research-article
Open Access

The Evolving Menace of Ransomware: A Comparative Analysis of Pre-pandemic and Mid-pandemic Attacks

Published: 20 October 2023


Abstract

Drawing upon direct interviews and secondary sources, this article presents a qualitative comparative analysis of 39 ransomware attacks, 26 of which occurred shortly before the outbreak of the COVID-19 pandemic and 13 of which took place during the pandemic. The research objective was to gain an understanding of how ransomware attacks changed tactics across this period. Using inductive content analysis, a number of key themes emerged, namely (1) ransomware attackers have adopted more sinister tactics and now commit multiple crimes to maximise their return; (2) the expanded attack surface caused by employees working from home has greatly aggravated the risk of malicious intrusion; (3) the preferred attack vectors have changed, with phishing and VPN exploits now to the fore; (4) failure to adapt common business processes from off-line to on-line interaction has created vulnerabilities; (5) the ongoing laissez-faire attitude toward cybersecurity and lack of preparedness continues to be a substantial problem; and (6) ransomware attacks now pose potentially severe consequences for individuals, whose personal data has become a central part of the game. Recommendations are proposed to address these issues.


1 INTRODUCTION AND BACKGROUND

In recent years, the scourge of ransomware has presented one of the foremost threats to the operations of public and private organizations, continually featuring as a top priority warning in reports issued by cybersecurity firms, governments, and law enforcement agencies [FBI 2019; Europol 2020; Acronis 2021]. It is constantly evolving and the number of attacks has grown exponentially [Richardson et al. 2021].

In this article, we examine how ransomware attacks have changed since the outbreak of the COVID-19 pandemic. Data from 39 cases is compared, of which 26 occurred shortly before the pandemic (2017–2019 period) and 13 during the pandemic (2020–2021 period). We refer to these two periods as “pre-pandemic” and “mid-pandemic,” respectively, consistent with terminology used in the broader academic literature and public discourse.

The COVID-19 pandemic hyper-accelerated the digital transformation of workplaces, leading to millions of employees worldwide working in improvised home spaces that were far from ideal as regards security. At the outset, the majority of organizations were ill prepared for the security risks of working from home and lacked guidelines on cybersecurity practices [Furnell and Shah 2020; Georgiadou et al. 2022]. Unsurprisingly, the level of cybercrime targeted at individuals working from home increased substantially during the COVID-19 pandemic [Buil-Gil et al. 2021; Lallie et al. 2021]. Social engineering is a major risk for teleworkers, requiring organizations to have effective Security Education, Training and Awareness programmes in place [Abukari and Bankas 2020]. However, employees working from home are prone to developing “security amnesia” and abandoning routine practices [Borkovich and Skovira 2020]. This is simply because when individuals are within the comfort of their own home, as opposed to a corporate office, they naturally tend to feel more at ease and do not take the same precautions.
As Furnell and Shah [2020] put it, “staff are working in the relaxed and safe environment of ‘home’, and so may be less inclined to feel bound by the policy norms of the workplace.” Other reasons include distractions and tiredness (maintaining work–life balance and avoiding distractions at home is a major challenge, resulting in fatigue and loss of concentration that can result in costly mistakes with data security), the tendency to use workarounds (e.g., employees may attempt to by-pass VPNs and other inconvenient security procedures, such as emailing documents to their personal accounts or storing unencrypted work data on their own devices), and sloppy practices on personal devices (e.g., employees using personal laptops at home may not have anti-malware software installed, may not be vigilant in relation to application security patches, or may disable file encryption if they feel it impacts performance) [Brandenburg and Mee 2020].

In recent years, many organizations have embraced the concept of “bring your own device” (BYOD) and adopted fair use policies to permit employees to use company IT resources for personal purposes. The separation of work from private life has become very blurred, which raises problems not just with work–life balance and “techno-stress” but also IT security. The coming together of BYOD, working from home as necessitated by the COVID-19 pandemic, and more stringent data protection legislation (e.g., EU General Data Protection Regulation (GDPR), California CCPA) is a perfect storm that has created very challenging circumstances for IT security managers. On the one hand, they have to deal with an expanded attack surface, and, on the other hand, they are obligated to enforce adequate measures to prevent unauthorised access to sensitive data, which can be scattered across a host of systems and devices. For ransomware attackers, this rather disorderly situation has presented opportunities that they have not hesitated to exploit.

Since ransomware first appeared on the scene as a major threat (about the year 2013), the volume of academic literature on this topic has mushroomed. Several surveys and systematic literature reviews of ransomware attacks have been published. However, these prior studies focus almost exclusively on the technical characteristics of ransomware, with very little attention given to socio-technical aspects or the actual impact upon victims. For example, Maigida et al. [2019] present a taxonomy of ransomware attacks under two branches of crypto or locker, as well as an extensive synthesis of detection/prevention techniques. They do not, however, analyse any cases of actual ransomware attacks against organizations. Similarly, Reshmi [2021] presents a literature review of ransomware, but it consists entirely of a series of technical recommendations and does not draw upon any real-world studies of breaches. Al-Rimy et al. [2018] present a survey of ransomware threat success factors, but the scope of their work extends only to infection vectors and enabling technologies (i.e., cryptography techniques, payment methods, ransomware development kits). They do not consider any organizational or socio-technical factors.

There are very few empirical studies of ransomware attacks in the literature, not least because victims generally do not wish to publicize the fact they were breached. Even if it becomes known that they were, they do not wish to speak about it. Indeed, there are a number of cases where organizations denied that they were attacked, even though corporate data were apparently leaked on the Dark Web. However, that tactic can sometimes be a ruse [Coveware 2021]. Our extensive search of the literature revealed just a handful of studies that looked directly at the experiences of organizations that were victims of ransomware:

Using secondary data, Choi et al. [2016] analysed 13 reported attacks on police departments from 2013 to 2016. They found that online lifestyle and cyber security stance contribute to ransomware victimization.

Zhao et al. [2018] conducted a survey and interviews with medical students and surgeons in a U.S. hospital that experienced a SamSam ransomware attack. Students who are “digital natives” were seriously stressed by lack of access to electronic resources and were not well adapted to adjust to paper-based workflows.

Using a mixed methods case study of a U.S. university that experienced a ransomware attack at a critical time, Zhang-Kennedy et al. [2018] reported that it took several days to recover basic services and the after-effects on user productivity were felt for a considerable time afterwards. In this case, there was substantial data loss and emotional effects on staff.

Findings of a survey of 46 ransomware victims in the U.K. reported that weak defenses were a key factor and that universities are more likely to be attacked than SMEs [Hull et al. 2019].

Connolly and Wall [2019] conducted interviews with ransomware victims and law enforcement representatives; analysis of 26 ransomware attacks led to the development of a taxonomy of ransomware countermeasures. The current work builds on that study by comparing pre-pandemic and mid-pandemic ransomware attacks and suggesting additional measures to combat this threat.

Connolly et al. [2020] present an analysis of 55 ransomware attacks and found that security posture, organization sector, and attack type (i.e., opportunistic or targeted) influences the experienced severity.

In a rare example of a ransomware case study, Adams et al. [2021] reflect on their experiences of suffering an attack and comment on lessons learned and potential mitigation strategies.

The objective of this study was therefore to build on this rather limited body of front-line “in the trenches” knowledge, specifically looking at how ransomware has evolved during the period of the COVID-19 pandemic. The structure of the article is as follows:

Section 2 presents our research method, which deployed an interpretive qualitative approach. The use of qualitative techniques in cybersecurity research has increased in recent years (although the lack of rigour in their application is an oft-cited criticism) so we follow the recommendation of Fujs et al. [2019] that “special attention should be paid to describing the data collection and analysis procedure.”

Section 3 presents our key findings, laid out under headings that correspond to the main themes that emerged from the comparative analysis (see Appendix B).

Section 4 outlines a number of specific recommendations to address the issues that surfaced in the findings, followed by our summary conclusions in Section 5.


2 RESEARCH METHOD

Using a variety of sources, we conducted a qualitative comparative study to trace the recent evolution of ransomware, looking at attacks that occurred shortly before the COVID-19 pandemic (2017–2019 period) as well as attacks that have since happened (2020–2021 period). We refer to these two periods as “pre-pandemic” and “mid-pandemic” respectively.

First, an earlier study by Connolly and Wall [2019] yielded data about 26 ransomware attacks that took place prior to the outbreak of COVID-19 (see Table 1). Several ransomware victims and specialist police officers from the U.K.’s cybercrime units were interviewed. Voluminous information was captured about characteristics of ransomware attacks and vulnerabilities that allowed attackers to be successful.

Table 1. Victim Profiles and Details of Pre-pandemic Ransomware Attacks

Organisation alias | Industry; size; sector | Crimes committed | Attack details
LawEnfJ | Law enforcement; small; public | Encryption | Malicious email
GovSecJN | Government; large; public | Encryption | Malicious email
GovSecJ | Government; large; public | Encryption (four times) | Multiple attacks: (1) drive-by-download; (2) malicious email; (3) drive-by-download; (4) drive-by-download
EducInstF | Education; large; public | Encryption | Drive-by-download
EducInstFB | Education; large; public | Encryption | Brute-force attack
LawEnfM | Law enforcement; small | Encryption (twice) | Multiple attacks: (1) malicious email; (2) malicious email
GovSecA | Government; large; public | Encryption | Brute-force attack
LawEnfJU | Law enforcement; medium; public | Encryption | Malicious email
HealthSerJU | Health service; large; public | Encryption | Multiple attacks: (1) brute-force attack; (2) malicious email
LawEnfF | Law enforcement; medium; public | Encryption | Malicious email
ITOrgA | IT; small; private | Encryption | Brute-force attack
ConstrSupA | Construction; small; private | Encryption | Brute-force attack
EducOrgA | Education; small; public | Encryption | Brute-force attack
SecOrgM | IT; small; private | Encryption | Malicious email
ITOrgJL | IT; small; private | Encryption | Brute-force attack
CloudProvJL | IT; small; private | Encryption | Brute-force attack
InfOrgJL | Infrastructure; medium; private | Encryption | Brute-force attack
ConstrSupJ | Construction; small; private | Encryption | Brute-force attack
RelOrgJ | Religion; medium; private | Encryption | Malicious email
SportClubJ | Sport; large; private | Encryption | Brute-force attack
UtilOrgD | Utilities; large; private | Encryption | Brute-force attack

Second, three semi-structured interviews were conducted with two cybersecurity professionals, who provided data on seven ransomware attacks that took place during the COVID-19 pandemic (one professional was interviewed twice due to new data emerging). We enquired about attack vectors, ransomware propagation techniques, and ransomware characteristics. We also asked interviewees about the level of organizational preparedness for these attacks and measures that could prevent them. The interview protocol was directly based on Connolly and Wall [2019], thereby providing an opportunity for comparative analysis of pre-pandemic and mid-pandemic attacks.

Third, to bolster our data on mid-pandemic attacks, we foraged through official documents released into the public domain, such as press releases, incident reports, and data breach disclosures. This approach of using some secondary sources was necessary because our extensive efforts to solicit primary in-person interviews with attack victims were not successful. From secondary sources, we discovered sufficiently detailed accounts of six additional ransomware attacks, thus bringing it to a total of 13 that occurred during the COVID-19 pandemic (see Table 2).

Table 2. Victim Profiles and Details of Mid-pandemic Ransomware Attacks

Victim alias or name | Organization characteristics | Crimes committed | Data source | Attack details
HospOrgOc (a) | Healthcare; large; private | Encryption and stolen data | Cybersecurity specialist, CyberComp | Unpatched Citrix; poor security practices throughout organization
ManOrgOc (a) | Manufacturing; SME; private | Encryption and data likely stolen | Cybersecurity specialist, CyberComp | COVID-themed phishing email
CritOrgOc (a) | Infrastructure; large; private | Encryption and stolen data | Cybersecurity specialist, CyberComp | Old VPN credentials of an employee who left the company months ago
PharmFrAg (a) | Pharmaceutical; SME; private | (1) Encryption, (2) mandate fraud, (3) wiped off online presence, (4) data possibly stolen | Unit Coordinator, CyberTL | Whaling; unchanged work practices
ArgOrgAg (a) | Agricultural merchant; SME; private | Encryption and data likely stolen (c) | Unit Coordinator, CyberTL | RDP weak credentials
EvOrgAg (a) | Entertainment; SME; private | Encryption and data likely stolen (c) | Unit Coordinator, CyberTL | TeamViewer or RDP weak credentials
ITFrAg (a) | IT; SME; private | Encryption and fraud | Unit Coordinator, CyberTL | RDP sold credentials
University of California San Francisco (b) | Education; large; public | Encryption and stolen data | [UCSF 2020; Tidy 2020] | Not disclosed
Michigan State University (b) | Education; large; public | Encryption and stolen data | [Adams et al. 2021] | Pulse Secure VPN vulnerability
Magellan Health Inc. (b) | Healthcare; large; private | Encryption and stolen data | [NRF 2020] | Phishing email
Citywide Home Loans (b) | Finance; large; private | Encryption and stolen data | [Bergwall 2021] | VPN using an employee's username and password
HSE Ireland (b) | Healthcare; large; public | Encryption and stolen data | [HSE 2021a; HSE 2021b] | Not disclosed
T-Mobile (b) | Mobile provider; large; private | Encryption and stolen data | [T-Mobile 2021; Sievert 2021] | Not disclosed

(a) Alias name. (b) Actual organization name. (c) Did not fully disclose.

2.1 Sampling Strategy

The data obtained from the study by Connolly and Wall [2019] pertained to 26 purposefully selected ransomware attacks. The sample included 21 organizations (some victims were attacked more than once) from 11 industries from private and public sectors and of different sizes. To enable comparative analysis, the pre-pandemic dataset was classified according to the threat that ransomware represented to each category. For instance, hospitals have different security requirements compared to schools, because a ransomware attack may lead to a loss of life if certain systems are down. In another instance, an organization that highly depends on IT infrastructure (e.g., a cloud provider) has a higher risk of bankruptcy than, say, a construction company or a publicly funded organization. Accordingly, an organization's security posture and its overall outlook to security may depend on the nature of that organization. This classification exercise produced five categories (see Table 3).

Table 3. Comparability of Pre-pandemic versus Mid-pandemic Ransomware Attacks

Basis for comparability | Pre-pandemic attack victims | Mid-pandemic attack victims
Category: critical infrastructure with a possibility of life loss and highly sensitive data. Industry: healthcare | HealthSerJU | HospOrgOc, Magellan Health Inc., HSE Ireland
Category: critical infrastructure, but no possibility of life loss, although disruptions could cause serious harm to the public; various types of data could be compromised. Industries: law enforcement, government, infrastructure, utilities, school education, religious institution | LawEnfF, LawEnfM, LawEnfJ, LawEnfJU, GovSecA, GovSecJN, GovSecJ, InfOrgJL, UtilOrgD, EducOrgA, RelOrgJ | CritOrgOc, T-Mobile
Category: possibility of losing intellectual property that can severely affect the organization. Industry: higher education | EducInstFB, EducInstF | UC San Francisco, Michigan State University
Category: high dependency on IT infrastructure; bankruptcy can occur within a few days of an incident (if no backups are available). Industry: IT | CloudProvJL, ITOrgA, ITOrgJL, SecOrgM | ITFrAg
Category: some dependency on IT infrastructure; bankruptcy is possible but at a much slower rate compared to organizations that highly depend on IT. Industries: manufacturing, pharmaceutical, retail, entertainment, construction | ConstrSupA, ConstrSupJ, SportClubJ | ManOrgOc, PharmFrAg, ArgOrgAg, EvOrgAg, Citywide Home Loans

We endeavoured to find mid-pandemic ransomware victims under each category. This resulted in a sample of 13 organizations that were of various sizes and industries and from both public and private sectors. Details of the attacks and the victim organizations are outlined in Table 2. It includes the organization's characteristics (e.g., industry, size, and sector), crimes committed by ransomware (e.g., encryption, data theft, and fraud), data sources, and information about attacks (e.g., attack vector and propagation techniques). For data collected via interviews, aliases are used to respect confidentiality of victim organizations. In the instances where publicly available data was collected, we do not conceal the identity of victim organizations.

2.2 Data Collection

Interview data for this study was collected in 2020 and 2021 (during the COVID-19 outbreak). Sample interview questions are given in Appendix A. All interviews were conducted remotely by means of desktop teleconferencing. We sought professionals who had direct experience of dealing with ransomware incidents during the COVID-19 pandemic. Our interviewees were a coordinator of one of the U.K.’s cybercrime police units (alias “CyberTL”), and a cyber security industry professional whose responsibilities include ransomware analysis and ransomware incident response (alias “CyberComp”). The participant from CyberTL had a total of 12 years’ experience in the police force, of which 6 were within a specialized cybercrime unit. The interviewee from CyberComp had 20 years of experience in cybersecurity. Interviews with these professionals produced data on seven ransomware attacks.

Unfortunately, further attempts to find data on mid-pandemic ransomware attacks via interviews proved to be unsuccessful. We, therefore, adopted a different strategy. First, we learned of mid-pandemic ransomware attacks from media reports. We then searched for the formal notification of these attacks by victims and subsequently examined official statements, incident reports, publicly released case details, and legal notices. Our efforts enabled us to add six additional victims to the mid-pandemic dataset, including University of California San Francisco, Michigan State University, Magellan Health Inc., HSE Ireland, T-Mobile, and Citywide Home Loans. This exercise brought the total number of mid-pandemic ransomware attacks to 13.

Data collection is considered one of the biggest challenges in qualitative research [Archibald and Munce 2015]. Collecting data on sensitive issues like cyber-attacks presents even bigger obstacles, because—as is the case with other forms of deviant behaviour or matters linked to potential legal proceedings—it is difficult to recruit willing subjects [Crossler et al. 2013]. Therefore, resource constraints often dictate when data collection ends, but a point of sufficient “theoretical saturation” is normally reached after about a dozen or so observations [Miles and Huberman 1994, pp. 30–31; Eisenhardt 1989]. Having exceeded that threshold for both pre-pandemic and mid-pandemic cases, we considered our sample to be adequate.

2.3 Data Analysis

To enable comparative analysis, inductive content analysis was used for the mid-pandemic dataset. The same method was used to analyse pre-pandemic ransomware attacks. The initial phase (open coding) involved reading through documents several times to make sense of data and identify units relevant to the study inquiry. This exercise produced 95 codes (see Appendix B). In the next phase (categorization), categories were identified with the aim of grouping codes from the previous stage. Some data units fitted within the identified categories, while others prompted the construction of additional categories. Some categories were deemed irrelevant to the study objectives and subsequently were eliminated. In the last phase (comparative analysis), we compared the two datasets. More specifically, categories and themes from the pre-pandemic dataset were compared with those from the mid-pandemic dataset. Subsequently, seven themes emerged, demonstrating how ransomware evolved during the COVID-19 outbreak. In this work, only categories and codes under the themes “Factors that hindered recovery” and “Factors that enabled infection and/or further spread” were used in comparative analysis.

The final stage of data analysis (compilation) involved data interpretation and write up, the results of which are presented in the next section.


3 FINDINGS

A number of key observations emerged from analysis of the data, as set out in the following subsections.

3.1 Attackers Adopt More Sinister Tactics to Extort Payment and Maximize Return

Of late, we have witnessed the emergence of attack strategies unlike those previously seen pre-pandemic. As organizations have improved their defense mechanisms by deploying effective backup strategies, criminals in turn have adopted methods that increase the potency of their assaults. This new modus operandi aims to maximize the financial gain by committing more than one crime within a single breach. Instead of just going for a “quick win” of executing ransomware, which only in a relatively small proportion of cases yields a return, cybercriminals instead stealthily penetrate and snoop around the organization's network; seek to exploit as many opportunities as possible by means of mandate fraud, data exfiltration, or other methods; and then drop ransomware as the final coup. The amount asked at this point is usually very high, because attackers have accumulated comprehensive knowledge about the organization, its data and systems, the consequences the attack will have, and their victims’ ability to pay.

This latest evolution of ransomware is very audacious. In addition to scrambling files, attackers also exfiltrate confidential data and threaten to leak it on the Dark Web if the ransom is not paid. This is the modus operandi of cybercriminal gangs such as Maze, Netwalker, DoppelPaymer, and Nefilim. If the ransom is paid, then the criminals promise not to release the data, although it is hardly credible that they would not seek to monetize stolen credit card details or other sensitive information.

As can be seen by comparing the data in Tables 1 and 2, all the pre-pandemic ransomware attacks that we looked at used only encryption, but all the mid-pandemic attacks combined encryption with other crimes such as data theft and mandate fraud. Many other high-profile cases of such multi-pronged attacks have been reported in the media and on security blogs [Hiscox 2020]. Thirty percent of ransomware attacks in the second quarter of 2020 threatened to release exfiltrated data, and 22% of attacks actually did so, which was a very substantial rise from the first quarter of that year [Coveware 2020]. As one of our police contacts explained:

We've started to see this new method of operating where [in addition to ransomware], criminals take victims’ data, copy, and put it somewhere else. They then threaten to publish data if victims refuse to pay. Criminals also blackmail victims with the GDPR requirements. They explicitly explain the problems that the organization will be facing if the data breach becomes known to authorities. [Detective Constable, CyberTL]

The reason that attackers have added this extra sting is because they were starting to find it difficult to extort payment using ransomware alone, as many organizations had put effective backup strategies and other defense mechanisms in place to mitigate the threat. A detective shared his recent experience with us:

Something that I have observed over the past while is the increasing success of companies in recovering from ransomware infections without having to actually negotiate with the criminals. Consequently, attack tactics have changed. Hackers now make every available opportunity profitable once they gain access to a victim network. Before executing ransomware, they will commit mandate fraud or extract data, or they may use systems for criminal activities. This is not something we have previously seen; it is a new threat from our perspective, and—worryingly—we have seen much more of it recently, especially since the outbreak of COVID-19 with so many people working remotely from home in insecure environments where they are more vulnerable. [Detective Sergeant, CyberTL]

Although this new tactic was not initially caused by the COVID-19 pandemic per se (e.g., see Porcedda and Wall [2019]), the pandemic created a set of circumstances that rapidly accelerated its uptake as opportunistic cybercriminals became more resourceful.

3.2 Expanded Attack Surface Caused by Employees Working at Home

If employees are accessing company systems from their own devices, then there are obvious security risks, because the organization is dependent on the employee to ensure that adequate protections are in place and that the device is safeguarded against accidental loss, theft, or damage. One of our interviewees remarked that

Because of the COVID-19 pandemic, you are now taking someone out of a work premises where they are used to a single sign-on into a secure network with all the assets, software, and hardware accounted for by the IT security team. Now they are working at their kitchen table at home, maybe using their own personal laptop. So you are relying upon their operating system, patches, and anti-virus software being up to date—this is an environment that is inherently fraught with risks. [Detective Sergeant, CyberTL]

Hackers take advantage not only of remote connection devices but also of personal machines used by employees to login to corporate networks over insecure VPN connections. One of the problems here is that most organizations initially felt that the COVID-19 pandemic would only last a short while, so they took a gamble that they would just “muddle through” instead of systematically identifying and patching all the vulnerabilities. As another interviewee put it,

At the beginning of the pandemic, we saw a whole bunch of companies start moving to remote work—ones that could, obviously—and that remote work infrastructure increased the entire surface for the attackers to go after…. You now have a whole bunch of devices that you don't control that are connecting into your network, so you have your expected infrastructure, but also your employee's machines. If you're not assigning them laptops, you have whatever they're using at home and who knows what else. [Cyber Security Professional, CyberComp]

As is explained in the next section, this expanded attack surface has led to a change in the most common attack vectors being used by ransomware cybercriminals.

3.3 Attack Vectors during the COVID-19 Pandemic

Consistent with Hijji and Alam [2021], we found that the most commonly used social engineering techniques during the COVID-19 pandemic have been phishing, smishing, vishing, spamming, and fake websites and apps, often used in conjunction with ransomware. As one of our interviewees disclosed,

Attackers are certainly taking advantage of COVID-19 and remote working …. One of the most prolific things they are doing now is taking advantage of phishing, particularly against Office365; we have seen a massive spike in that. Compromised accounts are used to access documents or send email messages with malicious attachments to other organizations …. The reason phishing is so popular now is because users believe that with remote working it is quite normal to be presented with a splash page asking for credentials or other security questions, or maybe the login interface looks slightly different. The end user assumes that it is an update or additional measure to tighten security, because they are working from home. Organizations rely upon rational end user behavior. However, businesses do not realise the effect that remote working is having on employees …. People are very vulnerable to handing that information over and that's definitely being exploited at present with the number of reports that we're seeing. [Detective Sergeant, CyberTL]

Another observation is that a lot of phishing emails mid-pandemic contain COVID-related information, preying on curiosity and public fear of the virus,

We saw a huge spike in phishing campaigns using COVID as a lure and other groups climbing on to it. In one case that I dealt with, Donald Trump had just recommended some miracle drug for COVID and an email circulated with that in the subject line. The manager clicked on it to find out about this miracle drug, it contained an attachment, he opened it up and that unleashed the ransomware campaign. [Cyber Security Professional, CyberComp]

For pre-pandemic attacks, phishing was also one of the main attack vectors, along with brute force attacks on Remote Desktop Protocol (RDP) and other known vulnerabilities. This changed for mid-pandemic attacks, with RDP exploits giving way to VPN exploits, related to the vastly expanded attack surface comprised of a plethora of remote devices,

I specialize in the diversification of ransomware attacks. So if you go back to 2019, ransomware was delivered primarily in two ways: phishing or RDP using either credential stuffing or credential reuse, because there are millions of usernames and passwords just hanging out in underground forums. But since the beginning of the pandemic, with the advent of this expanded attack surface, we saw ransomware groups really focusing on exploiting vulnerabilities—not new ones, but rather they were scanning for and finding established vulnerabilities that had proof-of-concept exploit code available. VPN in particular was targeted. So all of these remote connecting devices suddenly became very, very popular with cybercriminals, either with ransomware groups or the “initial access supply” groups. [Cyber Security Professional, CyberComp]
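The RDP pattern the interviewee describes (credential stuffing or password guessing against an exposed Remote Desktop service, ending in a valid logon) leaves a recognisable trace in Windows Security logs: a run of event ID 4625 failures from one source address, often across several usernames, followed by a 4624 success from the same address. The following detection logic is an added example, not code from the paper or from its interviewees. It runs over a handful of constructed event records; the dictionary layout and field names are an assumption for this example (in practice they would come from a SIEM or an Event Log export), while the event IDs and LogonType 10 (RemoteInteractive, i.e. RDP) are the standard Windows values.

```python
"""Detect an RDP password-guessing run that ends in a successful logon.

Added example, not code from the paper. Windows Security event ID 4625 is a
failed logon, 4624 a successful one, and LogonType 10 (RemoteInteractive)
marks RDP sessions. The record layout below is an assumption for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

FAIL_THRESHOLD = 5              # failures from one source before a later success is suspicious
WINDOW = timedelta(minutes=10)  # how far back to count failures
RDP_LOGON_TYPE = 10

# Constructed sample events, not real logs. 203.0.113.7 guesses five different
# accounts and then lands on "jsmith"; 198.51.100.22 is a user mistyping a
# password once; the final LogonType 3 event is a network logon, not RDP.
SAMPLE_EVENTS = [
    {"ts": "2020-04-01T02:00:05", "id": 4625, "logon_type": 10, "src": "203.0.113.7", "user": "admin"},
    {"ts": "2020-04-01T02:00:09", "id": 4625, "logon_type": 10, "src": "203.0.113.7", "user": "administrator"},
    {"ts": "2020-04-01T02:00:14", "id": 4625, "logon_type": 10, "src": "203.0.113.7", "user": "backup"},
    {"ts": "2020-04-01T02:00:20", "id": 4625, "logon_type": 10, "src": "203.0.113.7", "user": "jsmith"},
    {"ts": "2020-04-01T02:00:27", "id": 4625, "logon_type": 10, "src": "203.0.113.7", "user": "scan"},
    {"ts": "2020-04-01T02:00:33", "id": 4625, "logon_type": 10, "src": "203.0.113.7", "user": "jsmith"},
    {"ts": "2020-04-01T02:03:41", "id": 4624, "logon_type": 10, "src": "203.0.113.7", "user": "jsmith"},
    {"ts": "2020-04-01T08:15:00", "id": 4625, "logon_type": 10, "src": "198.51.100.22", "user": "mjones"},
    {"ts": "2020-04-01T08:15:12", "id": 4624, "logon_type": 10, "src": "198.51.100.22", "user": "mjones"},
    {"ts": "2020-04-01T09:00:00", "id": 4625, "logon_type": 3, "src": "203.0.113.7", "user": "svc"},
]


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def detect_rdp_bruteforce(events, fail_threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return one alert per RDP success (4624) that was preceded, within
    `window`, by at least `fail_threshold` RDP failures (4625) from the same
    source address. The alert lists the accounts tried, which distinguishes a
    spray across many usernames from one user repeatedly mistyping a password.
    """
    failures = defaultdict(list)   # src -> [(timestamp, username), ...]
    alerts = []
    for event in sorted(events, key=_ts):
        if event["logon_type"] != RDP_LOGON_TYPE:
            continue
        now, src = _ts(event), event["src"]
        if event["id"] == 4625:
            failures[src].append((now, event["user"]))
            continue
        if event["id"] != 4624:
            continue
        recent = [(t, u) for t, u in failures[src] if now - t <= window]
        if len(recent) >= fail_threshold:
            users_tried = sorted({u for _, u in recent})
            alerts.append({
                "src": src,
                "user": event["user"],
                "ts": event["ts"],
                "failures": len(recent),
                "users_tried": users_tried,
                "pattern": "spray" if len(users_tried) > 1 else "single-account",
            })
        failures[src].clear()   # a success (alerted or not) resets that source's counter
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(SAMPLE_EVENTS):
        print(alert)
```

The rule keys on the source address rather than the username because a credential-stuffing run cycles through many accounts; an alert whose `users_tried` list is long is the signature of a spray, and the account that finally succeeded is the one to disable first. The same shape of rule applies to VPN appliance logs once failed and successful authentications are normalised into the same fields.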

3.4 Failure to Adapt Practices to the “New Normal” of Hybrid Teleworking Environment

One of the major problems that organizations are currently facing is that offline practices do not always fit in with the new norm of working from home, where employees are more relaxed and likely to take shortcuts. The failure to transform common office practices into an online mode makes organizations vulnerable to attacks.

In one of the mid-pandemic cases that we examined, an organization in the pharmaceutical sector (“PharmFrAg”) became a victim of whaling. Having gained access to email data and other sensitive information, the perpetrators intercepted an invoice sent by PharmFrAg to one of its customers and altered the banking information, which prompted the customer to send a payment of UK£30,000 to the attackers’ bank account. After committing mandate fraud, the criminals then reset the domain controller password and changed DNS settings. The victim's online presence was wiped and email services stopped working. At that point, the attackers made their first demand (approximately UK£20,000 in bitcoin). PharmFrAg, however, reacted by hiring cybersecurity consultants, who swiftly implemented the necessary response measures, prioritising effective backup solutions. When the attackers realised that the victim was not going to pay, they executed ransomware and made a second ransom demand. However, because PharmFrAg already had backups in place and there was no evidence that data exfiltration had occurred, it managed to recover without paying any ransom. Upon investigation, the external consultants found that the criminals had remained undetected inside PharmFrAg's network for about a month and had snooped around SharePoint documents. One of the police officers that we spoke to offered his opinion on why this happened,

From my experience, attackers take advantage of human vulnerabilities since remote working became a norm. Organizational practices must change, because people are working in different premises. Although companies have formal processes in place, employees do not obey them, as they do not know how. For example, in the PharmFrAg attack, the bank details of an invoice were modified by perpetrators and sent to a customer for payment. In a typical environment, an accountant would have had a conversation with a financial director and queried the invoice. But employees decided to just trust the system, assuming it sent a correct invoice. I think the remote mode led to various organizational and cultural changes, forcing people to go about their normal business differently. In my opinion, the risk of ransomware attacks during COVID-19 outbreak is mainly coming from people's behaviour. [Detective Sergeant, CyberTL]

Additionally, the COVID-19 pandemic meant that employees’ normal schedules became utterly chaotic and unpredictable as they struggled with work–life balance issues. Normal routines were severely disrupted as home offices became workplaces and schools, shared by the entire household [Fukumura et al. 2021; Xiao et al. 2021]. Some employees who had freedom to re-locate chose to do so, working remotely from foreign locations. This meant that behavioral analytics were thrown out of kilter, making it much more difficult to differentiate legitimate from suspicious activity. We did not obtain any firm data on the extent to which this enabled mid-pandemic attacks to fly under the radar, but the impression given by interviewees is that the turmoil caused by COVID-19 and the loosening of access restrictions left the door open for attackers to cunningly slip in undetected in a number of cases (see the points made by a Cyber Security Professional from CyberComp in Sections 3.2 and 3.3 about the extended attack surface and remote working).

3.5 Ongoing Laissez-faire Attitude to Cybersecurity

In the 39 cases that we examined, we found that a key underlying cause for both pre-pandemic and mid-pandemic attacks was shoddy practices and failure to attend to basics. Poor technical controls, weak passwords, inadequate security awareness and training, the absence of a well-rehearsed incident response plan, ineffective network security practices, and inadequate IT governance appeared time and again throughout the comparative analysis. From this weak base, organizations were ill equipped to deal with the sudden unplanned emergency of COVID-19:

At the outset of COVID-19, everybody said, OK, we need to go to remote work right now. So whatever they had on the shelf, that became how they got remote work done. There was very little thought given to security, because everybody thought, “hey, we're going to do this for a couple of months and then we'll go back to normal office work.” But it turned out that a couple months became a year and a half. And what I've seen repeatedly with clients that I've worked with, nobody went back and looked at the security of the infrastructure they originally put in. So if you deployed insecure routers or unpatched VPN concentrators or out-of-date Citrix, because that was what you had on the shelf, all of that remained unpatched. [Cyber Security Professional, CyberComp]

A further aspect that we found—again common to pre-pandemic and mid-pandemic attacks—is that several of the victim organizations had poor knowledge of their enterprise data and its various locations. Cybercriminals now spend a considerable amount of time conducting reconnaissance, both pre-attack and also after infiltration. Initially, they may gather intelligence about business executives by scraping details from social media accounts and publicly available data to build up a profile for the purposes of launching a targeted phishing attack, which is one of the most common weapons now used to breach defenses. Once they breach the organization's defenses, they sniff around internally, often staying undetected for weeks on end before deploying ransomware. The attackers may therefore have a clearer sense of things than the victim. One of the reasons that EducInstFB paid the ransom was because they actually did not know what data they were missing (if any) and how valuable it was, and time was not on their side,

So really it was like a fog … We knew that computers were plugged into network nodes, but we could not see them … And we did not know what sort of data then was encrypted. So that was really our biggest challenge. [Executive Manager, EducInstFB]

The blackmail element in the most recent evolution of ransomware is only possible when criminals manage to exfiltrate data from victims’ networks. Worryingly, some victims are not even aware that their data are gone until the attackers contact them or the data have already been leaked,

The victim in a lot of cases does not have full oversight of what has been actually taken from them. My real concern is that once an organization has its network ransomwared, do they have the capability to go back in time and conduct a full audit of whatever activity was happening on the network for the last week, month, or longer. And the answer very often is no. [Detective Sergeant, CyberTL]

3.6 More Severe Consequences for Individuals and Privacy

A lot of mid-pandemic ransomware attacks were purposely targeted at universities and hospitals [Kooson 2021; Fouad 2021; Dullea et al. 2021; Swasey 2020]. This was because such organizations were already under immense pressure because of COVID-19, possess a lot of personally identifiable information (PII), and typically have points of weakness in their systems. Other types of organizations that typically hold substantial volumes of PII—such as insurance companies, mortgage and loan providers, police, utility companies, and government agencies—feature prominently amongst the lists of known recent attacks. In our analysis of mid-pandemic cases, several examples of data exfiltration from such organizations came to the fore,

Citywide has determined that the attackers obtained access to some data on a file share, which is believed to contain personal information associated with some of Citywide's employees and customers, and uploaded this data to Mega, a cloud storage provider. Depending on the individual, the types of information stored on the system may have included the following: name, address, phone number, date of birth, Social Security number, driver's license, passport number, bank account information, credit card information, other financial account information, taxpayer identification number, and health insurance information. This may also include information relating to the administration of the Citywide Health Plan, including personal information associated with employees and any eligible spouses or dependents. [Bergwall 2021]

Unfortunately, this domain [at Michigan State University] not only contained research data, it held files containing personal identifiable information (PII), some of it from the 90s … the attackers exfiltrated data, including PII, affecting more than 9,000 students. NetWalker posted passports, driver licenses, and bank accounts as a pressure tactic …. In total, 1.3 million files were exposed in the incident, and an estimated 127,000 files contained personal information. [Adams et al. 2021]

Again, this type of behavior was not seen at all in the pre-pandemic cases that we analysed. The emergence of this new tactic cannot be attributed to the COVID-19 pandemic alone, although the pandemic created opportunities to target and exploit certain types of organizations. The main reasons why ransomware attackers are stealing PII are, ironically, improvements in data backups, which allow victims to recover from encryption alone without paying, and an unintended consequence of the introduction of stricter data protection laws. The EU GDPR came into effect in 2018 with the intention of strengthening citizens’ privacy, but ransomware attackers are now using it (and similar legislation in other jurisdictions) as a weapon to blackmail victims. As mentioned in Section 3.1, attackers use the threat of publishing exfiltrated data to induce victims to pay, being aware that if a breach were to become public knowledge, then it could lead not only to losses due to damaged reputation but also to financial penalties imposed by data protection authorities. Another unintended consequence of stricter data protection laws is that organizations are more likely to attempt to cover up a breach and deny it, or brush it over, in order to avoid penalties.

As such, individuals have become innocent pawns in a game of “should we pay or not?,” which often boils down to a rational economic decision. However, the publication on the Dark Web of highly sensitive and confidential personal data that might be used for fraud, identity theft, bribery, and other such crimes, on top of violation of privacy and loss of control, is hugely distressing for persons affected, with potential long-term consequences.


4 DISCUSSION AND RECOMMENDATIONS

Several of the issues that we identified can be mitigated by adhering to standard practices such as patching vulnerabilities, training staff, enforcing strong passwords and multi-factor authentication, managing privileges, disabling unused accounts, and following basic internet hygiene. Policies that employers may refer to include the U.S. NIST Guide to Enterprise Telework, Remote Access and BYOD Security [Souppaya and Scarfone 2016], U.K. National Cyber Security Centre (NCSC) guidance on preparing organizations and staff to work securely from home [NCSC 2020], the SANS Security Awareness Work-from-Home Deployment Kit [SANS 2020], and the secure homeworking framework developed by Eiza et al. [2021]. Employers also need to be cognizant of legal requirements that may apply to their cybersecurity practices, especially in regulated sectors such as financial services and healthcare [FCA 2022; Guerrero 2022]. In addition to these policies and guidance, this section sets out a number of specific recommendations to deal with the problems that we observed.

4.1 Preventing Data Exfiltration

In order to prevent illegal data transfers, organizations are conventionally urged to scan network traffic and monitor unusually high bandwidth utilisation. However, as HTTPS, that is, the Hypertext Transfer Protocol encrypted with Transport Layer Security (TLS), has become commonplace to help keep sensitive data private on the Internet, ransomware actors have also moved to use it to defeat basic content scanning. In an attempt to address this detection avoidance, multiple vendors recommend employing TLS inspection. An inspection appliance holds the signing key of an internal certificate authority that is trusted by the organization's managed computers; it terminates each client connection with a certificate it issues on the fly for the requested site, opens its own TLS session to the real destination, and so conducts what is essentially an authorized man-in-the-middle monitoring of encrypted traffic. This technology, however, must balance the privacy obligations attached to inspecting employee traffic against the performance impact of resource-intensive decryption and scanning, and the inspection authority's private key itself becomes a high-value asset that must be protected. Solutions therefore often employ vendor- and customer-defined trust lists and fast-path rules that exempt trusted business applications and websites, including applications that pin their certificates and would otherwise break.

Approaches to data theft detection and prevention vary depending on the location of data. Attackers have modified their methods to avoid detection by using business cloud platforms for ransomware downloads and data exfiltration as these platforms are likely to be trusted by organizations and excluded from scanning. This approach may be informed by attackers’ research on potential victims’ security solutions from publicly available information. Unusually large data volumes may still arouse suspicion. Attackers hence use the “low and slow” approach of trickling data transfers that helps to blend in with background activity and avoid appearing in high volume reports.
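The following is an added worked example, not code from the article or its interviewees, illustrating the two detection approaches discussed above: the conventional high-volume report, which looks at each connection on its own, and a trailing-window aggregate per source and destination that still catches a “low and slow” trickle. It works on flow metadata (bytes per connection), so it is unaffected by TLS on the payload. The flow records, the host names (including the external storage destination “mega-upload.example”), the thresholds and the window length are all constructed assumptions for illustration.

```python
"""Added example (not from the article): exfiltration detection over flow
records.  A per-flow byte threshold catches one bulk upload but misses a
"low and slow" trickle; a trailing-window aggregate per (source, destination)
catches both.  Record format, host names and thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample flows: (timestamp, source host, destination, bytes out).
# "mega-upload.example" is a stand-in for an external cloud storage service.
FLOWS = [
    ("2021-03-01T09:00:00", "wks-17", "sharepoint.example", 2_000_000),
    ("2021-03-01T09:05:00", "wks-17", "sharepoint.example", 1_500_000),
    ("2021-03-01T23:10:00", "wks-42", "mega-upload.example", 600_000_000),
]
# The trickle: 8 MB every 10 minutes from wks-09 for a day, about 1.15 GB in
# total, with every individual flow far below the per-flow threshold.
_start = datetime(2021, 3, 1, 0, 0, 0)
for _i in range(144):
    FLOWS.append(((_start + timedelta(minutes=10 * _i)).isoformat(),
                  "wks-09", "mega-upload.example", 8_000_000))

PER_FLOW_LIMIT = 100_000_000    # 100 MB in a single connection
WINDOW = timedelta(hours=24)
AGGREGATE_LIMIT = 500_000_000   # 500 MB to one destination within the window


def per_flow_alerts(flows, limit=PER_FLOW_LIMIT):
    """Naive high-volume report: hosts with any single flow above the limit."""
    return sorted({src for _, src, _, nbytes in flows if nbytes > limit})


def low_and_slow_alerts(flows, window=WINDOW, limit=AGGREGATE_LIMIT):
    """Trailing-window sum of egress bytes per (source, destination).

    Flows are processed in time order.  For each pair we keep the flows that
    fall inside the trailing window and alert when their sum exceeds the
    limit, so many small transfers are judged by their total, not one by one.
    Returns {(src, dst): peak windowed total} for every pair that alerted.
    """
    recent = defaultdict(list)   # (src, dst) -> [(time, bytes), ...]
    alerts = {}
    for ts, src, dst, nbytes in sorted(flows, key=lambda f: f[0]):
        now = datetime.fromisoformat(ts)
        q = recent[(src, dst)]
        q.append((now, nbytes))
        while q and now - q[0][0] > window:
            q.pop(0)
        total = sum(b for _, b in q)
        if total > limit:
            alerts[(src, dst)] = max(total, alerts.get((src, dst), 0))
    return alerts


if __name__ == "__main__":
    print("per-flow alerts:", per_flow_alerts(FLOWS))
    for (src, dst), total in low_and_slow_alerts(FLOWS).items():
        print(f"windowed alert: {src} -> {dst}: {total / 1e6:.0f} MB in 24 h")
```

Run as a script, the per-flow report names only wks-42, whose single 600 MB upload crosses the threshold, whereas the windowed aggregate also names wks-09, whose 144 small uploads sum to about 1,152 MB within the day. In practice the window length and limit would be tuned per destination class, and business destinations such as the organization's own SharePoint tenant would be baselined rather than excluded outright, since the article notes that attackers deliberately route exfiltration through trusted cloud platforms.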

Organizations that have migrated to cloud-native data storage and collaboration tools will have to re-assess their information security strategy and may find that their on-premises security technologies cannot protect cloud-stored data. These organizations are largely restricted to the features made available by their cloud service provider. If an attacker succeeds in obtaining login credentials, then they can enter the environment, move laterally, and conduct internal reconnaissance by eavesdropping and rummaging through cloud files. For example, if a Microsoft Office 365 email account were to be compromised, then it could give access to an organization's shared documents. Data exfiltration might be as simple as switching to OneDrive or SharePoint and searching for “Confidential,” “Internal Use,” “Bank Details,” “Password,” “Curriculum Vitae,” “Contract,” “Allegation” or another term likely to retrieve classified documents that could be used as leverage to extort payment. Depending on the roles and privileges assigned to the individual whose account was hijacked, this could be very serious. We advise using Multi-Factor Authentication (MFA) to prevent unauthorized access, combined with audit logging of user actions so that the searches and downloads performed by a compromised account can be reconstructed afterwards. Because credential phishing is the leading vector described by our interviewees, the MFA method matters: one-time codes delivered by SMS can themselves be phished or intercepted, so authenticator apps or phishing-resistant hardware tokens are preferable where feasible. Some organizations are reluctant to adopt MFA because of employee privacy concerns (e.g., using personal telephone numbers for SMS authentication), but the benefits of greatly enhanced security must be set against this downside.

Many cloud providers now support Data Loss Prevention (DLP) to classify and control data sharing and may offer “always-on encryption” through Information Rights Management (IRM). IRM controls what legitimate logged-in users can do with data (e.g., no downloading or printing) and prevents all access to stolen files without a valid login. Note, however, that IRM protects files that have been taken out of the environment; it does not stop an attacker who holds a legitimate user's credentials from reading those files in place, which is why it complements rather than replaces MFA and audit logging. As vendors continue to improve their response to attack techniques, some are now beginning to develop advanced integrated approaches, often described as Extended Detection and Response (XDR). XDR links the network, endpoint, and other security technologies in a vendor's portfolio in an attempt to collectively address root-cause detection and subsequently prevent infection, lateral movement, and data exfiltration.

There are also mitigating controls that can be employed to reduce the severity of successful attacks. One such control to protect sensitive data is file-level encryption, where encryption is applied proactively to each file, so the data remain protected against unauthorized access wherever they are stored. Although this does not prevent data exfiltration, it helps to render any exfiltrated data useless to the attacker. Commonly available tools for this are generally designed for individuals and utilise simple passphrase-based symmetric encryption. This approach, however, does not scale to large collaborative enterprise environments without complex passphrase-sharing arrangements, which are themselves difficult to secure. Some vendors offer proprietary software designed to transparently implement “always-on file encryption” that works collaboratively for larger enterprises. These, however, are considered a more advanced control and can impose a significant initial technical burden to achieve a configuration that meets end users’ needs, particularly if data classification is not already in place. Note also that transparent decryption for authorized users means this control offers no protection against an attacker operating under a compromised authorized account, which again points back to MFA and access logging.

As important as technical solutions are, the heart of the problem is that organizations do not identify their risk exposure. They do not know their data (i.e., they lack classification mechanisms) and, most importantly, are not aware of its location. This applies equally to the identification and classification of critical systems. DLP solutions may operate at the network level, similarly to TLS inspection, or at the endpoint level via an agent, to help organizations classify sensitive data and detect and prevent the unauthorized transfer of any sensitive file. Some organizations do not keep data access audit logs and hence may not be able to identify the scale of a data theft without engaging with the attackers. In such cases attackers can claim that they accessed and stole far more data than they actually did. Centrally collecting access audit logs from critical assets, and retaining them long enough to cover the weeks of undetected dwell time seen in our cases, gives incident responders vital evidence should an exfiltration attack succeed. The ability to validate an extortion claim and assess the damage is invaluable [8]. Furthermore, once logging is enabled, organizations can employ more advanced automated analytics such as Security Information and Event Management (SIEM) solutions, which correlate events across log sources using rules and, increasingly, statistical or machine-learning baselines to separate indicators of compromise from the noise of routine activity.
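As an added example that is not part of the article, the following shows how centrally collected access audit logs support two points made above: the keyword-search-then-download pattern described for a compromised Office 365 account, and validating an extortion claim against what was actually downloaded rather than taking the attacker's word for it. The JSON-lines schema, the operation and field names, the accounts, the file paths and the attacker's claimed file list are all constructed for illustration and do not correspond to any real provider's export format.

```python
"""Added example (not from the article): scoping a suspected data theft from
centrally collected file-access audit logs.  The JSON-lines schema, operation
names, accounts, file paths and the attacker's claim are all constructed."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit export, one JSON object per line; operation names are made up.
AUDIT_LOG = """
{"time":"2021-04-02T10:01:00","user":"j.doe","op":"FileAccessed","file":"/Finance/Q1-report.xlsx"}
{"time":"2021-04-02T10:04:00","user":"j.doe","op":"FileAccessed","file":"/HR/holiday-rota.docx"}
{"time":"2021-04-03T02:10:00","user":"j.doe","op":"SearchQueryPerformed","query":"bank details"}
{"time":"2021-04-03T02:11:00","user":"j.doe","op":"FileDownloaded","file":"/Finance/supplier-bank-details.xlsx"}
{"time":"2021-04-03T02:12:00","user":"j.doe","op":"SearchQueryPerformed","query":"password"}
{"time":"2021-04-03T02:13:00","user":"j.doe","op":"FileDownloaded","file":"/IT/vpn-passwords.txt"}
{"time":"2021-04-03T02:13:30","user":"j.doe","op":"FileDownloaded","file":"/HR/contracts-2020.zip"}
{"time":"2021-04-03T09:30:00","user":"a.smith","op":"FileAccessed","file":"/Sales/pipeline.xlsx"}
"""

# Search terms an intruder uses to find leverage (the article's list).
SENSITIVE_TERMS = ("confidential", "internal use", "bank details", "password",
                   "curriculum vitae", "contract", "allegation")

# Constructed extortion note: two files the logs corroborate, one they do not.
CLAIMED = ["/Finance/supplier-bank-details.xlsx", "/IT/vpn-passwords.txt",
           "/HR/payroll-2021.xlsx"]


def parse_log(text):
    """Parse a JSON-lines export into dicts sorted by time."""
    events = []
    for line in text.strip().splitlines():
        if line.strip():
            ev = json.loads(line)
            ev["time"] = datetime.fromisoformat(ev["time"])
            events.append(ev)
    return sorted(events, key=lambda e: e["time"])

def user_events(events, user, start, end):
    return [e for e in events if e["user"] == user and start <= e["time"] <= end]

def sensitive_searches(events, user, start, end):
    """Queries by the account that match the leverage terms, in time order."""
    return [e["query"] for e in user_events(events, user, start, end)
            if e["op"] == "SearchQueryPerformed"
            and any(t in e["query"].lower() for t in SENSITIVE_TERMS)]

def files_downloaded(events, user, start, end):
    return {e["file"] for e in user_events(events, user, start, end)
            if e["op"] == "FileDownloaded"}

def validate_claim(claimed, downloaded):
    """Split the claim into files the logs corroborate and files with no
    recorded download, which the victim need not concede without evidence."""
    claimed = set(claimed)
    return sorted(claimed & downloaded), sorted(claimed - downloaded)

def download_bursts(events, max_per_window=2, window=timedelta(minutes=10)):
    """Accounts with more than max_per_window downloads in any trailing window."""
    per_user = defaultdict(list)
    for e in events:                        # events are already time-sorted
        if e["op"] == "FileDownloaded":
            per_user[e["user"]].append(e["time"])
    flagged = []
    for user, times in per_user.items():
        for i, t in enumerate(times):
            if sum(1 for u in times[i:] if u - t <= window) > max_per_window:
                flagged.append(user)
                break
    return sorted(flagged)

def scope_incident(text, user, start_iso, end_iso, claimed):
    """What the account searched for and downloaded in the window, how much of
    the extortion claim the logs support, and which accounts show bursts."""
    events = parse_log(text)
    start, end = datetime.fromisoformat(start_iso), datetime.fromisoformat(end_iso)
    taken = files_downloaded(events, user, start, end)
    confirmed, unsupported = validate_claim(claimed, taken)
    return {"searches": sensitive_searches(events, user, start, end),
            "downloaded": sorted(taken),
            "confirmed": confirmed,
            "unsupported": unsupported,
            "burst_accounts": download_bursts(events)}


if __name__ == "__main__":
    report = scope_incident(AUDIT_LOG, "j.doe",
                            "2021-04-03T00:00:00", "2021-04-03T06:00:00", CLAIMED)
    for key, value in report.items():
        print(f"{key}: {value}")
```

For the constructed night-time window, the report shows the two leverage searches (“bank details”, “password”), the three files actually downloaded, two claimed files corroborated by the logs and one (“/HR/payroll-2021.xlsx”) with no recorded download, and j.doe flagged for three downloads within ten minutes. The same burst rule run continuously over the live log, rather than after the fact, is the kind of out-of-hours signal the monitoring recommendation in Section 4.3 depends on.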

Ultimately, prevention is better than cure. Focusing solely on detection and failing to adequately address security fundamentals leaves systems open to attack. Organizations must ensure they have undertaken basic hardening and best practice as a foundation on which to deploy more advanced security products from vendors. A number of basic controls can be implemented in existing infrastructure to significantly reduce risk of infection and increase visibility. Crucially, it is impossible for any system to be absolutely secure and no one product or technology offers a “silver bullet” against ransomware. In practice, the application of multiple complementary controls, known as defense-in-depth, is vital to reduce the threat of ransomware, especially as techniques, tactics, and procedures of threat actors continue to rapidly evolve with new generations of ransomware.

4.2 Cybersecurity Audit of the Work-at-home Environment and Transformation of Processes

If employees are to be permitted to work from home in future—as is likely to be the case not just because of the enduring effects of the COVID-19 pandemic but also because of climate change initiatives around the world—then it is incumbent on organizations to train their employees to conduct a basic cybersecurity audit of their work environment, much in the same way that they are expected to complete self-assessment audits of the ergonomic safety of their home workstation configuration.

Normally, it is the responsibility of home-owners to have appropriate insurance policies and security measures in place to avoid damages from an intrusion. However, if employees are permitted to work at home, then their employers must be assured that it is a safe and secure environment. For example, if an employee is sharing rented accommodation with a number of other young professionals, then what measures are in place to prevent the risk of shoulder surfing or espionage? If an apartment common room is a shared workspace during the day but a party venue for guests in the evenings, then are sufficient precautions being taken to prevent the theft of laptops and portable devices? If a device is stolen, then are its contents encrypted and backed up? Are employees aware of the risks of connecting to a rogue WiFi network within an apartment block? Are they taking adequate care to guard against “dumpster diving” for print-outs of confidential corporate documents discarded into the trash? Is a “leave no documents behind” policy adhered to for common areas of shared accommodation? Does the employee ensure that confidential documents and devices are always kept under lock and key if he/she is not present? Is the property where the employee resides alarmed and monitored by security cameras? Similarly, these and other such rudimentary measures would apply if a teleworker were hot-desking from a remote digital hub. If employees want the convenience of working from home, then they must be capable of demonstrating to their employer that they are fully compliant with the organization's policies and procedures (cybersecurity, health and safety, etc.). 
Conversely, organizations must educate their employees about crime prevention (e.g., theft of devices and/or data) and the legal implications of working from home (e.g., financial regulators or data protection commissioners may have the right to enter an employee's private home or demand access to personal devices, if they are used for work purposes). Furthermore, the inability to conveniently interact with colleagues is a widespread problem for remote working, and this can be exploited by attackers. Organizations therefore need to understand common practices and protocols that would typically be used by their employees in face-to-face environments and transform them into the new remote context.

4.3 Knowing How to Respond When Calamity Strikes

One of the first steps that employees need to take if they detect suspicious activity is to report it without delay. Although many organizations directly employ or hire staff to provide around-the-clock physical perimeter security, when it comes to IT security very few organizations have round-the-clock guards looking out for suspicious behavior. Our analysis revealed a pattern of attacks occurring at night, at weekends or during holiday periods. Attackers deliberately choose this timing, because normally there are fewer IT staff on duty, if any at all, to monitor alerts or to take notice of network performance issues. We feel that all organizations should consider out-of-hours IT security monitoring and support. If an employee's single sign-on password is compromised while working at home over a weekend, then it cannot wait two days to be rectified. Cybersecurity-as-a-Service is increasingly being adopted as an option by organizations that do not have the capability to provide continuous in-house cover.

Most importantly, employees need to know when to contact IT. The very first response steps will define the outcome of the incident. One of the affected organizations (“LawEnfJU”) shared that when one of its employees detected suspicious activity (i.e., files on a shared drive had been encrypted and were therefore inaccessible), they shut down their machine and logged into another. This step was repeated with several machines until the employee finally realized that they needed to contact IT.

Fire drills are required by law in several countries and employees know precisely what to do when alarms sound. In contrast, very few organizations run regular IT security drills, so employees typically do not know how to respond when suddenly faced with a cyberattack, as was the case with LawEnfJU. Lack of awareness and preparedness was a common theme across the cases that we analysed.

It is not sufficient just to have an incident response plan and links to training videos that employees are told to watch. Organizations should simulate phishing and ransomware attacks on a periodic basis so that employees know how to recognize potential risks and proact or react accordingly. A Security Manager from a victim organization shared his opinion of what ought to be done to prevent further attacks,

I have a military background, and this is what we do in the army—we train people how to act in case of an attack. The same should be done in organizations to protect against cyberattacks. It is called a tabletop exercise. You simulate attacks and teach people how to react if a cyberattack happens. [Security Manager, GovSecJ]

If organizations have a plan in place and continually practice the basics, then these become natural habits. Conversely, if there is no plan and an attacker strikes, then there may not be sufficient time to adequately consider the unexpected. For ransomware attacks, it is vital to have the services of a skilled negotiator who has the capability to buy time and negotiate the demands down.

4.4 Learning from Past Experiences and Exchanging Threat Information

Employees become more aware of the dangers posed by ransomware if they are informed about past security breaches or directly affected by one. One of our interviewees, a Security Manager at a government department that experienced a disruptive attack, commented on the changes in employees’ attitudes following the incident:

I think organizationally it was a shock, because although we had attempted to raise awareness about the dangers of malware, actually being subject to a malware attack made a lot of people listen. Post the attack, everybody realised the serious impact it could have on an organization. And attitudes changed all the way through the organization from the very top to the very bottom. [Security Manager, GovSecJN]

In truth, we know relatively little about the realities of ransomware attacks and their level of incidence. Managers very often cover things up and reveal only paltry details in incident reports, which does not add to our knowledge on important facts of the incidents (e.g., attack vector, the methods used for lateral movement, reconnaissance details, etc.). As one of the interviewees from a victim organization commented,

I can tell you one of the things that really bothers me about security incidents is that organizations hide this information. But the more people who keep this behind closed doors, the less we know. We are giving the advantage to the bad guys by not sharing this information. [Executive Manager, EducInstFB]

The need to create shared platforms for reporting security breaches is greater than ever before. One such initiative, the Cyber Security Information Sharing Partnership (CiSP), was organized by the NCSC in the U.K. to allow organizations to share cyber threat information in a secure and confidential environment. However, fear of adverse consequences remains a major barrier to information sharing. As one interviewee lamented:

Of course, organisations bury the truth. And this is because of fear of incrimination. Organizations are potentially faced with huge fines and public persecution via media exposure. [Security Manager, GovSecJ]

This was also our experience when seeking to elicit details about ransomware attacks from known victims. We faced a wall of silence, or in some cases were repelled with a standard face-saving response that “we regret that we cannot disclose any details of this case as it is currently under investigation by the police.”

4.5 GDPR: Be Vigilant and Fear Not

An organization that fails to comply with the stringent requirements of GDPR is liable to be fined up to €20 million or 4% of its global annual turnover, whichever is higher, depending on the severity of the offence. Although not as punitive, provisions for fines have recently also been introduced or proposed in other jurisdictions such as Switzerland's Data Protection Act 2020, Brazil's LGPD 2020, and India's Personal Data Protection Bill 2019.

Unscrupulous attackers attempt to use the prospect of fines to their advantage by threatening to expose failings to the relevant enforcement agency unless a blackmail demand is met. Although changing the fine structure could be a potentially good solution and is worthy of further exploration, the best defense as of now against this ploy is for organizations to regard GDPR not as a burden but rather as a “gold standard” that serves to improve cybersecurity. It obligates data controllers to systematically catalogue the location and scope of all personal information, methodically analyse infrastructure, define policies and procedures for data storage and transfer, and put strong governance in place. Being GDPR compliant not only safeguards citizens’ rights but also protects organizations by making them more resilient in the wake of a ransomware attack and cutting off an avenue for blackmail.

If an organization can demonstrate that it adhered to the rules, then the risk of monetary penalties or civil action is greatly reduced. In Europe, the level of fine imposed by national GDPR supervisory authorities can be as low as 0% of the legal maximum, depending on the seriousness of the breach (nature, gravity, duration, and intentional or negligent character) and the categories of personal data affected [EDPB 2022]. Similarly, under Australian law, the so-called reasonable steps that an infringing organization must take to protect personal information are normally assessed by the privacy regulator on an individual basis, taking into consideration the circumstances (e.g., the amount and sensitivity of personal information, whether a security measure itself is privacy invasive, the possible adverse consequences for an individual, etc.) [OAIC 2018]. As such, data protection commissioners may choose to be lenient regarding punishment if the organisation did “the best they could” to protect personal information under the circumstances (even if they failed to prevent a breach of personal data).

Furthermore, under GDPR, a ransomware attack need not be notified unless personal data have been breached in a way that presents a risk to the affected individuals. However, to make this determination, organizations need a rigorous risk assessment process and robust procedures for detecting, investigating, and reporting breaches. GDPR is therefore not just a sword but also a shield; rather than being fearful, organizations should embrace it.


5 CONCLUSIONS

The COVID-19 pandemic resulted in employees around the globe being confined to their private homes to perform work duties in very unprepared circumstances. On a positive note, this led to innovative ways of doing business and accelerated the rate of digital transformation. Employees have adapted to a “new normal” of collaborating remotely with colleagues, and this will be the way of the future as people swap the tedium of daily commutes for the autonomy to work from home.

However, with freedom comes responsibility. Whereas during the COVID-19 pandemic, organizations had no choice but to permit their employees to work from home, under normal circumstances they can insist that certain rules and procedures must be strictly adhered to in return for the concession of not being physically present in the office block. As we demonstrated in this article, there are several aspects of organizational security practices that need to be tailored to the very different requirements of an unsupervised, uncontrolled mid- and post-pandemic environment.

For IT security managers, it is a nightmarish prospect with almost infinite endpoints scattered across a fragmented attack surface. The likelihood of a breach occurring moves from the realm of possible to almost certain, and the complexity is such that artificial intelligence technologies must necessarily be used to detect unusual behaviours [Scott and Kyobe 2021; Alhayani et al. 2021]. However, most breaches still occur because of avoidable mistakes or omissions made by human actors, so the first link in the chain of defense must be to upskill and educate all employees on essential aspects of cybersecurity.

As we have demonstrated in this article, the menace of ransomware evolved through the COVID-19 pandemic and substantially disrupted important business operations in organizations. It is a growing threat that shows no signs of abating. The simple recommendations that we contribute are grounded in an analysis of 39 real-world cases, and we implore educators, practitioners, and researchers to disseminate this guidance.

This study is not without limitations. First, as with qualitative research generally, whose strength lies in rich data rather than statistical representativeness, our results cannot be generalized; a task for future research is to collect additional data on ransomware attacks that took place during the pandemic through a large-scale survey. Second, the use of secondary data is not ideal, although sharing qualitative data for secondary analysis is becoming increasingly common because primary data collection is often costly and time-consuming [Ruggiano and Perry 2019]. We therefore adopted techniques to address the limitations of existing data. When searching for appropriate documents, we had to ensure that the secondary data would indeed serve the study's objective, so we sought official documents that could answer the questions in the interview guide; by and large, this goal was met. Furthermore, Ruggiano and Perry [2019] argue that research conducted for one purpose using data created or collected for another may yield limited results (indeed, some information in these documents was irrelevant to our study). To mitigate this, two researchers were actively involved in data analysis: one author led the process while another oversaw it through frequent meetings. Ultimately, the analysis produced very clear and consistent themes.

The final limitation is the unequal size of the two datasets (26 pre-pandemic ransomware attacks versus 13 mid-pandemic). To keep the comparative analysis consistent, we grouped the ransomware attacks and checked the pre-pandemic and mid-pandemic cases for comparability (Table 3).

APPENDICES

A SAMPLE INTERVIEW QUESTIONS

Questions

Are you aware of any ransomware incidents that happened during the COVID-19 outbreak?

Can you please describe a particular ransomware attack (e.g., attack vector, propagation method, additional crimes)?

What are the characteristics of the organization victim (e.g., size, industry, sector, country)?

Did the victim have backups?

What measures could have prevented this attack?

Have you noticed a ransomware evolution during the COVID-19 outbreak?

What is your advice for organizations against recent ransomware variants?

B QUALITATIVE DATA ANALYSIS CODES AND THEMES

Column headings of the original table: Phase 1: Open Coding (codes); Phases 2a & 2b: Categorization (categories); Phase 3: Comparative Analysis (themes). Below, each Phase 3 theme lists its Phase 2 categories, and each category lists its Phase 1 open codes.

Theme: Multi-crime ransomware
  Category: Theft of sensitive data
    - attackers possess your most sensitive data - this is different to what we have seen before
    - confidential information likely compromised
    - swooping around SharePoint, looking for valuable data
    - sensitive data was definitely accessed
    - sensitive data published online
    - small portion of data appeared on the Dark Web
  Category: Using all opportunities to earn money
    - blackmail attempt as well as extortion
    - ransom demand after blackmail attempt
  Category: Fraud
    - communicating about fraud from victim network
    - selling credit cards from victim network
    - money laundering using victim network
    - fraudster was part of a bigger gang
    - typical fraudsters become technical
    - mandate fraud caused real harm
  Category: Encryption still prevails
    - encrypted server
    - encryption is part of attacks

Theme: Extended attack surface
  Category: Home environments are not secure
    - attackers go after home devices
    - COVID created unstable and uncontrollable environment
    - personal devices are not protected
  Category: VPN connections are not secure
    - remote connections are easy target
    - everyone changed to remote work
    - off the shelf remote connecting devices
    - remote work – lack of proper set up

Theme: Attack vectors changed
  Category: COVID-themed phishing emails containing
    - phishers prey on human fear of COVID
    - email contained COVID-related information, so the employee clicked on a link
    - hackers take advantage of COVID
  Category: Increased number of attacks via VPN
    - a greater range of remote connecting devices is used
    - increased number of attacks via vulnerabilities in remote connecting devices
    - before COVID it was mainly RDP

Theme: Organizational practices were not adapted to COVID
  Category: Challenging working environment
    - fluid hours
    - working from anywhere in the world
    - access restrictions harder to enforce
  Category: Employees did not adapt to COVID
    - normal practices are not adapted to home environment
    - authenticity of document should have been checked
    - employees are more relaxed at home

Theme: Organizations continue security negligence
  Category: Poor password practices
    - accessed hosting provider because of duplicate password
    - hackers wiped out online presence
    - email server down
    - changed DNS settings
    - giving users too much power with admin accounts
    - RDP credentials sold online
    - brute force attacks
  Category: Poor incident response planning
    - the response to ransomware was slow
    - companies are not sure how to respond to data theft
    - long recovery
    - lost control over manufacturing line
  Category: Poor VPN practices
    - attacks on remote tools increased
    - lack of action
    - RDP was left running
    - lack of multi-factor authentication
  Category: Weak security overall
    - poor security posture
    - remove old employees from all systems
    - email forwarding rules have been changed
    - regular patching of remote connection devices not done
    - external scanning is not there
  Category: Hackers know how to stay undetected
    - someone being on network for long time
    - inability to identify if someone was on network
    - inability to identify if data was stolen
    - suspicion that data was stolen, but no confirmation
  Category: Poor security education and awareness
    - phishing is still effective
    - normal that reset page looks different because people working from home
    - password reset on domain controller
    - people are easily deceived when working from home
  Category: Inadequate IT governance
    - COVID lasted longer than expected, but nobody improved remote set up
    - extent of multi-crime ransomware is unknown because of weak practices
    - increased attack surface was ignored
    - IT team incompetence
    - people behaviour is huge risk during COVID and it was not acknowledged
    - people will not obey rules while working from home – this needs to be addressed
    - prioritize what is targeted by hackers - remote connection devices
  Category: Not all hackers are extremely smart, they are just eager to earn money
    - hackers learn from legitimate sources
    - hackers invest a lot of time into planning attacks
    - hackers take advantage of organizations' negligence
  Category: Huge expenses post attack, which could have been avoided if proper investments were made in the first place
    - negligence drives the cost of cybercrime
    - hired external consultants post breach
    - 24-month protection against identity theft
    - stopping personal and medical information from being published
    - monitoring websites used by criminals to publish data
    - free scam blocking protection service
    - customer support line
  Category: Poor network practices
    - lack of network segmentation
    - ability to move around network should be limited

Theme: Backup practices improved
  Category: Better backups
    - backups improved so attacks evolved
    - effective backups helped
    - partial backups helped
    - data restored from backups

Theme: Consequences for individual victims are severe
  Category: Individual victims could be dealing with the data breach for a long time
    - millions of individuals affected
    - potential consequences include fraud
    - potential consequences include identity theft
    - potential consequences include damage of reputation
    - potential consequences include loss of control over personal data
    - potential consequences include loss of confidentiality of personal data
  Category: Data breach as a consequence of ransomware attack
    - data breach was reported to Data Protection Commissioner
    - victims of the data breach were not notified
  Category: Not reporting data breach in time
    - breaking GDPR rules
    - staying silent about attack

REFERENCES

  1. Abukari Arnold Mashud and Bankas Edem Kwedzo. 2020. Some cyber security hygienic protocols for teleworkers in COVID-19 pandemic period and beyond. Int. J. Sci. Eng. Res. 11, 4 (2020), 1401–1407.
  2. Acronis. 2021. Cyberthreats Report: Mid-year 2021. Retrieved from https://dl.acronis.com/u/rc/White-Paper-Acronis-Cyber-Protect-Cloud-Cyberthreats-Report-Mid-year-2021-EN-US.pdf.
  3. Adams Andrew, Siu Tom, Songer Julie, and Welch Von. 2021. Research at Risk: Ransomware attack on physics and astronomy case study. NSF Cybersecurity Center of Excellence, Trusted CI. Retrieved from http://hdl.handle.net/2022/26638.
  4. Archibald Mandy M. and Munce Sarah E. P. 2015. Challenges and strategies in the recruitment of participants for qualitative research. Univ. Alberta Health Sci. J. 11, 1 (2015), 34–37.
  5. Alhayani Bilal, Mohammed Husam Jasim, Chaloob Ibrahim Zeghaiton, and Ahmed Jehan Saleh. 2021. Effectiveness of artificial intelligence techniques against cyber security risks apply of IT industry. Materials Today: Proc. DOI: https://doi.org/10.1016/j.matpr.2021.02.531
  6. Al-rimy Bander Ali Saleh, Maarof Mohd Aizaini, and Shaid Syed Zainudeen Mohd. 2018. Ransomware threat success factors, taxonomy, and countermeasures: A survey and research directions. Comput. Secur. 74 (2018), 144–166. DOI: https://doi.org/10.1016/j.cose.2018.01.001
  7. Bergwall Todd. 2021. Notice of Information Security Incident (Citywide Home Loans). Washington State, Office of the Attorney General. Retrieved from https://www.atg.wa.gov/citywide-home-loans-llc.
  8. Borkovich Debra J. and Skovira Robert J. 2020. Working from home: cybersecurity in the age of COVID-19. Issues Inf. Syst. 21, 4 (2020), 234–246.
  9. Brandenburg Rico and Mee Paul. 2020. Cybersecurity for a Remote Workforce. MIT Sloan Management Review, July 23. Retrieved from https://sloanreview.mit.edu/article/cybersecurity-for-a-remote-workforce/.
  10. Buil-Gil David, Miró-Llinares Fernando, Moneva Asier, Kemp Steven, and Díaz-Castaño Nacho. 2021. Cybercrime and shifts in opportunities during COVID-19: A preliminary analysis in the UK. Eur. Soc. 23, S1 (2021), S47–S59. DOI: https://doi.org/10.1080/14616696.2020.1804973
  11. Choi Kyung-shick, Scott T. M., and LeClair Daniel P. 2016. Ransomware against police: Diagnosis of risk factors via application of cyber-routing activities theory. Int. J. Forens. Sci. Pathol. 4, 7 (2016), 253–258. DOI: https://doi.org/10.19070/2332-287X-1600061
  12. Connolly Lena Yuryna and Wall David S. 2019. The rise of crypto-ransomware in a changing cybercrime landscape: Taxonomising countermeasures. Comput. Secur. 87 (2019), 1–18. DOI: https://doi.org/10.1016/j.cose.2019.101568
  13. Connolly Lena Yuryna, Wall David S., Lang Michael, and Oddson Bruce. 2020. An empirical study of ransomware attacks on organizations: An assessment of severity and salient factors affecting vulnerability. J. Cybersecur. 6, 1 (2020), 1–18. DOI: https://doi.org/10.1093/cybsec/tyaa023
  14. Coveware. 2020. Ransomware Attacks Fracture Between Enterprise and Ransomware-as-a-Service in Q2 as Demands Increase. Retrieved from https://www.coveware.com/blog/q2-2020-ransomware-marketplace-report.
  15. Coveware. 2021. Ransomware Payments Fall as Fewer Companies Pay Data Exfiltration Extortion Demands. Retrieved from https://www.coveware.com/blog/ransomware-marketplace-report-q4-2020.
  16. Crossler Robert E., Johnston Allen C., Lowry Paul Benjamin, Hu Qing, Warkentin Merrill, and Baskerville Richard. 2013. Future directions for behavioral information security research. Comput. Secur. 32 (2013), 90–101.
  17. Dullea Erik, Budke Chris, and Enko Pete. 2021. Cybersecurity Update: Recent ransomware attacks against healthcare providers. Missouri Med. 117, 6 (2021), 533–534.
  18. Eisenhardt Kathleen M. 1989. Building theories from case study research. Acad. Manage. Rev. 14, 4 (1989), 532–550.
  19. Eiza Max, Izuchukwu Okeke Romanus, Dempsey John, and Ta Vinh-Thong. 2021. Keep calm and carry on with cybersecurity @Home: A framework for securing homeworking IT environment. Int. J. Cyber Situat. Aware. 5, 1 (2021), 1–25.
  20. European Data Protection Board (EDPB). 2022. Guidelines 04/2022 on the Calculation of Administrative Fines under the GDPR. Retrieved from https://edpb.europa.eu/system/files/2022-05/edpb_guidelines_042022_calculationofadministrativefines_en.pdf.
  21. Europol. 2020. Internet Organised Crime Threat Assessment. Retrieved from https://www.europol.europa.eu/sites/default/files/documents/internet_organised_crime_threat_assessment_iocta_2020.pdf.
  22. Federal Bureau of Investigation (FBI). 2019. Internet Crime Report. Retrieved from https://pdf.ic3.gov/2019_IC3Report.pdf.
  23. Financial Conduct Authority (FCA). 2022. Remote or Hybrid Working: FCA Expectations for Firms. Retrieved from https://www.fca.org.uk/firms/remote-hybrid-working-expectations.
  24. Fouad Noran Shafik. 2021. Securing higher education against cyberthreats: From an institutional risk to a national policy challenge. J. Cyber Policy 6, 2 (2021), 137–154. DOI: https://doi.org/10.1080/23738871.2021.1973526
  25. Fukumura Yoko E., Schott Joseph M., Lucas Gale M., Becerik-Gerber Burcin, and Roll Shawn C. 2021. Negotiating time and space when working from home: Experiences during COVID-19. OTJR: Occupat. Particip. Health 41, 4 (2021), 223–231.
  26. Fujs Damjan, Mihelič Anže, and Vrhovec Simon L. R. 2019. The power of interpretation: Qualitative methods in cybersecurity research. In Proceedings of the 14th International Conference on Availability, Reliability and Security (ARES'19). ACM, 1–10.
  27. Furnell Steven and Shah Jayesh Navin. 2020. Home working and cyber security: An outbreak of unpreparedness? Comput. Fraud Secur. 8 (2020), 6–12.
  28. Georgiadou Anna, Mouzakitis Spiros, and Askounis Dimitris. 2022. Working from home during COVID-19 crisis: A cyber security culture assessment survey. Secur. J. 35, 2 (2022), 486–505. DOI: https://doi.org/10.1057/s41284-021-00286-2
  29. Guerrero Jennifer. 2022. HIPAA Compliance Guidelines for Remote Workers. Retrieved from https://www.jdsupra.com/legalnews/hipaa-compliance-guidelines-for-remote-9027191/.
  30. Hiscox. 2020. Data Exfiltration during Ransomware Attacks. Retrieved from https://www.hiscox.co.uk/sites/uk/files/documents/2020-07/20816-Data-exflitration-guide-final.pdf.
  31. Health Service Executive (HSE). 2021a. HSE Statement: Friday 28 May 2021. Retrieved from https://www.hse.ie/eng/services/news/media/pressrel/hse-statement-friday-28-may-2021.html.
  32. Health Service Executive (HSE). 2021b. Cyber Attack Response. Retrieved from https://www2.hse.ie/services/cyber-attack/how-it-may-affect-you.html.
  33. Hox Joop J. and Boeije Hennie R. 2005. Data collection, primary versus secondary. In Encyclopedia of Social Measurement, K. Kempf-Leonard (Ed.). Elsevier Science, 593–599.
  34. Hijji Mohammad and Alam Gulzar. 2021. A multivocal literature review on growing social engineering based cyber-attacks/threats during the COVID-19 Pandemic: Challenges and prospective solutions. IEEE Access 9 (2021), 7152–7169.
  35. Hull Gavin, John Henna, and Arief Budi. 2019. Ransomware deployment methods and analysis: Views from a predictive model and human responses. Crime Sci. 8, 1 (2019), 222. DOI: https://doi.org/10.1186/s40163-019-0097-9
  36. Koomson James G. 2021. Rise of ransomware attacks on the education sector during the COVID-19 pandemic. ISACA J. 5 (2021), 1–4.
  37. Lallie Harjinder Singh, Shepherd Lynsay A., Nurse Jason R. C., Erola Arnau, Epiphaniou Gregory, Maple Carsten, and Bellekens Xavier. 2021. Cyber security in the age of COVID-19: A timeline and analysis of cyber-crime and cyber-attacks during the pandemic. Comput. Secur. 105 (2021), 102248.
  38. Maigida Abdullahi Mohammed, Abdulhamid Shafi'i Muhammad, Olalere Morufu, Alhassan John K., Chiroma Haruna, and Dada Emmanuel Gbenga. 2019. Systematic literature review and metadata analysis of ransomware attacks and detection mechanisms. J. Reliable Intell. Environ. 5, 2 (2019), 67–89.
  39. Miles Matthew B. and Huberman A. Michael. 1994. Qualitative Data Analysis: An Expanded Sourcebook (2nd ed.). Sage, Thousand Oaks, CA.
  40. National Cyber Security Centre (NCSC). 2020. Home Working: Preparing Your Organisation and Staff. Retrieved from https://www.ncsc.gov.uk/pdfs/guidance/home-working.pdf.
  41. Norton Rose Fulbright (NRF). 2020. Supplemental Legal notice of information security incident (Magellan Health Inc.). Iowa Department of Justice, Office of the Attorney General. Retrieved from https://www.iowaattorneygeneral.gov/media/cms/5112020_Magellan_Health_Inc_321274ED31DA9.pdf.
  42. Office of the Australian Information Commissioner (OAIC). 2018. Guide to Securing Personal Information: 'Reasonable Steps' to Protect Personal Information. Retrieved from https://www.oaic.gov.au/privacy/guidance-and-advice/guide-to-securing-personal-information.
  43. Porcedda Maria Grazia and Wall David S. 2019. Cascade and chain effects in big data cybercrime: Lessons from the TalkTalk hack. In Proceedings of the IEEE European Symposium on Security and Privacy Workshops (EuroS&PW'19). 443–452.
  44. Reshmi T. R. 2021. Information security breaches due to ransomware attacks: A systematic literature review. Int. J. Inf. Manage. Data Insights 1, 2 (2021), 100013.
  45. Richardson Ronny, North Max M., and Garofalo David. 2021. Ransomware: The landscape is shifting. A concise report. Int. Manage. Rev. 17, 1 (2021), 586.
  46. Ruggiano Nicole and Perry Tam E. 2019. Conducting secondary analysis of qualitative data: Should we, can we, and how? Qual. Soc. Work 18, 1 (2019), 81–97.
  47. SANS Institute. 2020. SANS Security Awareness Work-from-Home Deployment Kit. Retrieved from https://www.sans.org/security-awareness-training/work-home-guide/.
  48. Scott Jasmine and Kyobe Michael. 2021. Trends in cybersecurity management issues related to human behaviour and machine learning. In Proceedings of the International Conference on Electrical, Computer and Energy Technologies (ICECET'21). IEEE, 1–8.
  49. Souppaya Murugiah and Scarfone Karen. 2016. NIST Special Publication 800-46, Revision 2: Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security. National Institute of Standards and Technology (NIST), U.S. Department of Commerce. Retrieved from https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-46r2.pdf.
  50. Sievert Mike. 2021. The Cyberattack against T‑Mobile and Our Customers: What Happened, and What We Are Doing about It. Retrieved from https://www.t-mobile.com/news/network/cyberattack-against-tmobile-and-our-customers.
  51. Swasey Katelyn. 2020. Insufficient Healthcare Cybersecurity Invites Ransomware Attacks and Sale of PHI on the Dark Web. Center for Anticipatory Intelligence, Utah State University. Retrieved from https://www.usu.edu/cai/files/studentpaper-swasey.pdf.
  52. Tidy Joe. 2020. How Hackers Extorted $1.14m from University of California, San Francisco. BBC News, 2020. Retrieved from https://www.bbc.com/news/technology-53214783.
  53. T‑Mobile. 2021. T‑Mobile Shares Updated Information Regarding Ongoing Investigation into Cyberattack. Retrieved from https://www.t-mobile.com/news/network/additional-information-regarding-2021-cyberattack-investigation.
  54. University of California San Francisco (UCSF). 2020. Update on IT Security Incident at UCSF. March 31, 2020. Retrieved from https://www.ucsf.edu/news/2020/06/417911/update-it-security-incident-ucsf.
  55. Xiao Yijing, Becerik-Gerber Burcin, Lucas Gale, and Roll Shawn C. 2021. Impacts of working from home during COVID-19 pandemic on physical and mental well-being of office workstation users. J. Occupat. Environ. Med. 63, 3 (2021), 181–190.
  56. Zhang-Kennedy Leah, Assal Hala, Rocheleau Jessica, Mohamed Reham, Baig Khadija, and Chiasson Sonia. 2018. The aftermath of a crypto-ransomware attack at a large academic institution. In Proceedings of the 27th USENIX Security Symposium. USENIX Association, 1061–1078.
  57. Zhao Jane Y., Kessler Evan G., Yu Jihnhee, Jalal Kabir, Cooper Clairice A., Brewer Jeffrey J., Schwaitzberg Steven D., and Guo Weidun Alan. 2018. Impact of trauma hospital ransomware attack on surgical residency training. J. Surg. Res. 232 (2018), 389–397. DOI: https://doi.org/10.1016/j.jss.2018.06.072


Published in: Digital Threats: Research and Practice, Volume 4, Issue 4 (December 2023), 232 pages. EISSN: 2576-5337. DOI: 10.1145/3629029.

Publisher: Association for Computing Machinery, New York, NY, United States.

Publication History: Received 1 December 2021; Accepted 11 August 2022; Online AM 23 August 2022; Published 20 October 2023.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].
