Each year the increasing adaptivity of cybercriminals maintains ransomware’s position as a major cybersecurity threat. Evidence of this shift can be seen in its evolution from ‘scareware’ and ‘locker’ scams through to crypto-ransomware attacks. Whereas ‘scareware’ used to bully victims into buying unwanted software to remove ‘bad’ files; ‘lockers’ froze (but not encrypted) the computer until a ransom payment was made for a release code. Crypto-ransomware, in contrast, encrypts data on the victim’s computer until a ransom payment is made to release it. In more recent malicious cases there is no release key, it is used as an attack weapon to permanently fry and disable the victims’ data, which can be devastating for the victim organisation and even more disastrous if it contributes to national infrastructure.
This article draws upon candid in-depth interviews with ransomware victims and practitioners (including police investigators) to explore their reactions to the shift in the ransomware landscape. Our research (EPSRC EP/P011721/1 & EP/M020576/1) finds that a subtle ecosystem of social and technical factors makes crypto-ransomware especially harmful. As a consequence, there is no simple remedy – no silver bullet – for such a complex threat. The attackers are increasingly doing their homework on organisations before they attack and have become extremely adaptive in tailoring attack vectors to exploit existing weaknesses within organisations. Successful attacks combine technical and social techniques to get the malware onto the victim’s networks. Techniques that include, psychological trickery, profiling staff, and exploiting various weaknesses such as technical shortcomings, areas of neglect by senior management and a shortage of skilled, dedicated and adaptive front-line managers – basically any opportunity available.
Our findings illustrate the need for a multi-layered approach to protect organisations and make them more resilient to ransomware attacks. While the cybersecurity industry has responded to progressively serious ransomware threats with a similar degree of adaptiveness to the offenders, they have tended to focus upon technical solutions rather than the social aspects of ransomware. So, these observations suggest that organisations need to continually improve their security game and be as adaptive as the criminals in their responses to attacks. In order to achieve this goal, we developed a taxonomy of crypto-ransomware countermeasures that identifies a range of response tools, which are the socio-technical measures and controls necessary for organisations to implement in order to respond to crypto-ransomware effectively. We then, identified the enablers of change – the groups of employees, such as front-line managers and senior management, who must take an active role in implementing the response tools to ensure the organisation is prepared for cyber-attacks.
We envisage that our findings will assist Police Officers working in Cybercrime Units to further understand the victim’s perspective and the impacts of crypto-ransomware. Also, they have important practical implications for IT and Security managers and their organisations more generally. The taxonomy provides a blueprint for systematising security measures to protect organisations against crypto-ransomware attacks. Managers need to select controls appropriate to their specific organisational settings. For example, the ‘business-use only’ of IT resources is necessary in some organisations, such as commercial organisations, but not practical in others such as research institutions. Similarly, face-to-face security training may be more effective in smaller organisations than larger ones. The taxonomy also underlines the importance of embedding appropriate ‘social’ based controls in organisational cultures rather than simply focusing upon technical measures. This is because, as indicated above, inappropriate measures, skills and support led to incidents occurring, some of which were particularly devastating.
The skills set for competent front-line management goes beyond being security and IT-savvy, to becoming organisationally adaptive and thinking like ‘the enemy’. Security professionals are required to be influential leaders who can change attitudes and behaviours in organisations by cultivating certain cultural traits. In return, senior management must be IT-competent and effective in overseeing the IT functions of their organisation. Senior managers represent an important part of the security chain in organisations and need to support the efforts of mid-managers. Ultimately, both levels have to respect each other’s position to work together, co-own the problem to co-produce the solution – something that is easier to describe than to implement into practice. Our future plan is to convert the taxonomy into a more user-friendly tool, similar to the Cyber Essentials self-assessment instrument.