Case Study

How Big Data Feeds Big (Data) Crime

Excerpted from Wall, D.S. (2018) How Big Data Feeds Big Crime, Current History: A journal of contemporary world affairs, 1 January, pp. 29-34. (references removed). See https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3359972 Developed further in BIG DATA, BIG CRIMES: Linking the Crime Supply Chain in the Cybercrime Ecosystem (forthcoming). Funded by EPSRC EP/M020576/1 & EP/P011772/1

Cybercrime Group, Centre for Criminal Justice Studies, University of Leeds

Big data helps organisations predict social behaviour. It brings with it a range of exciting new data analytic tools that offer great potential for identifying new truths about social and physical phenomena that were previously impossible to research on such a large scale. Largely the product of cloud technologies, which have over the past 15 years massively increased the number of data flows in circulation, big data is in high demand. But big data is also a very disruptive phenomenon. It has a positive side in that it inspires creativity and new forms of thinking about business and service delivery, but in the wrong hands these social benefits can be overshadowed. So much so that its value has stimulated illicit and licit markets which circulate and process the stolen data and which are encouraging data breaches. Not only do data breaches cause massive financial and reputational losses for affected organisations, but the stolen data is then used in a number of ways to cause criminal harms, mainly to create delivery mechanisms such as spamming services or botnets. These services can be used, for example, to send out fraudulent ‘phishing’ emails that seek to socially engineer a response, either to deceive recipients into giving personal financial information that can subsequently be used to defraud them, or to click on a URL link or open an attachment that will infect their computer with malicious software. Such ‘malware’ might harvest the computer user’s data, or it may be ransomware which, through encryption, can either disable key data in an infected computer system until a ransom is paid, or destroy the data by rendering it useless. Hence, in such a manner data can also be ‘weaponised’ and used to ‘attack’, especially when the data delivery systems mentioned earlier can include the ability to send out Distributed Denial of Service (DDoS) attacks (sending out floods of login data) to restrict access to system gateways.

Thus, the use of ‘stolen’ data following data breaches creates a chain of cybercrime events by enabling large-scale ‘downstream’ cybercrimes to take place. If ‘upstream’ cybercrimes, such as data breaches, can be prevented, then it follows that the ongoing ‘downstream’ cybercrimes will be prevented from taking place on such a large scale. The big question is how to break the chain. One obvious answer is to identify the tipping points at which the data cascades downstream, such as the point (e.g. darkmarkets) where the stolen data passes from one group of offenders to another, from the sellers to the buyers – this ‘cascade’ effect is the subject of another article from the CRITiCal & EMPHASIS projects (The Cascade Effect). Another way to break the chain is to explore how data analytics involving artificial intelligence and machine learning can be harnessed to identify data breaches and other ‘upstream’ big crimes as they take place, or to develop measures out of the research to prevent them before they happen. In effect, this turns the technology on its head and shifts the advantage back from ‘black hat’ to ‘white hat’. Again, aspects of this are being explored in the CRITiCal project.

Big cybercrime is here to stay because we are in the age of big data and this is a bitter pill that cannot be sweetened. Protective measures such as data backups, personal recovery tactics, and business continuity strategies can go a long way toward mitigating the damage done by increasingly common attacks. But a broader combined and multi-sector approach to big crime is needed that integrates technological defences with social, educational, professional and even some political reforms, as well as improved legal procedures. Such an approach must also clearly define which government and non-government agencies are responsible for tackling the threat of big crime, recognizing that it has the potential to severely disrupt our economy and society in general.

The Cascade Effect in Big Data Cybercrime

Excerpt from Porcedda, M.G. and Wall, D.S. (2019) ‘Cascade and Chain Effects in Big Data Cybercrime: Lessons from the TalkTalk hack’, proceedings of WACCO 2019: 1st Workshop on Attackers and Cyber-Crime Operations, IEEE Euro S&P 2019, Stockholm, Sweden (N.B. references excluded). Funded by EPSRC EP/M020576/1 & EP/P011772/1

Cybercrime Group, Centre for Criminal Justice Studies, University of Leeds

The big data phenomenon is driving ‘upstream’ data related cyber-dependent crimes such as data breaches. These crimes are essential components in a cybercrime chain that cascades ‘downstream’ to give rise to further crimes such as fraud and extortion, when the data is subsequently monetized in a way that impacts massively upon victims. These upstream and downstream crimes are often committed by entirely different offending actors against different victim groups, which complicates and frustrates the reporting, recording, investigative and prosecution processes. Taken together the crime stream’s ‘cascade’ effect creates unprecedented societal challenges that need addressing in the face of the booming data economy stimulated by advances in Artificial Intelligence and the Internet of Things. We explore this phenomenon by unpacking the TalkTalk case study to help conceptualize how big data and cloud computing are creating cascading effects of disorganized, distributed and escalating data crime. The case study also reveals important information about the levels of interdependency within the modern cybercrime ecosystem and, where relevant, the division of labour within the offender group.

