In January 2017, Lloyds Bank was threatened by a cyber-attack caused by a distributed denial of service (DDoS), but it didn’t pay a ransom. The cyber-criminals involved with the incident attempted to block access to 20 million UK accounts. “The denial of service attack ran for two days from Wednesday 11 January to Friday 13 January, as Lloyds, Halifax and Bank of Scotland were bombarded with millions of fake requests designed to grind the group’s systems to a halt. Usually in a distributed denial of service attack the criminals demand a large ransom, to be paid in bitcoins, to end the onslaught.” wrote Patrick Collinson in The Guardian on 23rd January 2017.

Ransomware success

Around that time, Proofpoint’s Adenike Cosgrove told Computer Business Review: “Ransomware has proven to be a successful business model with attackers collecting more than $209 million from victims during the first three months of 2016 alone, and the volume of attacks was ten times higher than all of 2015. Ransom amounts have tended to be relatively fixed at $300-$1k per machine.  As long as the return on investment remains high for attackers, it seems likely that ransomware will continue to be a significant threat.”

The trouble is that quite a number of organisations aren’t taking the threat of ransomware seriously enough. David Trossell, CEO and CTO of data acceleration company Bridgeworks therefore adds: “Just look at the Korean hosting company Nayana: It cost them $1m to unlock their customer files, and yet how much would it have cost them to put in place a back-up process?”

Like with British Airways’ recent IT downtime debacle that caused many passengers to end up being stranded, there is a reputational cost to add to the financial expense of any incident caused by either human error or by a cyber-attack. The cost of back-up data is likely to be far less because it’s better to take preventative action than to find a cure for a disaster.

Loss of control

Rahme Mehmet, a P.R. consultant working on the behalf of cloud security firm CTERA, writes in an email pitch to me: “Just a month after WannaCry targeted computers running Microsoft Windows [in May 2017], cyber criminals prove they’re one step ahead again as the University College London in the UK is under attack.”

She feels this represents another example of tragic loss of cyber-control, and one that asks a crucial question: “What is being done to minimise exposure and to avoid these attacks?” Whatever is being done, she adds: “Between WannaCry and today’s UCL attack, it’s clear ransomware is gaining in sophistication. Even as our thoughts are with the university, there’s no doubt all organisations are considering their strategies for countering ransomware.”

Mehmet also cites her client Liran Eshel, CEO of cloud security company CTERA, who says: “If we can’t eliminate, we must minimise. Companies must enable the rapid recovery of attacked data and files. Until they actually figure out how to stop ransomware by building the right safeguards that eliminate enterprise vulnerabilities. Until then, organisations need to be ready to catch and recover from some serious ransomware crypto-lock events. One consideration: strategic file sync and backup procedures that minimise recovery points to as little as five minutes while making a full recovery of encrypted data.”

DDoS explained

With regards to the attack on the banks, one has to ask other questions too, such as: “Is a DDoS attack really the way that ‘ransomware attacks’ occur?” Both can be significantly damaging to organisations, and the fact that banks have been hacked raises questions about how tough their security really is. Also, a DDoS attack usually occurs when an attacker floods an organisation’s servers with traffic to the point that they collapse.

Clive Longbottom, Client Services Director of analyst firm Quocirca, says that ransomware attacks don’t usually begin with a DDoS attack: “This is quite an unusual one.  The core ransomware attacks are carried out through dropping emails or web links through to individuals who then download a payload onto their machine. That payload then, at some point (can be a long time into the future to make forensics more difficult) starts to encrypt all data that is within reach of that machine – and also infects other machines.  As such, a single infected machine can possible encrypt every bit of data within an organisation.”

Ransomware differences

In contrast, a ransomware attack is usually undertaken by infecting a computer or a device with malware that installs itself covertly. It either mounts a cryptovirology attack or hold the victims’ data hostage, requiring the payment of a ransom to release it. “Ransomware attacks are now a fact of life and so organisations must act accordingly [as] attacks come via a variety of vectors”, claims Tony Lock, Director of Engagement at analyst firm Freeform Dynamics. He rightly says that anyone in an organisation – including in a financial services institution such as a bank – could be targeted by a generic or sophisticated attack.

Top 5 tips against ransomware

Trossell, Longbottom and Lock therefore offer their top tips to help banks and other organisations to counter ransomware attacks:

  1. Back-up is your back-stop, and so place a big air gap between your systems and back-up by using tape or remote locations.
  2. Keep all platforms up to date in terms of the operating systems, middleware and applications they run.
  3. Ensure that multi-level means of addressing each problem are in place
  4. Do not count on user education to avoid encryption ransomware attacks. Users forget: accept that it is likely to happen and plan for recovery.
  5. Review business security needs regularly and test security measures frequently.

Longbottom concludes with some invaluable advice: “Be prepared, don’t pay!” To pay any form of ransom would only service to encourage the ransomware attackers to harm other organisations. He also suggests that the type of DDoS attack suffered by the banks is easy to avoid:

“There are plenty of load balancing services out there that can identify when such a DDoS attack is happening, redirect traffic and throttle or airlock the DDoS traffic so that it does not have a massive effect on other users.  Behavioural analytics can also be used – although the IP addresses that the DDoS attackers use are changed rapidly, they can still be picked up by blockers and blacklisted.”

Banks and financial services organisations, as well as any other, should also keep a clear picture of the systems and data they need to protect. Lock also highlights that it’s also worth noting that even a DDoS attack can be a ransomware attack if a ransom is demand by the cyber-attackers. So while it is possible to confuse the differences between one type of attack to another, they can all potentially cause the same kind of financial, operational and reputational damage to your organisation.

To ensure your organisation is protected you therefore need to keep a step ahead of the attackers, and your first line of defence means that you must train your staff to protect themselves and your organisation. So ransomware can be countered if the right steps and systems are in place to prevent it from running riot against organisation. When it comes to cyber-security there is no time like the present to invest in solutions, process and training to protect your company.


Webinar recording: Cybersecurity and the New Definition of ‘Adequate’

Webinar Replay: Cybersecurity and the New Definition of 'Adequate'The threat landscape for financial institutions has changed considerably since the DDoS attacks of 2012. Watch this webinar with Rich Bolstridge, Chief Strategist, Financial Services, at Akamai Technologies for an overview of how the definition of “adequate cybersecurity” has shifted.


Graham Jarvis

Graham Jarvis

Graham Jarvis is a widely published freelance business and technology journalist who began his writing career in 1999. He has edited online marketing and technology publications for organisations such as the Chartered Institute of Marketing’s Technology Group (CIMTECH). His journalism appears in publications such as CloudPro, CloudTech, IT Pro Portal, Computerweekly, Cloud Computing Intelligence, City A.M, FSTech, CIO magazine, IoT News, Tech City News, Financial Director, Facilities Manager,Banking Technology. His work has also appeared in technology supplements for the Daily Telegraph and Sunday Telegraph.
Graham Jarvis