
Mike Gillespie

On ransomware

Ransomware is coming to a physical system near you, writes Mike Gillespie.

Recent news stories revealed that 70 per cent of the police video surveillance recorders in Washington DC were actually off in the days prior to the inauguration of Donald Trump. This was the result of a cyber-attack using malware from the ransomware family. Ransomware is a particularly nasty exploit which, simply put, maliciously encrypts files and demands a ransom for their release. This pernicious and sinister form of malware has been used on hospital trusts, charities and police departments with impunity. In this case, systems were apparently attacked eight to 12 days prior to the presidential inauguration event, and four recording machines that are responsible for recording almost three-quarters of the camera images in the capital were affected by two kinds of this malware. Although there has been no confirmation that a ransom was demanded, it has been confirmed that none was paid, and in fact two people were arrested by the NCA in London and face trial in April for this crime.

This isn’t the only case of ransomware attacking physical systems in the press lately. Another recent story discussed the hacking of a hotel in an upmarket Austrian lakeside resort. While initial reports stated that guests were locked in their rooms by a ransomware attack (which seemed unlikely, given that it was the card entry system that was attacked), it was soon clarified that if they left their rooms they were unable to return, as their key cards would not work. We had expected the rise of ransomware to continue, but its expansion into such physical systems has happened swiftly and we, as security professionals, need to catch up.

When it comes to the inauguration hack, we are going to have to wait for the trial to find out what actually happened, but there are some things that stand out. It was reported that police effectively had to rebuild these recorders after they were crippled by this attack, but no one has mentioned a ransom. Normally when a ransomware demand is reported, the price, usually in Bitcoin, features quite heavily in media reporting, but there has been no mention of it in this instance. The recorders were out of action for three days, but we don’t know how long it took for their infection to be discovered. As is so often the case, there are more questions than answers. Some of those questions relate to the individuals arrested: one British national and one Swedish national, who are both in their 50s. It is an unusual age bracket and does not fit the profile we have come to expect of many hackers, whether those building tools for financial gain, often for organised crime groups, or ‘script kiddies’, the term used for talented young people who are building malicious code for fun or kudos among their peers. This doesn’t appear to fit either of those profiles.

So the motive is unknown, but we can speculate on a few. For instance, it may have been a politically motivated attack, based on conflicting ideology. It can’t be denied that the new president has divided worldwide opinion and, as such, could have been a target for disruption and chaos by politically motivated hacktivists. If this was the case, then the safety of the crowds of visitors, inhabitants and the President himself might have been compromised, and had this vital security system not been restored in time, it could have jeopardised the ceremony going ahead, causing significant disruption to a great many people. Although it would never have stopped his inauguration, it could have served as a very effective protest action and drawn attention to certain pockets of resistance to his administration.

It is also possible that the inauguration was simply a convenient distraction. The plan may have been to carry out another activity in DC while attention was on Capitol Hill, with the attack on the cameras ensuring that police oversight was effectively dark during the required period, and this is why we have not heard any detail of any sort of ransom demand. Perhaps a robbery or high-profile crime was the real objective, and the successful completion of that crime needed the recording systems to be disabled. We have seen that kind of distraction technique used many times in the annals of crime. Indeed, we see a growing number of incidents of the cyber version of this methodology: a server or website is attacked with a Distributed Denial of Service (DDoS) attack to distract attention from the objective crime being carried out elsewhere on the network. This works by sending huge numbers of ‘visits’ or page requests, for instance, which overloads the network or website and causes it to crash. This means genuine visitors find the website or service is unavailable to them, hence the name: denial of service. It can be hugely disruptive and has the potential to cost businesses dearly in loss of trade, for instance. But whilst it is an incredibly damaging attack in and of itself, it has found this bonus application too.
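The defender's side of the flood described above is spotting it early: a request rate per client and overall that is far above normal. The following is an added example, not code from the article or its author, that counts requests in a sliding time window over web-server access logs. The log lines are constructed for the example, and the window length and the per-source and total limits are assumptions that a real deployment would set from its own baseline.

```python
"""Request-flood detection over access logs (added example, not from the article).

Parses Common Log Format style lines, then keeps a sliding window of request
timestamps per client and overall. Sources whose peak count in any window
exceeds a limit are flagged, and the overall peak is compared to a capacity
limit so the total load is visible even when no single source stands out.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample: one client sends 8 requests in a single second while
# two ordinary clients make a handful of requests around it.
SAMPLE_LOG = "\n".join(
    ['198.51.100.4 - - [20/Jan/2017:10:00:00 +0000] "GET / HTTP/1.1" 200 512']
    + ['203.0.113.7 - - [20/Jan/2017:10:00:01 +0000] "GET / HTTP/1.1" 200 512'] * 8
    + ['198.51.100.9 - - [20/Jan/2017:10:00:05 +0000] "GET /login HTTP/1.1" 200 1024',
       '198.51.100.4 - - [20/Jan/2017:10:00:30 +0000] "GET /about HTTP/1.1" 200 2048']
)

# Client address, two ignored fields, then the bracketed timestamp.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\]')
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def parse_log(log_text):
    """Return a list of (timestamp, client_ip) sorted by time; malformed lines are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # a flood is no time to crash on a garbled line
        ip, ts = m.group(1), m.group(2)
        entries.append((datetime.strptime(ts, TS_FORMAT), ip))
    entries.sort(key=lambda e: e[0])
    return entries


def peak_rates(entries, window_seconds):
    """Peak number of requests per source and overall within any window of the given length."""
    per_source = defaultdict(deque)
    overall = deque()
    peak_source = defaultdict(int)
    peak_total = 0
    for ts, ip in entries:
        q = per_source[ip]
        q.append(ts)
        # Drop timestamps that have fallen out of the window ending at ts.
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        peak_source[ip] = max(peak_source[ip], len(q))

        overall.append(ts)
        while (ts - overall[0]).total_seconds() > window_seconds:
            overall.popleft()
        peak_total = max(peak_total, len(overall))
    return dict(peak_source), peak_total


def find_flood_sources(log_text, window_seconds=10, per_source_limit=5, total_limit=20):
    """Flag sources above per_source_limit and report whether total load exceeded total_limit.

    The limits are assumed values for this example; set them from a measured baseline.
    """
    peak_source, peak_total = peak_rates(parse_log(log_text), window_seconds)
    flagged = {ip: n for ip, n in peak_source.items() if n > per_source_limit}
    return {
        "flagged": flagged,
        "peak_total": peak_total,
        "overloaded": peak_total > total_limit,
    }


if __name__ == "__main__":
    print(find_flood_sources(SAMPLE_LOG))
```

On the constructed sample the single noisy client is flagged with a peak of 8 requests in the window, while the overall peak of 10 stays under the assumed capacity limit. The point the article makes about distraction applies to how an alert like this is handled: a flood that trips the total-load check is a reason to keep watching the rest of the network, not to move everyone onto the web server.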

So the inauguration attack was a carefully timed and highly specific attack, using two different kinds of ransomware, which may or may not have been used to extort money, carried out by attackers with an unexpected profile and an unknown motive. People could have been the target, disruption could have been the target, or it could have been a simple politically motivated protest. The standout fact is that it is one of a growing number of physical systems that have been attacked and disabled or damaged from cyberspace. The fact that we saw the hotel key-coding system attacked in the same month shows that we are potentially looking at the birth of a new trend. This is one of the first times we have seen ransomware used on a physical system, and although we don’t know the motive, the very fact that a physical system can, in effect, be held to ransom should give any security professional pause for thought about the systems they manage and whether they could potentially be attacked in this way. Next time it may not be a recording system or a key-coding system.

We do cyber security, we all do cyber security. The real question is not if we do it, it is how well.