In October 2015, news outlets extensively covered a data breach at TalkTalk, a UK internet service provider. The scale of the breach was serious enough to prompt a Parliamentary inquiry into cybersecurity and the protection of personal data online. Hackers used the open-source SQLMap penetration-testing tool, “that automates the process of detecting and exploiting SQL injection flaws and taking over of database servers”, to probe webpages. Vulnerabilities were found in three legacy webpages owned by TalkTalk and posted on TalkTalk’s website. Exploiting this vulnerability, another hacker took some data and his colleague asked TalkTalk for a ransom for its return or deletion. Multiple hacker collectives independently and erroneously claimed responsibility for the hack; the BBC even claimed that one was a “Russian Islamist group”. At the same time a third party promised to post the stolen data on the now-defunct deep web black market AlphaBay. Although there might have been up to 10 attackers in total, the police arrested six individuals and all but one were convicted; another individual also convicted at the time was alleged to have been involved in the sale of the data. The case study shows how complicated and distributed a data breach is, illustrating a clear disconnect between the very high media profile of the case, the police investigation and the subsequent prosecutions.

Our analysis of the TalkTalk case study suggests that tipping points occur at each stage of the cascade model, for example, the disclosure of a vulnerability, its exploitation, followed by its monetization (selling data). Then other offender groups buy data, either to use for further offending or to refine for future crime, while third-party offenders use the pretext of the original attack to deceive victims. The case study not only illustrates how cybercrime cascades from upstream to downstream, but it also enables us to make a number of observations. The first is that it shows the complex nature of online crime groups and their diverse and distributed (even disorganized) nature when compared with contemporary organised crime. Not only had the offenders not met in the flesh (only two knew each other in person), but they also appear to have been in competition with one another when it came to monetizing the data. The second is the relative youth of the offenders compared to the seriousness of their offending. Their profiles showed them not to be the burly street criminals that the criminal justice system is designed for, strengthening the argument for sentencing alternatives. Our third observation is that the motivations of those caught – who appear to be driven more by the prospect of increasing their status within the reputational hierarchy of their group than by financial gain – may have made them more easily identifiable to law enforcement, and so ‘low hanging fruit’. Our fourth observation is that the case study sends some blunt messages to (business) organisations to keep their computers and their data secure at a time when new attack vectors are often exceeding existing protection measures. Our fifth and final observation relates to how hard it is to find out information about cybercrime events in order to research cybercrime offending. There is no single reliable data source of information, and there is no single database for arrests, prosecutions and outcomes, although it becomes evident that there are historical, legal, bureaucratic and professional reasons why this is the case. In one way it suggests that there is a ‘myth of data’ and that research methodologies will have to adapt.

The Rise of Crypto-Ransomware in a Changing Cybercrime Landscape: Taxonomising Countermeasures

Excerpted from Connolly, A, and Wall, D.S. (2019) ‘The Rise of Crypto-Ransomware in a Changing Cybercrime Landscape: Taxonomising Countermeasures’, Computers and Security.
Lena Y. Connolly, David S. Wall – Cybercrime Group, Centre for Criminal Justice Studies, School of Law, University of Leeds, UK

Each year the increasing adaptivity of cybercriminals maintains ransomware’s position as a major cybersecurity threat. Evidence of this shift can be seen in its evolution from ‘scareware’ and ‘locker’ scams through to crypto-ransomware attacks. Whereas ‘scareware’ used to bully victims into buying unwanted software to remove ‘bad’ files, ‘lockers’ froze (but did not encrypt) the computer until a ransom payment was made for a release code. Crypto-ransomware, in contrast, encrypts data on the victim’s computer until a ransom payment is made to release it. In more recent malicious cases there is no release key; the malware is used as an attack weapon to permanently fry and disable the victims’ data, which can be devastating for the victim organisation and even more disastrous if that organisation contributes to national infrastructure.

This article draws upon candid in-depth interviews with ransomware victims and practitioners (including police investigators) to explore their reactions to the shift in the ransomware landscape. Our research (EPSRC EP/P011721/1 & EP/M020576/1) finds that a subtle ecosystem of social and technical factors makes crypto-ransomware especially harmful. As a consequence, there is no simple remedy – no silver bullet – for such a complex threat. The attackers are increasingly doing their homework on organisations before they attack and have become extremely adaptive in tailoring attack vectors to exploit existing weaknesses within organisations. Successful attacks combine technical and social techniques to get the malware onto the victim’s networks. These techniques include psychological trickery, profiling staff, and exploiting various weaknesses such as technical shortcomings, areas of neglect by senior management and a shortage of skilled, dedicated and adaptive front-line managers – basically any opportunity available.

