What unites the National Health Service, a bureau de change, one of the world’s biggest football clubs and a well-known high street clothing retailer?
Over the last four years, all of them have been held to ransom by cyber-criminals.
The £1.45million attack on FatFace this January, which only came to light a few weeks ago when the retailer informed customers and employees in emails reported by This is Money, has once again highlighted the increasingly regular ‘ransomware’ attack.
Ransomware attacks, in which criminals hold data or systems hostage, tripled in 2019-20 compared with the year before, according to the UK’s National Cyber Security Centre, while the total number of cyber-attacks reported to it rose from 658 to 723.
However the figures are likely to be higher as these crimes are underreported.
‘The NCSC has seen an increase in the scale and impact of ransomware attacks and a new and growing trend to be more targeted and more aggressive than ever before’, it said in a report published last November.
But what’s behind the rise, who is often targeted, and, most importantly, what can those worried about being hit do to protect themselves?
What is ransomware?
Ransomware, according to the NCSC, is a type of malicious software which prevents victims from accessing their device, or the data stored on it, until they pay a ransom or fulfil some other kind of quid pro quo. Typically the software encrypts the data and the attackers withhold the key needed to decrypt it.
And as well as becoming more common, the nature of these attacks has changed in recent years, the NCSC, a Government organisation which has provided computer security guidance and support since 2016, said in its annual report last November.
‘Rather than simply preventing access to data, criminals are stealing it and threatening to leak the most sensitive parts publicly.’
This is what happened in the case of Travelex, a well-known bureau de change hit by a ransomware attack on New Year’s Eve 2019 that left its systems down for weeks.
The firm provided travel money services for high street banks and major supermarkets which were also caught in the chain reaction.
Hackers claimed to have harvested 5GB of Travelex customer data including dates of birth, credit card details and National Insurance numbers, and reportedly demanded £4.6million in return for not leaking it. Such data can be valuable if sold on the dark web to criminals who can use it to commit fraud.
FatFace meanwhile paid out £1.45million to hackers who harvested 200GB of data and locked it out of its systems on 17 January this year. The data put at risk included names, email and physical addresses and National Insurance numbers.
Victims are usually asked to contact attackers via anonymous email addresses or websites and make ransom payments in a cryptocurrency such as bitcoin, which is pseudonymous and difficult to trace back to an individual.
Even if no money changes hands, attacks can be devastating, with data lost and computer systems unavailable for weeks.
The ransomware attack on the NHS on 12 May 2017, probably the best-known example in Britain, hit 34 per cent of NHS trusts and cancelled an estimated 19,000 appointments, according to a National Audit Office review of the attack published in 2018.
And even if data is recovered, the reputational damage can linger. Travelex, for example, collapsed into administration last August, owing to both the pandemic’s impact on international travel and the effects of the cyber-attack.
Cyber-attacks rose as a result of the coronavirus pandemic, the NCSC said last November
Who is a target?
As well as the NHS, Travelex and FatFace, Manchester United was hit in an attack last November, while Redcar and Cleveland Council in the North East was also attacked.
Cybersecurity experts said that rather than being sent out in a scattergun approach, such attacks are becoming more akin to ‘big game hunting’.
Professor Alan Woodward, a visiting professor at the University of Surrey, said: ‘Anyone can be a target, but ransomware is becoming rather more targeted.
‘Organisations are being targeted if they are very dependent on their IT, likely to be more vulnerable to an attack, and able to pay larger sums so the criminals can be sure of a good return on their investment.’
This is likely why organisations which hold lots of data, like the NHS, are hit.
Adam Palmer, chief cybersecurity strategist at the company Tenable, said: ‘While the value of credit card details, email and password combinations, are immediately obvious, an individual NHS number is considered to be worth as much as 10 times more than other information.
‘This is due to the additional crime that it enables, such as false IDs to purchase medication and equipment, to even filing false insurance claims.’
Sports teams are also in attackers’ crosshairs. Seven in 10 sports organisations surveyed by the NCSC last July said they had suffered a cyber-attack in the 12 months beforehand.
One unnamed football club was hit by a ransomware attack which stopped its CCTV cameras and turnstiles from operating and nearly cost it a match, while the attack on Redcar and Cleveland Council ‘caused considerable damage and disruption’.
‘Criminals do their homework when targeting’, Professor Woodward said.
How are companies and people targeted?
Adam Palmer, from cybersecurity company Tenable, and the former head of the UN anti-cybercrime programme
The attack on FatFace, and reportedly the one against Manchester United, were delivered through phishing emails.
These trick people into clicking on a link or downloading a file that installs the malware on a computer, and are the most frequently used way of launching ransomware attacks.
Professor Woodward added: ‘It’s also not unknown for some very targeted ransomware to misuse the software update process for some popular piece of software. In one instance attackers used a piece of accounting software used by companies doing business with Ukrainian companies.
‘Occasionally ransomware can exploit a vulnerability in internet-facing software to enable an attacker to obtain a foothold on your network and inject ransomware.
‘More often these vulnerabilities are used to enable the ransomware to spread within a network once it has gained its foothold via phishing emails.’
Attila Tomaschek, a digital privacy expert at the company ProPrivacy, said computers could also become infected through unlicensed apps or outdated software downloaded from websites, or through USB sticks and hard drives.
And in some cases, victims can be tricked into giving hackers remote access to their computers, which are then infected by ransomware.
How often do victims pay out?
Ever heard the phrase ‘we don’t negotiate with terrorists’? A similar principle applies to ransomware attacks.
Despite the threat of having valuable data destroyed or leaked, companies and other victims are advised not to pay the ransom or carry out any other quid pro quo.
‘If you do pay the ransom, there is no guarantee you will get access to your data or computer, your computer will still be infected, you will be paying criminal groups, and you’re more likely to be targeted in the future’, the NCSC warns, stating that ‘law enforcement do not encourage, endorse, nor condone the payment of ransom demands.’
However, FatFace did, while Travelex reportedly paid £1.66million in April 2020 to its attackers.
‘Sadly victims pay out rather than be publicly recognised’, Professor Woodward said. ‘It is very tempting if your business is on the receiving end of such an attack to simply pay up. Sometimes insurers have even covered the cost and so it is seen as the easiest way out.’
However, this can lead to organisations being put on a ‘payers list’, he said, which means criminals ‘then know you will pay and you will find yourself the target of further attacks.’
Instead, infected organisations are advised to disconnect infected devices from the network, wipe them, and restore them from a clean backup, using antivirus software to confirm the malware is gone. The spread of the 2017 NHS attack was halted after a ‘kill switch’ built into the malware was found.
And given these attacks can encrypt, destroy or otherwise put valuable data at risk, the NCSC also recommended regularly making offline backups of important files which are kept in a separate location, to make it easier for victims to recover from attacks after they happen.
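That advice only works if the backup you restore from really is clean and complete, which is why practitioners verify backups rather than assume them. The following is an added example, not code from the article or from the NCSC, of one way to do that: record a SHA-256 manifest of the backup set when it is taken, keep an HMAC of the manifest with the offline copy (so an attacker who reaches the backup cannot quietly rewrite the manifest too), and later compare the tree against it. The directory layout, file names, the hypothetical ransom note and the simulated tampering are all constructed for the demonstration.

```python
import hashlib
import hmac
import json
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every file under root (relative POSIX path) to its SHA-256 hex digest."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def sign_manifest(manifest: dict, key: bytes) -> str:
    """HMAC-SHA256 over canonical JSON of the manifest.

    The key is kept with the offline copy, never on the backed-up host, so a
    manifest that has been edited to match tampered files fails this check."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def verify_backup(root: Path, manifest: dict, signature: str, key: bytes) -> dict:
    """Compare the current tree against the signed manifest.

    A clean backup reports a valid signature and three empty lists."""
    signature_ok = hmac.compare_digest(sign_manifest(manifest, key), signature)
    current = build_manifest(root)
    return {
        "manifest_signature_ok": signature_ok,
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "missing": sorted(k for k in manifest if k not in current),
        "unexpected": sorted(k for k in current if k not in manifest),
    }


def demo() -> dict:
    """Constructed scenario: take a manifest of a tiny backup set, then simulate
    what ransomware does to a copy it can reach (overwrite a file in place,
    rename another, drop a ransom note) and show the verification catching each
    change. Nothing here is real malware; the tampering is plain file writes."""
    key = os.urandom(32)  # assumption: stored offline alongside the backup media
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "hr").mkdir()
        (root / "hr" / "payroll.csv").write_text("name,ni_number\nA Person,QQ123456C\n")
        (root / "customers.db").write_bytes(b"\x00" * 1024)

        manifest = build_manifest(root)
        signature = sign_manifest(manifest, key)

        # Simulated attack on the online copy (constructed for the example):
        (root / "hr" / "payroll.csv").write_bytes(os.urandom(64))        # "encrypted" in place
        (root / "customers.db").rename(root / "customers.db.locked")    # renamed
        (root / "README_RESTORE.txt").write_text("pay up")             # ransom note

        return verify_backup(root, manifest, signature, key)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point of the HMAC is the offline requirement the NCSC makes: a manifest that lives next to the backup is just another file the ransomware can rewrite, whereas a key and signature on separate, disconnected media let you tell a genuinely clean restore point from one that was tampered with before you noticed.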
And how can people protect themselves?
Ransomware attacks are a matter of when, not if, Professor Woodward said.
Because of their increasing regularity, companies and individuals need to take steps to limit the damage such attacks can do, even if they cannot completely prevent them from happening.
‘Employees should know never to click on any link or download any attachment contained in any unsolicited email or text message, never to plug hard drives or USBs into shared public systems, and never to download pirated software to their devices’, Attila Tomaschek from ProPrivacy said.
Manchester United were hit by a ransomware attack last November. However the club insisted no fan data was compromised in the attack
‘On top of that, organisations should implement strong password policies, require two-factor authentication to log into internal systems, and ensure operating systems are constantly up to date across the board to protect against vulnerabilities.’
This last point may sound self-explanatory, but the NAO report into the NHS ransomware attack in 2017 found affected trusts ‘could have taken relatively simple action to protect themselves’.
It added: ‘All NHS organisations infected had unpatched or unsupported Windows operating systems so were susceptible to the ransomware.’
Tenable also found unpatched systems were the most popular way cyber-criminals attacked companies in 2019-20.
Attacks on remote access systems also pose a greater threat with more employees working from home, meaning staff need to be extra vigilant and IT teams need to support them in securing those connections.
And lastly, companies need a plan.
‘These incident response plans should be practiced, you wouldn’t want to try a fire drill out for the first time whilst your office is actually burning down’, Professor Woodward said.
‘You protect yourself, and prepare for when the attackers get through. Ransomware is the single largest type of threat in cybersecurity at present and is set to grow.’