Ransomware, one of the fastest-growing malware hazards of the 21st century, threatens businesses and public institutions around the world. A particularly virulent and fast-evolving species of malicious software, it infects computers and mobile devices, often spreading across networks to other devices. Once it compromises a system, it quietly encrypts every data file it finds, then displays a ransom note to the user demanding an online payment of hundreds or thousands of pounds (to be paid in cryptocurrency like Bitcoin) in return for the decryption keys needed to restore the user’s locked files.
Ransomware is on the rise in the UK
Nearly 3 out of 4 companies infected with ransomware suffer two days or more without access to their files
A notorious example of a ransomware attack that hit companies worldwide was the spring of 2017 WannaCry outbreak, which afflicted over 200,000 computers in over 150 countries. Costing the UK £92 million and running up global costs of up to a whopping £6 billion. In the summer of 2017, the NotPetya ransomware variant ensnared thousands of business and public institutions in a global net, and despite letting victims pay a ransom, wreaked essentially unrecoverable damage. The autumn of 2017’s Bad Rabbit ransomware outbreak disrupted thousands of systems across Russia, Ukraine, and the European Union.
Last year, GandCrab became the first ransomware that demands payment in DASH cryptocurrency and utilizes the “.bit” top level domain (TLD). GandCrab is distributed via multiple spreading vectors, which include spam emails, exploit kits and other affiliated malware campaigns. These spam emails trick users into opening the file contained inside the attached ZIP archive, which is generally a script that downloads GandCrab ransomware and executes it.
- According to SonicWall, despite decline in malware attacks, ransomware volume shot up by 195% in the first half of 2019. UK was the second most attacked country in the world,
- Databarracks reported a quarter of UK organisations were victims of ransomware in the past year,
- And Malwarebytes reported the UK receiving the highest amount of ransomware detections in Europe.
In planning defensive strategies, IT security professionals must recognize that the cost of a ransomware attack goes far beyond the extortion payment. A steadily growing list of victimized companies have reported that other costs associated with an attack – downtime, lost sales opportunities, angry customers, the expense of attack mitigation and recovery, damage to company brand reputation, penalties for unmet contractual obligations to customers, and fines for non-compliance -- make the cost of the ransom look trivial.
The top 5 UK ransomware attacks
Ransomware attacks have wreaked extensive downtime and economic harm on many industries, including police departments, local governments, automotive manufacturers, logistics companies, financial services institutions, healthcare providers, and transportation systems around the world. Hardly a week goes by without news of another successful and costly ransomware attack. Here are just a few examples:
NHS: In 2017, the NHS, the UK’s National Health Service was brought to a standstill for several days due to the WannaCry outbreak, afflicting over 200,000 computers in over 150 countries and resulting in the cancellation of thousands of operations and appointments and the frantic relocation of emergency patients from stricken emergency centres. Staff were also forced to revert to pen and paper and use their own mobiles after the attack affected key systems, including telephones.
Gremlin unveiled: The ransomware in this case, known as ‘Wannacry’, is often delivered via emails which trick the recipient into opening attachments and releasing malware onto their system in a technique known as phishing. Once your computer has been affected, it locks up the files and encrypts them in a way that you cannot access them anymore. It then demands payment in bitcoin in order to regain access.
Eurofins Scientific: The UK’s biggest provider of forensic and scientific services, Eurofins Scientific was infected by ransomware causing disruption to their IT systems and resulting in backlog of over 20,000 blood and DNA samples. Dealing with more than 70,000 UK cases a year, Luxemborg-based Eurofins Scientific, was reported to have paid the ransom to restore access to its computer network.
Gremlin unveiled: Although the strain of ransomware was not confirmed, an NCSC advisory published the same day as its notice on the Eurofins incident emphasised the risk from Ryuk ransomware: ‘Ryuk ransomware is often not observed until a period of time after the initial infection – ranging from days to months – which allows the actor time to carry out reconnaissance inside an infected network, identifying and targeting critical network systems and therefore maximising the impact of the attack.’
Reckitt Benckiser: British pharmaceutical and CPG maker Reckitt Benckiser estimated that its victimization by the NotPetya ransomware cost it £107M pounds in disrupted production, goods it could not deliver to customers, and clean-up and recovery costs.
Gremlin unveiled: One of the most devastating strains of a cyber-attack, NotPetya is a highly sophisticated migration of the Petya virus, that is not in fact ransomware. Encrypting all files beyond repair, with a bitcoin ransom notification, NotPetya exploits several different methods to spread the virus without human intervention. Unlike its predecessor, when a victim pays the ransom, there is not tell-tale code to say who has paid, hence it’s cause is to disrupt and create chaos.
British and Foreign Bible Society: Swindon-based The British and Foreign Bible Society, was fined £100,000 by the Information Commissioner’s Office, after their computer network was compromised as the result of a cyber-attack in 2016, putting supporter’s payment card and bank details at risk.
Gremlin unveiled: With over 400,000 records compromised, due to weak passwords protecting the personal details of their supporters, hackers deployed ransomware that encrypted one million files across the Bible Society’s network resulting in a GDPR-enforced fine.