Our findings illustrate the need for a multi-layered approach to protect organisations and make them more resilient to ransomware attacks. While the cybersecurity industry has responded to progressively serious ransomware threats with a similar degree of adaptiveness to the offenders, it has tended to focus upon technical solutions rather than the social aspects of ransomware. So, these observations suggest that organisations need to continually improve their security game and be as adaptive as the criminals in their responses to attacks. In order to achieve this goal, we developed a taxonomy of crypto-ransomware countermeasures that identifies a range of response tools, which are the socio-technical measures and controls necessary for organisations to implement in order to respond to crypto-ransomware effectively. We then identified the enablers of change – the groups of employees, such as front-line managers and senior management, who must take an active role in implementing the response tools to ensure the organisation is prepared for cyber-attacks.

We envisage that our findings will assist Police Officers working in Cybercrime Units to further understand the victim’s perspective and the impacts of crypto-ransomware. Also, they have important practical implications for IT and Security managers and their organisations more generally. The taxonomy provides a blueprint for systematising security measures to protect organisations against crypto-ransomware attacks. Managers need to select controls appropriate to their specific organisational settings. For example, the ‘business-use only’ of IT resources is necessary in some organisations, such as commercial organisations, but not practical in others such as research institutions. Similarly, face-to-face security training may be more effective in smaller organisations than larger ones. The taxonomy also underlines the importance of embedding appropriate ‘social’ based controls in organisational cultures rather than simply focusing upon technical measures. This is because, as indicated above, inappropriate measures, skills and support led to incidents occurring, some of which were particularly devastating.

The skill set for competent front-line management goes beyond being security and IT-savvy, to becoming organisationally adaptive and thinking like ‘the enemy’. Security professionals are required to be influential leaders who can change attitudes and behaviours in organisations by cultivating certain cultural traits. In return, senior management must be IT-competent and effective in overseeing the IT functions of their organisation. Senior managers represent an important part of the security chain in organisations and need to support the efforts of mid-managers. Ultimately, both levels have to respect each other’s position to work together, co-own the problem and co-produce the solution – something that is easier to describe than to implement in practice. Our future plan is to convert the taxonomy into a more user-friendly tool, similar to the Cyber Essentials self-assessment instrument.

News and events

Future Dates for Quarterly Meetings and Locations
2019:

9th July – Durham University

22nd Oct – Newcastle University

2020:

28th January 2020 – location TBC

Latest Events – Pam Briggs – RISCS Invited Speaker

Pam Briggs was invited by members of the National Cyber Security Centre to speak on ‘Behaviour change interventions around cyber insurance’ at the RISCS (Research Institute in the Science of Cyber Security) Community Meeting, Institute of Education, London, on April 11th.

2 New RA’s Appointed for CRITICaL Integration – May 2019

We have pleasure in welcoming both Stephen Bonner and Amir Atapour Abarghouei to the CRITICaL Team.

They will work on research challenges such as integrating network/cloud-related time series data of a very diverse and heterogeneous nature, developing innovative strategies for estimating the ‘state’ of a cloud system, detecting anomalies, natural language processing and predicting potential cybercrime.

They will also assist in the process of developing evidence for prosecutions, which is a crucial aspect of this work; as such, there will be an emphasis on creating systems that yield human-understandable knowledge.

Welcome to the Team.

CRITiCaL Quarterly Meeting – Leeds 2nd May 2019

A busy and packed meeting was held at Leeds with some of the criteria headings being discussed as below:

Mapping out the conceptual underpinnings of the changing Cybercrime threat
Understanding Cybercrime from a (Computer) Science perspective
Investigating cybercriminals and advising the criminal justice system on matters of process

We may be able to disclose some of the content in the next events update. Please keep looking.

About

The Northern Cloud Crime Centre brings an interdisciplinary group of researchers together to investigate criminal activity in the cloud. “The Cloud” introduces some entirely new complications to the identification, and policing, of crime on the internet, especially with regard to investigating and enforcing regulation.

It is primarily a new force multiplier which dramatically extends the reach of criminals globally and technologically, far beyond that which the internet currently facilitates. For the uninitiated, cloud technologies essentially share computing processing facilities on demand. While the potential of ‘cloud’ is still evolving, for the purposes of this discussion ‘The Cloud’ is the extra cyberspace that cloud technologies create: a space that creates much good and also much evil.

The Centre is led by Newcastle University, UK, and includes consortium members from Durham University, Northumbria University, and Leeds University. The consortium members engage on a wide range of research initiatives to understand and conceptualize cloud crime, to identify and detect typical crime patterns with machine learning techniques, and to support law enforcement in protecting against and preventing it.

The members of the Centre self-identify as data or social scientists, bringing a range of specializations and expertise areas to bear on the problem space of cloud crime and cyber crime in the wider sense.

Members of the Centre engage in projects with external partners to solve specific research problems on cloud crime on real datasets.