
Cyber extortion is a growing, but largely hidden threat

Security industry warns of increasing cyber extortion attacks as Lincolnshire County Council is hit by a ransomware demand

This article can also be found in the Premium Editorial Download: Computer Weekly: Building datacentres under the sea

Cyber extortion is a growing threat to companies around the world, but the extent of the practice is largely hidden because many firms just pay up and keep quiet, say security experts.

More and more public sector companies are being targeted because they are believed to be fairly likely to pay up to minimise the impact on public services. 

“Cyber-criminals are becoming increasingly ambitious, resulting in an alarming increase in the number of councils, governments and national infrastructure organisations being targeted,” said Greg Sim, chief executive of security firm Glasswall Solutions.

Lincolnshire County Council is the latest known target of cyber extortion, but reported cases are just the tip of the iceberg, according to David Flower, managing director of security firm Carbon Black.

At the weekend, Lincolnshire County Council reported that it had been targeted by cyber attackers using ransomware that had locked staff out of key databases for most of a week.

However, it has not been confirmed that the council was specifically targeted, or whether the malware infection was simply due to an indiscriminate automated attack using a malicious email attachment.

Ransomware is malware that typically encrypts key data belonging to an organisation so that attackers can demand money in exchange for unlocking the data.

Cyber attackers’ use of ransomware increased by 58% in the second quarter of 2015, according to a threat report by Intel Security.

Ransomware attacks have been extremely profitable for cybercriminals in the past few years, and researchers at security firm Kaspersky Lab believe ransomware attacks may even out-pace banking Trojans as a way for cybercriminals to make money.

The cryptography implemented by ransomware programs that encrypt the victim’s data is extremely secure, meaning there's little hope of recovering files through a brute-force attack on the encryption itself, according to Kaspersky Lab.

However, ransomware is not the only means of conducting cyber extortion. Some cyber criminals also commonly use distributed denial of service (DDoS) attacks to hold organisations to ransom and demand payment to stop or prevent attacks. 

In the case of Lincolnshire County Council, unknown attackers demanded the equivalent of £350 in cryptocurrency to unscramble the data encrypted by the previously unknown ransomware, which could indicate that the attack was targeted or that the council was simply unlucky to be one of the first hit.

Initial reports said the attackers had demanded £1m in ransom, but the council has since revised this down to $500, saying that at no point had it considered paying the ransom. 


The council said it was working with its security supplier to restore its data from backups, but only a small amount of data was affected because systems were shut down as soon as the malware was detected, the BBC reports.

The ransomware attack affected some services, including libraries and online booking systems, but the council said it hoped to restore these systems soon.

The council said it had notified the Information Commissioner’s Office (ICO) about the incident, but said no personal data had been compromised.

Carbon Black’s Flower said the use of previously unseen ransomware or zero-day malware is problematic, because traditional security solutions such as antivirus rely on blacklisting.

“They have a set of known threats that they detect, and if a file doesn’t appear on their list, they let it through, so if the threat has never been seen before, then this system falls down,” he said. “As such, phishing emails with ransomware can easily sneak into a user inbox, the user clicks on the attachment, and boom – the bad guys are in.”


For this reason, Flower said organisations must stop relying on antivirus alone to protect their endpoints and add capability to assess a threat against a set of policies and common characteristics.

“This should then be combined with broader threat intelligence, where you can see if a particular file has ever been seen before,” he said. “If it hasn’t, then it is likely to be zero day and hazardous. This allows organisations to get smarter about security and avoid falling into this sort of trap.”

Research has shown that relatively low-cost ransomware attacks typically net thousands of pounds a week for attackers as companies pay ransoms in bitcoin for the decryption keys to unlock their data.

But Raj Samani, chief technology officer for Europe at Intel Security, said most ransomware attacks “can be avoided through good cyber hygiene and effective, regular data backups that are continually tested to ensure they can be restored if needed”.

And Patrick Wheeler, director of product at security firm Proofpoint, said regular backups are “the most reliable method for recovering infected systems”.

Businesses need to be proactive, said Samani, because the decryption keys are not always provided when ransoms are paid.

“Being proactive is often easier and less costly than a reactive approach, and by paying ransoms, companies should recognise that they are contributing to cyber crime by supporting those responsible for it,” he added.

David Emm, principal security researcher at Kaspersky Lab, said Lincolnshire County Council was right to resist paying the attackers. “At the very least, paying up should be a decision of last resort, not a routine approach to the problem,” he said.

To avoid succumbing to a ransomware attack, Emm said companies should follow strict security policies that include internet security protection, applying security updates as soon as they become available, restricting users from running unknown applications, and educating employees.

“It’s also vital that individuals and businesses back up their data regularly, so that if they do fall victim to a ransomware infection, they don’t lose data.

“Backups should be made to offline storage, since the data on any storage device connected to the computer at the time of infection will also be encrypted,” he said.
