Under the Computer Misuse Act first passed in 1990, any unauthorised access with intent to commit or facilitate commission of further offences is itself a criminal offence, even if there is no access control, or any other cyber security protection whatsoever.
Today, however, we mainly classify cyber crime as any attack motivated by financial gain. This definition takes in some of the advanced persistent threat (APT) groups loosely associated with governments, but run as a business making profit through the sale of stolen data, as well as organised cyber criminals and individuals.
Although theft of IP and other sensitive data is still a problem, the trend over the last few years has been towards the use of ransomware. Again, state-sponsored actors have been identified as using ransomware: a North Korean group was called out as being behind the WannaCry attack in 2017. The US National Security Agency said the group was “directly responsible” and the UK National Cyber Security Centre assessed it as “highly likely” to be responsible.
While ransomware attacks such as WannaCry were at first scattergun, aiming to obtain a small ransom from a large number of targets, the criminals’ strategy has predictably evolved to target specific organisations and look for much larger individual payouts, sometimes into the millions of pounds.
The most frequent sectors to be targeted are legal, healthcare, government, financial and industrial control systems. More recently, these targeted ransomware attacks have been combined with data theft, particularly personal identity information.
This is then used as additional leverage by threatening to release the information. Ironically, the pressure on the target organisation has increased with the new data protection regulations, because organisations must disclose loss of personal data within 72 hours and there are large fines for loss of such data.
Organisations now include data protection in their corporate risk, so this adds further time constraints and financial pressure. From the cyber criminal’s point of view, stealing personal data gives more leverage, but also provides an alternative financial return – in case the ransom is not paid, they can sell on the personal identity data.
Ransomware attacks typically start with a phishing email. In the case of a targeted attack, this will use social engineering targeted at the organisation, or individuals within it, and the malware will be packed to give the file a unique signature, thus avoiding detection by antivirus.
Once a user is deceived and clicks on a link in the email, or opens a malicious attachment, the ransomware will run and can start encrypting the local hard disk.
Critical to the success of the attack at this stage is the ability to spread. Encrypting a single user’s workstation is not going to lead to much of a ransom, so the malware must have the ability to traverse the network, infecting other hosts and, in particular, data servers holding critical data and any backup servers they can reach.
Once this happens, the only option is damage limitation. In the case of WannaCry, network traversal was automated using the EternalBlue exploit to infect anything that could be reached. In a combined attack, however, it is likely that the attackers would gain access and steal data before distributing the malware to other hosts and triggering their encryption. In some cases, the encryption software is distributed using the organisation’s own software distribution tool.
Basic measures to prevent, detect and recover from attacks
While basic antivirus is unlikely to be sufficient to stop this kind of attack, there are several basic measures that can help. The first is the use of tools to detect phishing emails with malicious links or attachments.
Such tools are now commonplace and will provide an initial line of defence. If the emails do get through, then user training and the use of “phishing emulation applications” to test effectiveness can increase user awareness and reduce the risk, not because every user will recognise the email as malicious, but because if one person does and reports it, then at least the attack has been detected.
Basic cyber security measures, such as patching known vulnerabilities, applying least privilege principles and heuristic-based endpoint security on workstations, can prevent or detect the initial attack.
Other measures, such as ensuring unused ports are closed, zoning and monitoring within the network, locking down the use of administrative tools and applying two-factor control for sensitive servers and administrators, can prevent both the spread of the malware across the estate and the access to servers to steal data, as well as helping to detect the attack.
Having a robust backup regime and the ability to re-image servers and workstations quickly is also key to recovering from a ransomware attack. Backups must, however, be held offline, and multiple sets of backup media used in turn, in case the backup is activated during a ransomware attack, or the attackers gain access to the backup server.
In some cases, the attacker may encrypt only part of the media at a time, so the encryption may not be detected for a while. It is therefore advisable to run a separate weekly backup cycle on separate media in case the daily backups are partially encrypted before the attack is detected.
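The reasoning behind the separate weekly cycle can be worked through in code. The following is an added example, not part of the original article: the rotation scheme (five daily media sets, four Sunday sets), the function names and the dates are all assumptions chosen for illustration.

```python
from datetime import date, timedelta

def retained_backups(today, daily_sets=5, weekly_sets=4):
    """List (backup_date, media_label) for every backup still held on `today`.

    Assumed scheme: one backup per day onto `daily_sets` media used in turn,
    plus a Sunday backup onto `weekly_sets` separate media used in turn.
    """
    held = []
    for back in range(daily_sets):          # older dailies have been overwritten
        d = today - timedelta(days=back)
        held.append((d, f"daily-{d.toordinal() % daily_sets}"))
    last_sunday = today - timedelta(days=(today.weekday() + 1) % 7)
    for back in range(weekly_sets):
        d = last_sunday - timedelta(weeks=back)
        held.append((d, f"weekly-{(d.toordinal() // 7) % weekly_sets}"))
    return held

def latest_clean_backup(today, first_encrypted, **scheme):
    """Newest retained backup taken before encryption began, else None."""
    clean = [b for b in retained_backups(today, **scheme) if b[0] < first_encrypted]
    return max(clean) if clean else None

if __name__ == "__main__":
    # Constructed scenario: partial encryption began nine days before detection.
    detected = date(2024, 3, 15)
    began = date(2024, 3, 6)
    # Every daily set was overwritten after encryption began; a weekly set survives.
    print("daily + weekly:", latest_clean_backup(detected, began))
    # With no weekly cycle there is nothing clean left to restore from.
    print("daily only:    ", latest_clean_backup(detected, began, weekly_sets=0))
```

The number of daily sets fixes how long encryption can go unnoticed before every daily copy is tainted; the weekly sets extend that window without multiplying the daily media.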
So far, ransomware has not spread to the cloud, but this is the obvious next step, so it is time to prepare for this. While we think of the cloud as resilient and that the supplier provides much of the security, the client also has security responsibilities, particularly around configuration and access control.
Also, not all cloud services provide a backup as standard. Mirroring of data may provide resilience, but will not allow data restoration in the event of a ransomware attack. One thing that can help in the cloud is the use of versioning, if supported. If versioning is enabled, a new version of a file is created each time it is saved, so encrypting a file will create a new version, leaving the old version untouched.
Limits to the storage of personal data
Finally, it is always important to minimise any personal data stored on the system. Data protection regulations require that any personal data should be the minimum necessary to fulfil the declared purpose for holding the data. I suspect that in many cases, it is more than absolutely necessary, which will increase the impact of any data loss, leading to bigger fines.
For example, I have been asked to provide my full postcode and date of birth as essential information so that media content can be tailored for me personally. Artificial intelligence has come a long way, but I strongly doubt that it will ever be possible to differentiate preferences by age to within one day, so in this case the nearest five years would be more appropriate.
Similarly with the postcode, a full postcode covers about 10 addresses, so about 30 people. Again, far more detail than is necessary. Given a full date of birth and postcode, it is possible in most cases to identify an individual from other publicly available data, such as the electoral register, making it much more sensitive. For this purpose, a five-year age band and the first half of a postcode is probably enough and maintains anonymity.
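The generalisation suggested above, a five-year age band plus the first half of the postcode, can be applied at the point of collection. This is an added example, not part of the original article; the records are constructed, the function names are assumptions, and the smallest-group count (the "k" of k-anonymity) is a measure introduced here to show the effect.

```python
import re
from collections import Counter
from datetime import date

# UK postcode: outward code, optional space, inward code (digit + two letters).
POSTCODE_RE = re.compile(r"^([A-Z]{1,2}[0-9][A-Z0-9]?)\s*([0-9][A-Z]{2})$")

def outward_code(postcode):
    """Return the first half of a UK postcode, with or without the space."""
    m = POSTCODE_RE.match(postcode.strip().upper())
    if not m:
        raise ValueError(f"not a UK postcode: {postcode!r}")
    return m.group(1)

def age_band(dob, today, width=5):
    """Return the age band, e.g. '40-44', that contains the person's age."""
    age = today.year - dob.year - ((today.month, today.day) < (dob.month, dob.day))
    low = age // width * width
    return f"{low}-{low + width - 1}"

def minimise(record, today):
    """Reduce a record to the two generalised fields that are actually stored."""
    return (age_band(record["dob"], today), outward_code(record["postcode"]))

def smallest_group(keys):
    """Size of the smallest set of records sharing one key (1 = someone is unique)."""
    return min(Counter(keys).values())

# Constructed sample records, not real people or addresses.
RECORDS = [
    {"dob": date(1980, 2, 14), "postcode": "LS6 2AB"},
    {"dob": date(1981, 9, 30), "postcode": "LS6 3QT"},
    {"dob": date(1983, 12, 5), "postcode": "ls6 1xy"},
    {"dob": date(1984, 3, 12), "postcode": "LS62AB"},
    {"dob": date(1996, 5, 20), "postcode": "BS1 4DJ"},
    {"dob": date(1998, 8, 8), "postcode": "BS1 5TR"},
]

if __name__ == "__main__":
    today = date(2024, 6, 1)
    raw = [(r["dob"], r["postcode"]) for r in RECORDS]
    print("raw fields, smallest group:      ", smallest_group(raw))
    print("minimised fields, smallest group:",
          smallest_group([minimise(r, today) for r in RECORDS]))
```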
In summary, protecting against combined ransomware and data theft attacks does not need a plethora of new specialised tools. But it does need a holistic view, including user awareness, an up-to-date incident response plan and limitation of sensitive data to only what is necessary.
These measures, together with appropriate tools and processes to detect and prevent the different stages of the attack, should be taken into consideration, along with, if necessary, the definition of a strategy to protect data in the cloud.