrition.
Is the UK coming in for special treatment? It is now among an unfortunate top group in terms of being on the receiving end of DDoS attacks, whether motivated by ransom demands or not.
“The United Kingdom has a strong online business community and strong Internet infrastructure, which enables the execution of large scale attacks. The combination of both is the reason why recently we see more and more reports against UK-based businesses and more concern about DDoS attacks from local business and government sectors, including recent high-profile arrests of alleged DD4BC and LizardSquad members,” Igal Zeifman, senior digital strategist at Imperva, told Computerworld UK.
“The quarter-on-quarter increase is an opportunity to highlight the fact that UK has one of the most frequently targeted online business communities.
“I think the increase is too substantial to be related to the activity of any individual extortionist group or hacker organisation. Rather, I would relate it to an increased adoption of DDoS-for-hire services by non-professional perpetrators, who are likely using them in DDoS extortion campaigns,” he added.
The end result of this is that while ransom and DDoS cyberattacks are bound to increase these are now becoming successful enough to cause real bother. On one end of the scale is Lincolnshire Council’s week of downtime after a single PC was infected with ransomware exploiting an unpatched flaw. At the other is global bank HSBC temporarily brought to a halt by a DDoS. What these have nothing in common in terms of size, complexity or targeting but the end result was the same – expensive downtime.
Is there an answer to this or must UK organisations simply prepare for attacks that are now inevitable? On this front there is good and bad news. Positively, global policing is starting to improve with potentially major breakthroughs in January 2015 including the UK Metropolitan Police Cyber Crime Unit (MPCCU)/Europol arrest of alleged members of the commercial DDoS world’s most active group, DD4BC, in raids across the continent.
That’s the bad news; the Europol operation involved police action in Bosnia and Herzegovina, Austria, Australia, France, Japan, Romania, the USA and Switzerland. Clearly, what the world has come to know as DD4BC has turned into a multi-national global business operation. The days of Russian cybercriminals holed up in remote Siberian towns appear to be over. This sort of cybercrime is now everywhere.