Ransomware in Dorset

Organised Criminal Gangs (OCGs) do not target ransomware at specific organisations. They carry out large campaigns to distribute ransomware as widely as possible, often in very simple and effective ways.

Produced by the Dorset Police and Crime Commissioner and Dorset Police.

To illustrate this, we only need to look back a couple of years at another criminally successful ransomware attack in Dorset.

The organisation in question was attacked on a Friday evening, as part of a passive campaign. To allow staff to work off site, the organisation let them connect to the corporate network through a Remote Desktop Portal: a web-based portal that requires valid credentials from a user before granting access to resources as if they were on site.

Unable to remember the exact web address of the remote portal, a member of staff turned to a search engine. Choosing the first result, and believing it to be genuine, they clicked through and entered their credentials. Unfortunately, the top entry on the search results page was a sponsored advert rather than a search result, and it happened to be a malicious advert for a website designed to look like the genuine portal. As a result, the employee's credentials were harvested by criminals.

Investigations showed that the malicious site was hosted on a server under the control of an OCG based in China. Now armed with the credentials, and knowing which legitimate portal the employee had been trying to reach, the gang were able to access the business's systems, to all intents and purposes appearing to be a genuine authorised user.

However, this compromise was just the beginning of their plan. Once inside the organisation, the criminals carried out reconnaissance: establishing exactly what type of organisation they had compromised, understanding how the user communicated with their contacts and, crucially, who those contacts were.

From there, the criminals crafted an email with a simple message: "Here is the information you requested". The email, carrying an attachment, was then sent to all of the user's contacts. Social engineering of this kind exploits people's natural curiosity: the gang hoped that recipients would open the attachment even if they had not requested any information, either because they simply wanted to see what it was, or because they could not recall whether they had actually made such a request.

Unfortunately, the attachment contained ransomware, which quickly spread across the networks of those who were persuaded to open it. Once it had taken effect, the malware encrypted any files it found and displayed a message demanding a ransom, payable in cryptocurrency, for their return.

The knock-on effects of these attacks are often overlooked, but can be just as damaging as the encryption itself. In this instance the organisation lost access not only to its email, but also to its telephone system (which was delivered over the internet). The malware also hit the print server, which served a critical role in day-to-day operations.

Faced with a situation like this, organisations generally have four options:
1 Rebuilding from backed-up data and avoiding paying a ransom.
2 Rebuilding from scratch and accepting that the data is lost.
3 Paying the ransom and hoping the criminals are honourable.
4 Closing down.

None of these options will remedy the fact that data may have been compromised, but there is one clear option that can get a business back up and running and, if executed effectively, minimise reputational harm: rebuilding from backed-up data and not paying the ransom. A well-practised response, in which a business recovers from an attack with minimal impact on its operations, demonstrates to customers and stakeholders that, even when things go terribly wrong, the business is resilient enough to survive.

As the example shows, an attack can be a long process involving more than one victim, and there are several areas a business needs to consider in order to defend itself comprehensively. Education around using remote portals, such as bookmarking the genuine address rather than searching for it, could have avoided the initial compromise. Protecting the portal with two-factor authentication could have limited the impact of the lost credentials (phishing-resistant methods give the strongest protection, since a one-time code typed into a lookalike site can be relayed by the attacker). Education around phishing emails could have prevented the secondary attack from succeeding.

There are measures to consider regarding both people and processes. It might seem arduous, and perhaps a bit daunting, but it doesn't need to be. There are plenty of resources, and a great deal of advice and guidance, available to businesses from reputable organisations like the National Cyber Security Centre or the South West Cyber Resilience Centre.

To find out more about these organisations, head to www.dorset.police.uk/cyber

Supply chain risk

Unfortunately, your supply chain is often a critical part of your business, and third-party vendors are often critical to your supply chain.

Recent incidents involving a file transfer platform highlight the potential pitfalls of relying on third-party vendors. In that instance, a previously undiscovered vulnerability in the platform allowed attackers to compromise data from a number of large customer organisations.

So, what can you do to manage the inherent risks within your supply chain?

The National Cyber Security Centre has twelve principles of supply chain security. We won't list them all here. The risks in your supply chain can never be completely mitigated, as they are often outside your control, but with the advice and guidance from the National Cyber Security Centre you will be well placed to have those important conversations with your suppliers.
