Cyber security: Think like the enemy

Cyber-security professionals need to get more cybercrime savvy about crypto-ransomware

The news out this week is that twenty-two US cities have been targeted so far in 2019 and that 170 county, city, or state government systems have been targeted by ransomware attacks since 2013.

This is in addition to attacks on many thousands of corporate businesses. In response, 227 city mayors at the 2019 annual US Conference of Mayors pledged that they will not pay a ransom.

The crippling crypto-ransomware attacks on Baltimore, Lake City and Riviera Beach, and on large multinationals such as Maersk, illustrate how adaptively cybercriminals have kept ransomware in its position as a major cybersecurity threat.

Co-author Lena Y. Connolly, Research Fellow at the Centre for Criminal Justice Studies in the School of Law at the University of Leeds

Evidence of this adaptivity can be seen in ransomware's evolution from ‘scareware’ and ‘locker’ scams through to crypto-ransomware attacks. ‘Scareware’ bullied victims into buying unwanted software to remove supposedly ‘bad’ files; ‘lockers’ froze (but did not encrypt) the computer until a ransom was paid for a release code.

Crypto-ransomware, in contrast, encrypts the data on the victim's computer and withholds the decryption key until a ransom is paid. In more recent cases there is no release key at all: the malware is used as an attack weapon to permanently destroy the victim's data, which is devastating for the victim organisation and even more so if that organisation forms part of national infrastructure.
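The technical difference between the three variants is visible on disk: a locker leaves file contents untouched, while crypto-ransomware and a key-less wiper both replace them with opaque, high-entropy bytes. The following Python script, an added example that is not part of the original article or the cited paper, compares a baseline snapshot of files with their current contents and flags the mass change in entropy that both the encryption and the wiper cases produce. The entropy threshold, the mass-change ratio and the sample file contents are constructed assumptions for illustration, not figures from the research.

```python
"""Entropy-based triage: tell intact data (locker case) from encrypted or
wiped data (crypto-ransomware / wiper case) by comparing two snapshots.

Added example, not code from Connolly & Wall (2019). Thresholds are assumptions.
"""
import hashlib
import math
from collections import Counter

ENTROPY_THRESHOLD = 7.0   # assumption: bits/byte above which content looks encrypted
MASS_CHANGE_RATIO = 0.5   # assumption: fraction of files turning opaque that raises an alert

# Magic bytes of a few common formats; encrypted output will not start with these.
KNOWN_HEADERS = {
    b"%PDF": "pdf",
    b"PK\x03\x04": "zip/office",
    b"\x89PNG": "png",
}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty input, at most 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(data: bytes) -> bool:
    """Opaque content: high entropy and no recognisable file header."""
    if any(data.startswith(h) for h in KNOWN_HEADERS):
        return False
    return shannon_entropy(data) >= ENTROPY_THRESHOLD


def triage(before: dict, after: dict) -> dict:
    """Compare two {path: bytes} snapshots; return per-file verdicts and an alert flag."""
    verdicts = {}
    for path, old in before.items():
        new = after.get(path)
        if new is None:
            verdicts[path] = "missing"     # deleted or renamed (e.g. a ransom extension added)
        elif new == old:
            verdicts[path] = "intact"      # locker-style incident leaves data untouched
        elif looks_encrypted(new) and not looks_encrypted(old):
            verdicts[path] = "encrypted"   # content turned opaque: crypto-ransomware or wiper
        else:
            verdicts[path] = "modified"    # an ordinary edit
    suspicious = sum(v in ("encrypted", "missing") for v in verdicts.values())
    alert = len(before) > 0 and suspicious / len(before) >= MASS_CHANGE_RATIO
    return {"verdicts": verdicts, "alert": alert}


def _pseudo_random(n: int, seed: bytes) -> bytes:
    """Deterministic SHA-256 chain standing in for ciphertext; to entropy
    analysis it is indistinguishable from real encrypted output."""
    out, block = b"", seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]


# Constructed sample snapshots (not real victim data).
BEFORE = {
    "report.txt": b"Quarterly report: revenue up 4%, costs flat.\n" * 40,
    "invoice.pdf": b"%PDF-1.4\n" + b"1 0 obj << /Type /Catalog >> endobj\n" * 40,
    "notes.txt": b"call supplier about delivery window\n" * 20,
}
LOCKER_AFTER = dict(BEFORE)                                # screen frozen, data untouched
CRYPTO_AFTER = {
    "report.txt": _pseudo_random(2048, b"k1"),             # overwritten in place
    "invoice.pdf": _pseudo_random(2048, b"k2"),
    "notes.txt.locked": _pseudo_random(1024, b"k3"),        # renamed with a ransom extension
}

if __name__ == "__main__":
    for name, after in (("locker", LOCKER_AFTER), ("crypto", CRYPTO_AFTER)):
        result = triage(BEFORE, after)
        print(name, "alert =", result["alert"], result["verdicts"])
```

The locker snapshot produces no alert because every file is byte-for-byte intact; the crypto snapshot trips the alert because every original path is either opaque or gone. The check cannot tell a recoverable encryption from a wiper, since on disk they are the same, which is exactly why the article's point about backups and organisational preparation matters more than detection alone.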

To understand this shift in the ransomware landscape we drew upon candid in-depth interviews with ransomware victims and practitioners (including police investigators). Our research (EPSRC EP/P011721/1) found that a subtle ecosystem of social and technical factors makes crypto-ransomware especially harmful.

As a consequence, there is no simple remedy - no silver bullet - for such a complex threat. The attackers are increasingly doing their homework on organisations before they attack and have become extremely adaptive in tailoring attack vectors to exploit existing weaknesses within organisations.

Successful attacks combine technical and social deception to get the malware onto the victim's networks. The techniques include psychological trickery, profiling of staff, and the exploitation of whatever weaknesses are available: technical shortcomings, areas neglected by senior management, and a shortage of skilled, dedicated and adaptive front-line managers.

Our findings illustrate the need for a multi-layered approach to protect organisations and make them more resilient to ransomware attacks. While cybersecurity professionals have responded to progressively serious ransomware threats with a similar degree of adaptiveness to the offenders, they have tended to focus upon technical solutions rather than the social aspects of ransomware.

So, these observations suggest that organisations need to continually improve their security game and be as adaptive as the criminals when responding to attacks.

To that end, we developed a taxonomy of crypto-ransomware countermeasures that identifies a range of response tools: the socio-technical measures and controls an organisation needs to implement in order to respond to crypto-ransomware effectively.

We then identified the enablers of change: the groups of employees, such as front-line managers and senior management, who must take an active role in implementing the response tools to ensure the organisation is prepared for cyber-attacks.

We envisage that our findings will assist Police Officers working in Cybercrime Units to further understand the victim's perspective and the impacts of crypto-ransomware.

The findings also have important practical implications for IT and security managers and their organisations more generally. The taxonomy provides a blueprint for systematising security measures to protect organisations against crypto-ransomware attacks.

Managers need to select controls appropriate to their specific organisational settings. For example, restricting IT resources to ‘business use only’ is necessary in some organisations, such as commercial businesses, but impractical in others, such as research institutions.

Similarly, face-to-face security training may be more effective in smaller organisations than in larger ones. The taxonomy also underlines the importance of embedding appropriate ‘social’ controls in organisational cultures rather than focusing solely on technical measures. This is because, as indicated above, inadequate measures, skills and support led to the incidents we studied, some of which were particularly devastating.

The skill set for competent front-line management goes beyond being security- and IT-savvy to becoming organisationally adaptive and thinking like ‘the enemy’.

Security professionals need to be influential leaders who can change attitudes and behaviours in organisations by cultivating certain cultural traits. In turn, senior management must now be reasonably IT-competent and effective in overseeing the broader IT functions of their organisation.

Senior managers are an important link in the organisation's security chain and need to support the efforts of mid-level managers. Ultimately, both levels have to respect each other's position in order to work together effectively, co-owning the problem to co-produce the solution, something that is easier to describe than to put into practice.

Connolly, L.Y. and Wall, D.S. (2019) ‘The Rise of Crypto-Ransomware in a Changing Cybercrime Landscape: Taxonomising Countermeasures’, Computers & Security. Available online, https://doi.org/10.1016/j.cose.2019.101568