Organisations must adopt comprehensive cybersecurity strategies to mitigate ransomware threats. Brian Boyd, head of technical delivery at i-confidential, explains how

Ransomware has become one of the most prevalent cybersecurity threats facing organisations today. Its impact has been widespread, affecting everything from small businesses to large government entities.

A common misconception about ransomware is that it always involves data theft. However, many ransomware attacks are primarily focused on encrypting data, rendering it inaccessible until a ransom is paid, without stealing any information.

Understanding the distinction between encryption-only attacks and those involving data exfiltration is crucial for organisations seeking to protect themselves.

What is Ransomware?

Ransomware is a type of malicious software that encrypts the victim’s data and demands payment, often in cryptocurrency, in exchange for the decryption key.

This type of attack can severely disrupt operations, especially if backups are not available or are also compromised.

While some ransomware strains have evolved to include data theft as part of their strategy, many still focus solely on encryption.

Encryption-only ransomware attacks

In encryption-only ransomware attacks, the malicious actors aim to lock the victim’s files without extracting or stealing data. 

Often, though, the affected users also have mapped network drives with access to information that is shared and used by many people. The ransomware affects these files and folders as well, meaning that more than the originally exploited user has an issue.

These attacks can be devastating, causing operational chaos and financial loss, but they do not involve the added risk of sensitive information being exposed or sold on the dark web.

There is a general trend observed in sectors like education, financial services, and healthcare, where ransomware groups focus on encrypting data to disrupt services and force organisations to pay for decryption keys.

The UK has been one of the most targeted countries outside the United States, with a substantial number of these incidents reported over the last couple of years.

Real life examples of encryption-only attacks

It’s often difficult to tell whether data has been stolen in ransomware attacks. However, based on the information currently available, the following examples appear to be encryption-only.

St Helens Borough Council (2023)

In August 2023, St Helens Borough Council in northwest England was hit by a suspected ransomware attack that caused significant disruption to its IT systems and services.

The attack, which was identified on August 21, led to the shutdown of several internal systems as a precautionary measure.

Despite the council’s efforts to maintain service continuity, many of its typical operations were affected. Residents were warned to be vigilant, particularly against phishing emails that could exploit the situation.

While most critical systems were restored within a couple of months, the council acknowledged that the situation was complex and ongoing, with some non-critical systems still being worked on for full recovery.

Western Isles Council (2023)

In 2023, the Western Isles Council, also known as Comhairle nan Eilean Siar, suffered a significant cyber-attack that disrupted many of its services.

The attack, believed to be a ransomware incident, targeted the council’s IT infrastructure, causing widespread outages that impacted everything from email communications to public services.

The council worked closely with cybersecurity experts and the Scottish Government to contain the breach, restore systems, and ensure the integrity of sensitive data. They had to request emergency funding from the Scottish Government to help with the recovery costs.

Ransomware attacks involving data theft

In contrast to encryption-only attacks, some ransomware variants have evolved to include data exfiltration, where attackers steal sensitive data before encrypting it.

This strategy adds an additional layer of pressure on the victim, who may face not only operational downtime but also reputational damage and potential regulatory fines if sensitive data is exposed.

This scenario is more complex for the criminals, meaning it takes longer to complete. It also requires additional skills. Having said that, the additional effort is reflected in the ransom charged.

Real life examples of an encryption and data theft attack

British Library (2023)

In late 2023, the British Library in London was targeted by a ransomware attack that caused significant service disruptions, affecting its online services as well as other data.

Although initial concerns included potential data exfiltration, the primary focus was on encrypting data to disrupt operations, leading to challenges in accessing library services.

The incident highlighted the ongoing risk of encryption-only ransomware, even against large and well-known institutions.

The evolving threat landscape

As ransomware continues to evolve, understanding its various forms is crucial for organisations aiming to protect themselves.

Encryption-only attacks can be devastating, leading to significant operational and financial losses. They are less sophisticated but more readily available to less skilled criminals.

However, the addition of data theft introduces further risks, including regulatory penalties and reputational damage.

Organisations must adopt comprehensive cybersecurity strategies to mitigate these threats. This includes regular data backups, employee training, and the implementation of robust security measures to detect and prevent ransomware attacks.

Moreover, understanding the motives and tactics of ransomware groups can aid in developing effective defence mechanisms.

In conclusion, while many ransomware attacks still focus on encrypting data without theft, which is the lowest cost of entry to the attack, the rise of double extortion tactics underscores the need for vigilance and preparedness in the face of evolving cyber threats.