Police Federation of England & Wales: The Surrey headquarters of the staff association for the police, which represents over 119,000 officers suffered a data breach as a result of malware causing local servers and networks to be infected and the deletion of their backup servers.
Gremlin unveiled: The ransomware attack encrypted several databases and servers, making data and email services inaccessible, and resulted in an investigation from the ICO.
More disturbing facts about ransomware’s hidden costs
Industry researchers have compiled some scary facts and statistics about the cost and frequency of ransomware attacks:
- Ransomware is costing UK companies £346 million per year
- The Police and other government agencies agree that paying the ransom is a very poor defence: over half of ransomware victims who pay do not successfully recover their files, either because the extortionists fail to deliver the promised keys, or have implemented the encryption/decryption algorithms so poorly that the keys don’t work.
- Recovering files from backup and restoring encrypted systems is often easier said than done. According to Intermedia research, nearly three out of four companies infected with ransomware suffer two days or more without access to their files. Around 30% go 5 days or longer without access.
- As more ransomware victims heed the experts’ advice not to pay the ransom, the rate of total ransomware attacks keeps rising, with criminals turning their sights on verticals like healthcare and law enforcement that tend to be more willing to pay because of the life-and-death consequences that can result from computer downtime in their fields.
- Ransomware is projected to attack one business every 14 seconds by the end of 2019, up from every 40 seconds in 2018. According to other statistics, 71% of companies targeted by ransomware attacks have been infected, and half of successful ransomware attacks infect at least 20 computers in the company.
- Ransomware has driven people to commit suicide
How ransomware got to be a malware epidemic
The reasons for the rapid growth of this category of malware are mostly attributable to its evolution from a one-time cottage industry to a modern, criminal version of the software-as-a-service business. Ransomware gangs copied the model of tech vendors like Salesforce.com, continually and rapidly developing and improving their product and relying on a network of Internet-based “distributors” – lower-level, relatively-unskilled criminals willing to push the malware onto as many machines as possible in return for a cut of the ransom – to get their product into the marketplace.
These front-end criminals use a variety of techniques to propagate ransomware attacks, including blasting out phishing emails with infected web links or attachments, placing bogus online ads that lead users to fake websites that invisibly download malware to anyone that visits them.
Meanwhile, the highly skilled back-end developers labour to create new variants that can exploit operating system and application vulnerabilities, take advantage of unwary end-users, and evade anti-virus software and other defences created by the IT security industry. They also build sophisticated distribution, monitoring, notification and payment infrastructures which they make available to their “distributors” for free. All anyone needs to get into the ransomware distribution racket is moral flexibility, a browser, and an Internet connection to access these easy-to-use tools, start spreading ransomware around, and begin extorting cash from victims. It’s called ransomware-as-a-service.
How business and public institutions can fight back against ransomware
In the face of this rapidly growing threat, businesses and public institutions can take concrete steps to protect their systems from the operational disruptions and high costs of ransomware attacks. Step one is to start educating employees on the techniques that ransomware distributors use, teaching them to be cautious about the online advertisements and email links they click on, the websites they visit, and the attachments they open.
Even though ransomware detection has increased in the UK, it is still the most resolute country for dealing with ransomware attacks. Organisations like St John’s Ambulance have been praised for their response to a ransomware attack.
Due to a data breach, British Airways have been hit with a record ‘intention to fine’ by the ICO following the introduction of GDPR. Previously, companies were only fined a maximum of £500,000 for data breaches such as Facebook. Greater fines send a clear message to companies that IT security failures will no longer become solely a PR liability. Cyber-attacks are becoming more visible with company boards.
However, there is a long way to go! The improved understanding of cyber security is no reason for businesses to become complacent. This bridges nicely with existing recommendations and how to fight back against ransomware.
How to avoid ransomware attacks
Good network and security hygiene measures remain important, like segmenting networks to make it harder for ransomware to spread from system to system, keeping endpoint anti-malware software up-to-date, and patching known vulnerabilities in operating systems and applications as quickly as possible.
Finally, given the high success rate of ransomware attacks, it is imperative to institute a rigorous backup regimen and keep multiple copies of critical business and patient data both locally, offsite and in the cloud. Routine, frequent backup remains the most fool proof defence against ransomware: if your systems are compromised, you can simply identify the onset of the attack and restore your systems from clean backups created before the incursion.
Final thoughts and further reading
To avoid becoming victims of the next widespread ransomware attack, businesses and public institutions will have to deploy the basic measures outlined above, and consider deploying leading-edge technologies for ransomware defence like Acronis Active Protection, a free extension to Acronis Backup and Acronis Backup Advanced that uses machine learning to identify ransomware attacks in progress, instantly terminate them, and automatically restore any damaged files.
For case studies of enterprises that have used Acronis Active Protection to effectively protect themselves against ransomware attacks, see these stories on auto dealership Ready Honda, electronics manufacturer Johnson Electric, and aluminium refining giant Hydro Alunorte.
For details on how Active Protection works, see: https://www.acronis.com/en-us/resource-center/resource/276/ .