UK organisations reel under ransomware and DDoS surge - didn't they see it coming?

The UK is now at the centre of a nasty convergence of skilled criminality

For a tantalising moment it felt as if the ransomware attack on Lincolnshire Council might go down in history as one of the most serious cyberattacks ever recorded in the UK. Initially the sum demanded was reported as being an extraordinary £1 million ($1.5 million), which would have made the incident by some distance the largest ransom ever publicly disclosed anywhere in the world since this type of attack appeared a decade ago.

As experts wondered what was going on, it later transpired that the ransom was in fact a more ordinary $500 (£350), which the Council stated it wouldn't pay. The difference between the two sums isn't simply a matter of money. Attackers confident enough to ask for the huge sum of £1 million imply a targeted attack, and such attacks are usually severe enough to cause serious disruption. A demand for only $500 is more like a standard ransomware attack executing from a single machine with self-limiting consequences.

From the Council's point of view, the difference probably sounds like splitting hairs. Its systems were taken down for a week and staff found themselves checking a reported 458 servers and at least 70TB of data to make sure the infection hadn't spread beyond wherever it entered the network. As with everyday ransomware attacks, a member of staff opened a booby-trapped email that wasn't filtered by the Council's security systems and set off an infection that probably caught thousands of files on hard drives and possibly network shares accessible from that system.

The Council later blustered about the malware using a "zero-day" attack, which sounds highly unlikely. It is probable that a recent but unpatched flaw in software was to blame. Regardless, the attack's disturbing quality was its simplicity and predictability for attackers who see ransom demands to return (or not) encrypted files as a percentages game. Most victims won't pay but the small fraction who do make it worth the bother.

A January 2015 survey of Cloud Security Alliance (CSA) members by Skyhigh Networks found that a quarter were willing to pay ransoms if that would prevent a cyberattack, with a surprising 14 percent claiming they would pay ransoms as high as $1 million. The survey only covered slightly over 200 people across the globe so its conclusions don't transfer to UK businesses with a fig of certainty. What it underlines is that ransom attacks have become common enough that some business leaders might be rationalising them as just another cost of business. It's the shift in psychology that's important here, not how many organisations are actually stumping up cash.

An Online Trust Alliance (OTA) report, also from January, estimated that ransomware has now become almost the standard way of targeting businesses, almost always with some degree of targeting.

"Much like surge pricing for taxis, cybercriminals now target and calculate their ransomware pricing based on company size, market value and much more," the report quoted OTA executive director Craig Spiezle as saying. "Cyber-surge pricing of corporate data is becoming widespread, increasing the impact and costs for businesses and their employees worldwide."

Coping with the open-ended risks of such attacks would probably mean that cyber-insurance was going to increase in popularity as a way of rationalising uncertainty over costs.

UK organisations reel under ransomware and DDoS surge - HSBC's latest DDoS

After a record year for high-profile DDoS attacks in 2015, only days ago UK bank HSBC suffered one severe enough to disrupt customer account access, about as bad as it gets for a bank. That a DDoS attack could cause that sort of issue is astonishing given the size of the bank's systems and the sink-holing it will have in place to mitigate such events. The institution did not explain the motive behind the attack but a ransom demand remains a possibility as does using it to act as a smokescreen for deeper incursions into the bank's systems.

It's not even the first such attack to hit the company and its customers after a similar one in 2012.

According to recent numbers from security firm Imperva, network-based DDoS attacks on the UK spiked significantly during 2015, and rose almost a quarter between the third and fourth quarter of the year. The MO is also shifting towards very high-throughput attacks based on short bursts, enough to cause problems for on-demand mitigation services. The firm describes this technique as akin to a war of attrition.

Is the UK coming in for special treatment? It is now among an unfortunate top group in terms of being on the receiving end of DDoS attacks, whether motivated by ransom demands or not.

"The United Kingdom has a strong online business community and strong Internet infrastructure, which enables the execution of large scale attacks. The combination of both is the reason why recently we see more and more reports against UK-based businesses and more concern about DDoS attacks from local business and government sectors, including recent high-profile arrests of alleged DD4BC and LizardSquad members," Igal Zeifman, senior digital strategist at Imperva, told Computerworld UK.

"The quarter-on-quarter increase is an opportunity to highlight the fact that UK has one of the most frequently targeted online business communities.

"I think the increase is too substantial to be related to the activity of any individual extortionist group or hacker organisation. Rather, I would relate it to an increased adoption of DDoS-for-hire services by non-professional perpetrators, who are likely using them in DDoS extortion campaigns," he added.

The end result of this is that while ransom and DDoS cyberattacks are bound to increase, these are now becoming successful enough to cause real bother. On one end of the scale is Lincolnshire Council's week of downtime after a single PC was infected with ransomware exploiting an unpatched flaw. At the other is global bank HSBC temporarily brought to a halt by a DDoS. These have nothing in common in terms of size, complexity or targeting but the end result was the same - expensive downtime.

Is there an answer to this or must UK organisations simply prepare for attacks that are now inevitable? On this front there is good and bad news. Positively, global policing is starting to improve with potentially major breakthroughs in January 2015 including the UK Metropolitan Police Cyber Crime Unit (MPCCU)/Europol arrest of alleged members of the commercial DDoS world's most active group, DD4BC, in raids across the continent.

That's the bad news; the Europol operation involved police action in Bosnia and Herzegovina, Austria, Australia, France, Japan, Romania, the USA and Switzerland. Clearly, what the world has come to know as DD4BC has turned into a multi-national global business operation. The days of Russian cybercriminals holed up in remote Siberian towns appear to be over. This sort of cybercrime is now everywhere.
