Mark Warren discusses ransomware attacks and why the NHS is particularly vulnerable
Mark Warren is currently a Marketing Director at Osirium and has extensive experience as an agent, buyer and seller.
I’ve been with the company for just about three and a half years now. I suppose I joined as a Product Marketing Specialist, but last year I took care of the whole marketing team. So I’ve got a long history as an agent, but in all sorts of different parts of technology, both as a buyer and a seller. The problem we’re dealing with is enterprise-level security. And in the last three and a half years, with Osirium, we’ve been focusing on the privileged access management space. I have a lot of experience in the privileged access management space, which has been absolutely fascinating. It’s been a really interesting area for me to get into. And in the last couple of years, even I’ve seen a change, I think, in our marketplace.
What is ransomware?
The simplest form of ransomware is this whole idea that many people will be familiar with. Although it started back in 1999, it really came to people’s consciousness, I guess, back in 2017 with WannaCry, which impacted the NHS.
That kind of traditional attack was relatively simple. It was the idea that some kind of virus would get onto every laptop, every endpoint, every workstation, encrypt the disk, and you would get a nasty message that pops up and says, ‘Your disk is now owned by us, or, your data is now owned by us. Send this bitcoin to this address by this time and we’ll send you the key to uncrypt or decrypt your data and get it back again’. Now, what we’ve seen since that time is a huge evolution of the way the attacks are delivered and the damage the attacks can do once they strike. So one of the things we saw fairly early on was called a double whammy attack or a double-headed attack. ‘I’ll encrypt all your disk and your data, but before I do’, the attacker says, ‘I’m going to steal as much of your data as possible’.
So exfiltrate data out of your network and I’ll go and sell that. We’ll go and sell that generally through dark web channels, below-the-radar kind of channels. And there’s a particular example of that a couple of years ago when the Irish health service was attacked and the attacker there tried to sell a lot of personal data from the health care system.
Now, eventually, I guess, the attackers maybe had a little bit of morality hit or something, and they did give back as understanding. They gave back the decryption key so that the households could decrypt the system so that they could get back to work again, but they could never return the data that had been stolen. Once it’s outside the building, effectively in the world, you’re never going to get that data back. So that kind of double attack is becoming more and more prevalent and I think even more recently we’re starting to see two or three other levels of nuance or extensions to attack. So steal data, encrypt data, and add new levels of threats. For example, if you don’t pay by a particular date, then we’ll release the data onto the internet and get out of it.
That kind of dials up the pressure on somebody to pay the ransom. Or if you go public or report the attack, then we’ll take kind of the nuclear option and actually physically just brick the entire machine. So the attack will actually attack the security chips on the motherboard. It’ll go in and destroy this. So there’s no way you can restore your machines.
It becomes kind of economically impractical to rebuild your machine. You’re basically going to bin that machine and buy a new machine and hope your backups are okay. So there are various words that people use. They talk about exfiltrators, who would steal the data, the people that could just wipe your disk if you don’t pay, or the brickers – the people who actually brick the machine, damage the security chip, damage the disk so that you can’t recover. So the attacks have kind of got more advanced, more dangerous, because ransomware attackers obviously want to make it as hard as possible for the victim to recover because that makes the chances of a ransom being paid greater.
So that’s why you see all of these new evolutions of the kind of attacks. And the people making money out of all of this are probably the people who aren’t doing the attacking. Funnily enough, there’s a kind of little industry of ransomware as a service. So you can go to dark marketplaces and find ransomware as a service. So if you subscribe to the service, you can pick up somebody else’s code and start distributing it around. And even these ransomware providers will provide things like help desks to help victims pay their ransom to get their data back or whatever. So there’s an industry: the people that have got relatively low risk but high reward are the people selling the software that somebody else is delivering, because whoever’s doing the delivery is the one that, if anybody’s going to get caught, it’s probably going to be them. And so it’s very hard. The big groups that have been out there who are selling software, they’re much harder to track down, they’re much more sophisticated, may be state-sponsored, they’re really hard to get hold of, but it becomes easier for a lot of people to roll out attacks because there’s very little investment involved.
You don’t have to be a coder, you don’t have to know how to get down to network traffic sniffing or whatever to deliver. You just send out an email with a bad link in it and you’ve got a business start-up.
Is ransomware in the news because it is becoming increasingly dangerous?
I think so. There may be two parts. Just a sheer volume of attacks… it is much bigger than it ever was. WannaCry was not the first attack, but it was probably the first one that got people’s attention. Now I think it’s a combination: there are more attacks than we have ever had before and there are various reports that talk about 100% growth of attacks during 2021.
Secondly, people are becoming more aware of ransomware and so there is good work going on by people like the NCSC in the UK and CISA in the US looking at how people can protect themselves from ransomware attacks. So there’s a visibility that’s being raised rightly by the authorities. There’s a certain amount of victims becoming more open about being attacked. So there have been some big names like Kaiser or SolarWinds who have gone fairly public about how they were attacked and what they managed to recover. I’ve talked to a number of our customers who say, ‘Yeah, we should do more of that, we should absolutely share more because we learn from each other’. And then you ask ‘Can we use your name in a story?’ And they say ‘No’.
There’s a good feeling about the idea of sharing information so that we can all learn and better protect ourselves. But there’s still a lot of caution about divulging too much, whether it’s how we were attacked or what we lost. Now that may change. I think there is an interest in generally being open and sharing information, but also there are signs that legislation will come to make it required that people report attacks. That becomes public domain. I think there’s already some work going on in the US government for that. I think federal agencies, if they are attacked, have to be quite open about the attacks. Now that may well be coming over this side of the pond as well at some point. So that’s a combination of things: there are more attacks, they are more visible and people are being more open about being attacked. So that’s probably why we’re hearing a lot more noise and activity now.
Why do individuals not want to reveal that they were attacked?
I think there are several potential reasons. One is nobody likes to admit that they had a failure. So there is some data that seems to suggest that once you’ve been attacked once, there’s a very high liability, a very high chance that you’ll be attacked a second time. Even if you pay a ransom, you’ll be attacked a second time. So people are worried about saying too much about what happened because it may encourage others to take part.
I saw a presentation recently by a couple of people at the Cyber UK conference who were all victims. It was really striking and moving how personal the people in the IT organisation felt about being attacked. They thought they’d taken all the precautions they could and they did, they did a good job there. But there are always weaknesses, and often, as human beings, there are weak points. But they felt a lot of, I guess, affinity with the real victims because it wasn’t the local authority, it was the people that rely on the local authority for their services.
So whether it’s child protection services or it’s housing or it’s benefits payments or whatever, these are the people that weren’t getting paid or the children that weren’t being put on a risk register. And the people in the organisation took it personally that they had been attacked. So it’s really hard for people to talk about that because they really felt like they’d let themselves down. They let the organisation down, they let the council residents down. It’s really hard to be public, but they’re also the first to say ‘We’ll only get better by sharing and learning’. So that’s encouraging. There are a number of reasons why people aren’t as public as they should be, but I’d say that may well be changing.
How are ransomware attacks linked to the dark web?
There are three parts there. There came this sweet spot where software is becoming available to share the ransomware as a service. The dark web is a marketplace where you can deliver this stuff and it’s hard to track down. And the third key element is the rise of cryptocurrency and the ease of making payments that are hard to trace. They’re not impossible. People are getting caught trying to turn cryptocurrency into real cash or whatever. I think the very first attack asked for postal orders or cheques to be sent to pay the ransom. Postal orders used to be the way that you could get a piece of paper and give people money. But if you ask for bank transfers or credit card payments, you know, there was always an agency there, the bank or the credit card company, that could stop the payment.
Whoever received the money could be tracked down very easily. With cryptocurrency, that’s not the case. There is a way of paying for ransomware through bitcoin or other cryptocurrencies on the dark web which means that the chance of success is quite high and the risk of being caught is quite low. So you’re seeing those things come together which helps that kind of rapid growth.
What’s in it for the hackers other than the money?
There are probably some people that are doing it for fun, just to disrupt because they like to cause trouble. There are a lot that are almost certainly doing it for the money. There is an element, and I don’t have data, but there is the intent to disrupt. And that’s often a state actor who wants to disrupt. That’s why so much effort goes into these days protecting the NHS or protecting critical national infrastructure like rail or electricity. Because it would be very dangerous if an attack got into the national grid, for example, and hackers started shutting down power supplies somewhere near a hospital. So some attackers are no doubt involved in this and they’re not in it for the money. They’re in there to cause as much trouble as possible before they get caught. So there are various motivations there, I guess, that isn’t just money.
Why is NHS specifically being targeted?
As I understand it, the original WannaCry attack was accidental, but it wasn’t intended for the NHS. It was supposed to be wholly within a small group in Ukraine. And these things are very hard to control. The leaks got around. I think the NHS is just one example of a critical infrastructure service that is being protected. It is one where there’s a lot of potential for an attacker to cause a lot of damage. One is there’s a lot of personal data that could be stolen. I think that the impact is high, so the chances of being paid might look like it’s a good risk-return. The NHS is particularly difficult. To protect the NHS, we’ve had a lot of success with all 50 NHS trusts using our products. They’re a highly diverse organisation. There are lots of bits of infrastructure in lots of places. A lot of it is quite old. When WannaCry happened, a lot of it happened because there were a lot of Windows XP machines, or machines that weren’t patched up to the latest Windows 7 or later service packs and that kind of thing.
So you’ve got a lot of legacy systems. MRI scanners are using very old hardware but they have to because that’s the only version of the hardware that will work with that scanner. So you’ve got a very complicated landscape of IT infrastructure, but that doesn’t mean they can’t be protected. So at the beginning of 2021, the NCSC saw that there was a rising threat to the NHS. It was a target for a lot of attackers and they came out with some very specific guidelines that you should do what you can. There’s lots of best practice and the NHS have something that’s like Cyber Essentials. They call it DSP, Digital Safety and Protection. So they have a lot of best practices there about protecting privileged accounts, protecting access to vital systems, that kind of thing. One of the most vital systems to be protected is backups, because once an attack occurs, assuming you’re not going to pay the ransom, and even if you do pay the ransom, you’re not guaranteed to get your data back because there are bugs in the code. So even if you get the decryption key, that may not work.
Your real route to recovery is to restore from a backup. So you have to protect your backup systems, and interestingly, ransomware targets systems like backups because, again, coming back to it, the harder you make it to recover, the more likely a ransom is to get paid. So backup systems and backups themselves are being targeted by ransomware attackers. Delete the backups, encrypt the backups, and stop them from being recovered. So the NCSC said that the NHS Trusts should pay extra attention to protecting backup systems. And on the back of that, NHS Digital made a budget available to the NHS Trusts to invest in privileged access management specifically for backup systems. It wasn’t a huge amount of money, but then it didn’t need to be. It’s about £5000 per trust and that’s where we signed up about 40 or so Trusts. So that gives an extra level of protection around the backup systems, so that an attack, even if it gets into the network, won’t easily transfer or get access to backups and delete them. That gives a chance of recovery. The chances of recovery are increased considerably. So that was interesting. The NHS put the effort into that. Now there are similar warnings, although perhaps not at quite the same high level yet.
But there are signs out there that higher education is another target for many of the same reasons. Highly diverse infrastructure, some legacy systems, because universities have been doing it longer than anybody else in the world because that’s where a lot of stuff was invented. Sadly, it seems odd that both the NHS and universities or schools, they’re not exactly rich companies or rich organisations, but they are being attacked because they seem like soft targets, I guess. So, again, we’re seeing a lot of pickup within higher education in particular. So universities want to gain protective assistance because they are highly diverse. They’ve got the student population coming and going, lots of vendors, and third-party suppliers that need to connect to network systems. So there’s a lot of potential for attackers to strike. So that’s probably the next biggest target. And then I think about national infrastructure with power and telecoms. That’s another prime target for attack as well.
Who else is at risk from ransomware attacks?
All of those mentioned. There are businesses that are rich and might be willing to pay a ransom. They are perhaps less visible because they are more private, so they don’t have to declare everything. But I think healthcare, education, and infrastructure are the top three that we see as a target.
How can the NHS and similar organisations protect themselves?
There’s lots of best practice, which just kind of makes sense. Make sure everything’s actually up to date, make sure you are doing audits and preparing for this. Do you have a plan for when the attack happens? What are you going to do? There will be attacks and one of them will succeed one day. So be prepared. There are all the things like best practice guidance, like Cyber Essentials, like ESP, PCI, all those.
Human factors are perhaps one of the biggest weaknesses that get exploited. There are some really great projects doing cyber training and cyber awareness training, but they can’t be foolproof. You know, human beings are fallible, mistakes get made, attacks are really, really clever and you can’t defend against every one. So at some point, a human being will click on a bad link or will install something that we shouldn’t install. So always look for the tiers of protection. We would say if you can’t install software, then you can’t install malware. So that’s one of the things that we’re pretty hot on at the moment. If people have got local admin rights on their Windows workstations, they can install software; take away those local admin rights and they can’t.
But you have to do that in a way that still lets people do their work without creating a huge burden on the IT team. One of the services we offer is endpoint protection. That allows people to take away the risk of installing malware, but still lets people get on with doing their work. So you’ve got to protect the back-end systems like backups, access to backups, but stop the attack getting in in the first place by taking away the chance to install the malware on the endpoints as well.
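The advice above is to find out who holds local admin rights on Windows workstations and remove the ones that are not needed. The following PowerShell script is an added example of how an IT team could audit that; it is not Osirium’s product code and is not from the interview. It assumes it runs with enough privilege to read local group membership, and the allow-list entries are constructed placeholders that a real deployment would replace with its own approved accounts and groups.

```powershell
# Added example (not from the interview or any Osirium product): audit the local
# Administrators group on a Windows workstation and report members that are not
# on an approved allow-list. The allow-list below is a constructed placeholder.
# Assumption: run in an elevated PowerShell 5.1+ session on Windows 10 / Server 2016+,
# where Get-LocalGroupMember (Microsoft.PowerShell.LocalAccounts) is available.

$ApprovedAdmins = @(
    "$env:COMPUTERNAME\Administrator",   # placeholder: the built-in local admin account
    "EXAMPLE\Workstation-Admins"         # placeholder: a domain group used by IT support
)

function Get-UnapprovedLocalAdmins {
    param(
        [string[]] $Approved = $ApprovedAdmins
    )
    # Members come back as DOMAIN\name or COMPUTERNAME\name, with ObjectClass User/Group
    # and PrincipalSource Local / ActiveDirectory / AzureAD / MicrosoftAccount.
    $members = Get-LocalGroupMember -Group "Administrators" -ErrorAction Stop
    foreach ($m in $members) {
        # -notcontains is case-insensitive, which matches how Windows treats account names.
        if ($Approved -notcontains $m.Name) {
            [pscustomobject]@{
                Name            = $m.Name
                ObjectClass     = $m.ObjectClass
                PrincipalSource = $m.PrincipalSource
            }
        }
    }
}

$unapproved = @(Get-UnapprovedLocalAdmins)
if ($unapproved.Count -gt 0) {
    Write-Warning "Unapproved members of the local Administrators group on $env:COMPUTERNAME:"
    $unapproved | Format-Table -AutoSize
    # Remediation, left commented out so the audit is read-only until the list has been reviewed:
    # $unapproved | ForEach-Object { Remove-LocalGroupMember -Group "Administrators" -Member $_.Name }
} else {
    Write-Host "Local Administrators group on $env:COMPUTERNAME contains only approved members."
}
```

Run as an audit first and feed the output into the review the interview recommends; the removal line is deliberately commented out so that an ordinary user whose day-to-day work genuinely needs a specific application is not cut off before a sanctioned alternative (such as the endpoint tooling mentioned above) is in place.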
Is the government doing enough to support the NHS?
You’d always say we could do more. I think the NCSC is doing some really good work through the guidance that they offer, but people do have to read it and pay attention. Cyber Essentials is a good programme to get the basics right. We also need to think about our requirements around who has access to which systems and is access only available for the period of time they need it? Do they have the least privilege that they need to get their work done? So pay attention to all those things. That includes other things like keeping systems up to date and making sure the software you’re using is supported and that kind of thing.
So it’s not just a box-ticking exercise. There are some really good practices in there. Do follow them; they are continually updating them. So I think it’s good work there. A higher education organisation, for example, has to improve their privileged access management because it’s a requirement from their cyber insurance company.
So cyber insurance affects local authorities and government agencies just as much as it does banks and everybody else. And that’s another one of these industries that’s kind of in transition at the moment. In the early days, cyber insurance was kind of offered without a lot of thought by the insurance companies. But now they start to see people claiming, so they’re getting much tighter on requirements to buy insurance, to show that you’re taking reasonable steps to protect yourself, and also being a lot tighter on paying out. And generally they don’t pay out to cover ransom payments. So the cyber insurance industry is also driving a lot of best practice as well.
How else could the government help?
I think we’re seeing a good increase in the number of training opportunities. It’s been quite an eye-opener to me. I was at Cyber UK back in May and I spoke to quite a lot of people from different universities and the number of university courses on cybersecurity was quite remarkable. Every one of the courses is full and most students are going into some form of education. So that’s great. That’s a really good pipeline coming through, but it’s the people already in position who are perhaps not being kept up to date enough.
There may be general problems with ongoing training of people. So is there enough being done for public awareness? Maybe not, but then there are a lot of calls on people’s time, whether it’s pandemic preparedness or recovery through to economic factors. When you’re dealing with inflation at 9% or 10%, there are lots of priorities out there, so it is difficult to get attention. But I think that there’s a lot of good work going on through the NCSC, but it does require all agencies… all organisations to be paying attention and not just assume that somebody else is taking care of the problem.
Everybody’s got to take some responsibility for their own system.
Do you think we should be prepared for another WannaCry attack?
Almost certainly something will happen. It would be an exaggeration to say that our defences are 100% impregnable, that we will never be attacked. That’s not a good place to be working from. The next step down from that is: last year we did some research on 1000 UK IT directors on ransomware and we found a surprising number of people seem to take the attitude, ‘Well, we’ve not been attacked yet and we think the cost of the ransom will be lower than the cost of trying to protect against something that we know is not going to be 100%’.
That’s an equation that worries me a lot – that the ransom is going to be affordable. You don’t know that until the attack comes in, and even if you pay the ransom, you might not get the data back. I say you can’t trust the people. They may not give you the key, but you give them the money. And if they do give you the key, there are faults in the software; you can’t guarantee you’ll get 100% data recovery, even if you have the decryption key.
So that’s not a good balance of risk in my mind. So again, you’ve got to be prepared for when the attack happens. If it never happens, that’s fine, but that’s a problem we have with cybersecurity in general. Everybody’s defending against or investing in something that’s not going to happen. I’m buying antivirus so that I don’t get a virus. So if we don’t get a virus, that means I’ve been successful. But maybe there wasn’t one attacking us anyway; but certainly there was, probably hundreds of times a minute or something. But the tools are working. People should always plan for when the attack will happen.
I wonder if people are fully in government. It may be a slightly different kind of motivator as well, but we talk about the cost of ransomware attacks and paying the ransom and how long it takes to get the business back to operation again. And that’s certainly a huge cost. But reputational damage is an important factor. It could take weeks, months, years before people fully get over the fact that Acme Inc. was attacked. And do I trust them with my bank details next time around? If I know that there’s an organisation out there that is promoting itself as saying, we hit all of these standards, we’ve got all this protection in place, our priority is the security of our customers and our clients and our users, I think humans will want to go to what looks safer. So don’t underestimate the potential for reputational damage, even if you can recover your systems, especially if the world is moving towards you having to be public when you get attacked. Where you’ll be judged is how well you handle the attack, how you communicate it, how you protect your users and customers, how you recover. You know, all those things will become an important business capability.