The latest roundtable discussion from Security on Screen analyses the recent ransomware attack against the UK rail network Merseyrail, and how sticking to standard industry protocols can take a lot of courage during times of adversity.
UK rail network Merseyrail has confirmed a Lockbit ransomware attack after the gang used the company's own email system to contact employees and journalists. Merseyrail, which provides train services across 68 stations in the Liverpool City region, said in a statement that an investigation was underway and that it would be inappropriate to comment any further.
On 18th April, employees and journalists received an unusual email sent from the mailbox of Merseyrail's Managing Director, Andy Heath, with the subject ‘Lockbit Ransomware Attack and Data Theft’. In it, the threat actors told employees that a previous weekend's outage had been downplayed and that the company had in fact suffered a ransomware attack in which the hackers stole employee and customer data.
Included in the email was a link to an image showing an employee's personal information that Lockbit allegedly stole during the attack.
A simple email
Over the past year, ransomware gangs have become increasingly aggressive in their extortion tactics: attackers now steal a victim's data before encrypting its files, so that the threat of publication adds to the pressure to pay. In this case that pressure was delivered by something as simple as an email.
Javvad Malik, Security awareness advocate at KnowBe4, comments: “This unfortunate incident is a reminder as to why email accounts should be considered part of critical systems for any organisation.
“Criminals will target emails as part of phishing attacks to install malware or attempt to take over email accounts so that they can masquerade as employees or siphon off critical information. Organisations should ensure they have robust controls protecting their email including email gateways, spam filters, multi-factor authentication, and user awareness and training.”
Brian Higgins, Security Specialist at Comparitech.com, agrees: “This kind of extortion strategy is becoming ever more common in cases of ransomware. Not content with encrypting data and demanding money, criminals have caught on to the fact that if their successful breaches are made public before their victims can implement any incident response plans, they have an extra layer of leverage to encourage payment more quickly.
“Whether it’s contacting potentially affected customers and/or staff or notifying the media (both of which tactics appear to have been used in this case) the added pressure to resolve the issue can often force victim organisations to bypass security policies and pay up.”
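The pattern the commentators describe, a legitimate internal mailbox suddenly fanning out to staff and outside journalists with an extortion subject line, is something a mail administrator can look for in gateway message-tracking logs. The following is an added example written for this page, not Merseyrail's or any vendor's tooling: the log format, the internal domain, the thresholds and the sample entries are all constructed assumptions.

```python
"""Flag an internal mailbox that bursts mail to many recipients, spreads to
several outside domains, or uses extortion wording in the subject.
Added example; log format, domain, thresholds and data are assumptions."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

INTERNAL_DOMAIN = "example.co.uk"      # assumption: the organisation's own domain
WINDOW = timedelta(minutes=10)         # assumption: burst window for one sender
MIN_RECIPIENTS = 5                     # assumption: distinct recipients in the window
MIN_EXTERNAL_DOMAINS = 2               # assumption: distinct outside domains
EXTORTION_WORDS = ("ransomware", "data theft", "leak", "bitcoin")

# Constructed sample log (not real data). Assumed format, one message per line:
# ISO timestamp | sender | recipient | subject
SAMPLE_LOG = """\
2021-04-18T08:30:00 | md@example.co.uk | alice@example.co.uk | Board pack for Tuesday
2021-04-18T09:01:10 | md@example.co.uk | bob@example.co.uk | Lockbit Ransomware Attack and Data Theft
2021-04-18T09:01:11 | md@example.co.uk | carol@example.co.uk | Lockbit Ransomware Attack and Data Theft
2021-04-18T09:01:12 | md@example.co.uk | dave@example.co.uk | Lockbit Ransomware Attack and Data Theft
2021-04-18T09:01:13 | md@example.co.uk | erin@example.co.uk | Lockbit Ransomware Attack and Data Theft
2021-04-18T09:01:15 | md@example.co.uk | newsdesk@example-news.org | Lockbit Ransomware Attack and Data Theft
2021-04-18T09:01:16 | md@example.co.uk | reporter@example-press.net | Lockbit Ransomware Attack and Data Theft
2021-04-18T10:15:00 | carol@example.co.uk | dave@example.co.uk | Re: timetable change
2021-04-18T10:20:00 | carol@example.co.uk | vendor@example-supplier.com | PO 4471
2021-04-18T11:05:00 | carol@example.co.uk | erin@example.co.uk | Lunch?
"""


@dataclass
class Event:
    ts: datetime
    sender: str
    rcpt: str
    subject: str


@dataclass
class Finding:
    sender: str
    window_start: datetime
    recipients: int        # distinct recipients in the flagged window
    external_domains: int  # distinct outside domains among those recipients
    subject_hit: bool      # any extortion keyword seen in a subject


def parse_log(text):
    """Parse the assumed 'ts | sender | rcpt | subject' format into Events."""
    events = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, sender, rcpt, subject = (f.strip() for f in line.split(" | ", 3))
        events.append(Event(datetime.fromisoformat(ts), sender.lower(),
                            rcpt.lower(), subject))
    return events


def is_external(addr):
    return addr.rsplit("@", 1)[-1] != INTERNAL_DOMAIN


def find_mass_mail_bursts(events):
    """One Finding per internal sender whose mail inside any WINDOW reaches
    MIN_RECIPIENTS and either spreads to several outside domains or carries
    extortion wording. The largest qualifying window per sender is kept."""
    by_sender = defaultdict(list)
    for e in events:
        if not is_external(e.sender):   # only internal accounts can be "taken over"
            by_sender[e.sender].append(e)
    findings = []
    for sender, evs in by_sender.items():
        evs.sort(key=lambda e: e.ts)
        best, start = None, 0
        for end in range(len(evs)):
            while evs[end].ts - evs[start].ts > WINDOW:   # slide the window
                start += 1
            window = evs[start:end + 1]
            rcpts = {e.rcpt for e in window}
            ext = {e.rcpt.rsplit("@", 1)[-1] for e in window if is_external(e.rcpt)}
            hit = any(w in e.subject.lower() for e in window for w in EXTORTION_WORDS)
            if len(rcpts) >= MIN_RECIPIENTS and (len(ext) >= MIN_EXTERNAL_DOMAINS or hit):
                if best is None or len(rcpts) > best.recipients:
                    best = Finding(sender, evs[start].ts, len(rcpts), len(ext), hit)
        if best is not None:
            findings.append(best)
    return findings


if __name__ == "__main__":
    for f in find_mass_mail_bursts(parse_log(SAMPLE_LOG)):
        print(f"{f.sender}: {f.recipients} recipients, {f.external_domains} "
              f"outside domains, extortion wording={f.subject_hit} from {f.window_start}")
```

On the constructed log the routine flags only the md@ mailbox (six recipients across two outside domains with an extortion subject inside one minute) and leaves carol's ordinary traffic alone. Thresholds should be tuned against the organisation's normal fan-out; the point is that the combination of burst volume, external spread and subject wording is far rarer for a genuine executive than any one signal on its own.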
Dangerous development
According to Niamh Muldoon, Global Data Protection Officer at OneLogin, ransomware is the one criminal activity with a high direct return on investment. She continues: “Attackers are especially motivated to execute these types of attacks as employee and customer data can be held ransom for financial payment.
“Furthermore, taking the global economic environment and current market conditions into consideration, cyber criminals will of course focus on this revenue generating stream, with ransomware attacks growing by more than 150 percent in 2020.
“It is foreseeable that these attacks will continue throughout 2021, with national infrastructure being a primary target for cybercriminal groups. Therefore, the overall key message here is that no individual, industry, or company is exempt from the ransomware threat and it requires constant focus, assessment and review to ensure you and your critical information assets remain safeguarded and protected against it.”
Martin Jartelius, CSO at Outpost24, suggests: “This is the evolution we see with ransomware. Earlier it was the loss of access to your information that was the primary driver, but readiness and protection in some organisations mean this is sometimes an insufficient motivation to pay.
“Leveraging trade-secrets for extortion is sometimes used, or in cases like this, a push for releasing private information leaning on GDPR and public pressure is also used as an incentive. All those are ways to attempt to monetise from a breach without having to find a willing buyer of the information but rather ‘sell it back’ to its original owner.
“In this case, paying is actually hard to grasp as it will depend entirely on the ethics of the attacker that they don’t take the money and then simply keep asking for more, i.e. you do not recover or achieve anything by a financial transaction.”
Corporate courage
Nikos Mantas, Incident Response Expert at Obrela Security Industries, says the primary reason ransomware is such a prolific attack method is its profitability. He says: “This is because a cyclical economy is formed by ransomware attacks, as a majority of the victims choose to pay to get their data back, which only fuels the industry and goes on to create more attacks.
“Companies should instead focus on prevention and transition to a ‘security in-depth’ model combining not only traditional security mechanisms but also controls for access and identity management. To do this, employee awareness of ransomware is vital, as are continuous backups and up-to-date software and security solutions on all devices accessing the IT network.”
“We should hope that Merseyrail is prepared to respond to ransomware, including the potential operational disruptions that come with that response,” adds Paul Norris, Senior Systems Engineer at Tripwire. “But while we tend to focus on the response to ransomware, prevention is still the best way to deal with the threat.
“Ransomware doesn’t magically appear on systems, and the methods by which it’s introduced into an environment are generally well understood: phishing, vulnerability exploits, and misconfigurations. That is why hardening systems helps to safeguard the integrity of your digital assets and protect against vulnerabilities.”
Brian Higgins concludes: “It would appear that, in this particular instance, Merseyrail are holding their nerve and following industry standard protocols. It takes corporate courage to back up your data, inform the relevant authorities and keep hold of your cash. I hope Merseyrail come out of this successfully and provide a case-study of good practice for future cyber-crime victims.”