Cyber extortion is a growing threat to companies around the world, but the extent of the practice is largely hidden because many firms just pay up and keep quiet, say security experts.
More and more public sector companies are being targeted because they are believed to be fairly likely to pay up to minimise the impact on public services.
Lincolnshire County Council is the latest known target of cyber extortion, but reported cases are just the tip of the iceberg, according to David Flower, managing director of security firm Carbon Black.
At the weekend, Lincolnshire County Council reported that it had been targeted by cyber attackers using ransomware that had locked staff out of key databases for most of a week.
However, it has not been confirmed that the council was specifically targeted, or whether the malware infection was simply due to an indiscriminate automated attack.
Ransomware is malware that typically encrypts key data belonging to an organisation so that attackers can demand money in exchange for unlocking the data.
Cyber attackers’ use of ransomware increased by 58% in the second quarter of 2015, according to a threat report by Intel Security.
However, ransomware is not the only means of conducting cyber extortion. Some cyber criminals also commonly use distributed denial of service (DDoS) attacks to hold organisations to ransom and demand payment to stop or prevent attacks.
In the case of Lincolnshire County Council, unknown attackers demanded the equivalent of £350 in cryptocurrency to unscramble the encrypted data. The ransomware was previously unknown, which could indicate that the attack was targeted or that the council was simply unlucky to be one of the first hit.
Initial reports said the attackers had demanded £1m in ransom, but the council has since revised this down to $500, saying that at no point had it considered paying the ransom.
The council said it was working with its security supplier to restore its data from backups, but only a small amount of data was affected because systems were shut down as soon as the malware was detected, the BBC reports.
The ransomware attack affected some services, including libraries and online booking systems, but the council said it hoped to restore these systems soon.
The council said it had notified the Information Commissioner’s Office (ICO) about the incident, but said no personal data had been compromised.
Carbon Black’s Flower said the use of previously unseen ransomware or zero-day malware is problematic, because traditional security solutions such as antivirus rely on blacklisting.
“They have a set of known threats that they detect, and if a file doesn’t appear on their list, they let it through, so if the threat has never been seen before, then this system falls down,” he said. “As such, phishing emails with ransomware can easily sneak into a user inbox, the user clicks on the attachment, and boom – the bad guys are in.”
For this reason, Flower said organisations must stop relying on antivirus alone to protect their endpoints and add capability to assess a threat against a set of policies and common characteristics.
“This should then be combined with broader threat intelligence, where you can see if a particular file has ever been seen before,” he said. “If it hasn’t, then it is likely to be zero-day and hazardous. This allows organisations to get smarter about security and avoid falling into this sort of trap.”
Research has shown that relatively low-cost ransomware attacks typically net thousands of pounds a week for attackers as companies pay ransoms in bitcoin for the decryption keys to unlock their data.
But Raj Samani, chief technology officer for Europe at Intel Security, said most ransomware attacks “can be avoided through good cyber hygiene and effective, regular data backups that are continually tested to ensure they can be restored if needed”.
And Patrick Wheeler, director of product at security firm Proofpoint, said regular backups are “the most reliable method for recovering infected systems”.
Businesses need to be proactive, said Samani, because the decryption keys are not always provided when ransoms are paid.
“Being proactive is often easier and less costly than a reactive approach, and by paying ransoms, companies should recognise that they are contributing to cyber crime by supporting those responsible for it,” he added.