Since the previous report, ransomware has been the biggest development in cyber crime:
Ransomware is a type of malware which prevents you from accessing your device and the data stored on it, usually by encrypting your files. A cyber criminal will then demand a ransom in exchange for decryption. The computer itself may become locked, or the data on it might be encrypted, stolen or deleted. The attackers may also threaten to leak the data they steal.
Ransomware attacks may cause monetary harm, but sometimes the reputational damage is worse - there is also the impact of enforcement action by the ICO for not sufficiently protecting customer data. The current trend is for groups to conduct data theft and extortion without deploying ransomware - they will adapt the attack type to the industry type.
Cryptocurrency has made it easier, cheaper and faster to obtain payment and purchase criminal services. It also makes it harder to attribute individuals and control illicit payments. Most serious attacks are carried out by organised crime groups (OCGs), who are highly organised criminals operating like legitimate businesses.
Stealing Passwords
The white paper discusses stealing passwords through brute force access, but also stealers and loaders: ‘Stealers’ are a type of malware available on criminal forums that are used to harvest a variety of useful information (including credentials) which other criminals can use in fraud and/or ransomware attacks.
Common features of stealers are:
- stealing passwords stored in web browsers
- stealing cookies, browser version and other configuration details
- stealing form entry data from web browsers
- stealing stored credit card details
- taking screenshots
- capturing antivirus details
- logging keyboard presses from users.
‘Loaders’ are another type of malware used to gather basic system information which is then used to deploy other malware. Loaders can be used to determine if a system is viable for ransomware before deploying more capable malware (and spending the time necessary to take over the whole network).
Stealers and loaders are distributed using phishing techniques or traffic distribution systems (TDS). A TDS is similar to a legitimate advertising service: it receives visits from users who have clicked links in malicious emails, and captures basic system information such as geographical location, browser or operating system version.
Ransomware Business Models
Buy-a-build - low cost, appeals to smaller groups with lower skill levels.
In-house - traditional ransomware model, where the same threat group is responsible for developing ransomware.
Ransomware as a Service (RaaS) - the most frequently seen model. Ransomware groups might provide a web portal to enable customers to customise their ransomware and obtain new builds with unique encryption keys per customer. It may include a communications platform to make the ransom negotiation easier.
Data leak sites have become popular in the hope of pressuring victims that could face large fines under the UK GDPR.
The full article can be viewed here: White Paper - Ransomware and the Cyber Crime Ecosystem
We provide support and guidance with cyber security in relation to data protection through our Information & Cyber Security Best Practice Library.
What to do if you suffer a cyber attack:
Tell someone! Report to IT. Report to SLT.
Unplug the computer from the internet by removing the ethernet cable or turning the Wi-Fi off.
If you are a victim of a ransomware attack we would recommend reporting this to Action Fraud: https://www.actionfraud.police.uk/ as well as your data protection officer so they can advise about the data loss. Most cyber crimes like these will also need to be reported to the ICO by your data protection officer.
Isolate the infected device and pass it to IT.
Always ensure there are backups you can restore from.