When a 17-year-old boy from Walsall was arrested last month on charges of blackmail and offences under the Computer Misuse Act, a group of teenage computer saboteurs and bandits who go by the name of Scattered Spider briefly came out of the shadows. These perpetrators of cybercrime have become notorious for going after giant corporations.
“Ransomware gangs are aggressively targeting victims and coming up with increasingly innovative ways to try to obtain ransom payments,” said Will Lyne, head of intelligence at the National Cyber Crime Unit, part of the National Crime Agency (NCA).
The secret cybersecurity unit, breaking cover at its secure central London office, works with the National Cyber Security Centre at GCHQ, the FBI and the Australian secret service to bring down cybercriminals operating out of the former Soviet Union and Europe.
The stakes are huge, as ransomware can threaten the existence of a business whose owners do not want, or cannot afford, to meet the attackers’ demands. “The harms aren’t just limited to the financial costs of paying ransom and restoring systems. The harms are psychological, economic and all sorts,” said Lyne.
Scattered Spider uses “social engineering” methods such as phishing — luring readers to click on emails — to gain valuable data. One of its tactics is Sim “swapping”. The hackers use phishing to pick up data such as the victim’s name and their Sim card number, which will be unique to their phone. They then contact the victim’s mobile phone company, pretending to be them, and ask for the Sim card to be activated on another phone — often by claiming the original was lost or stolen.
Once the Sim has been swapped to a new phone, the hackers can use it to gain access to the victim’s other digital accounts. Having control of a Sim means they can get around two-factor authentication, whereby temporary codes are texted to people’s phones to help them log in to accounts.
“Malicious email approaches or social engineering allow them to steal data and conduct fraud. They contact people and send emails and SMS messages to manipulate either help-desk staff or end-users,” said Don Smith, head of threats at the cybersecurity firm Secureworks.
So what can companies do to combat the threat? They need active defence strategies, according to Lyne: “Firms need to be updating software, using strong passwords and multi-factor authentication, and ensuring that staff are aware and have training on things like phishing.
“There’s a big human dimension to online security,” Lyne added. “If you’ve got negligence, sloppiness or untrained people, then you’re as vulnerable as if you had no online security at all.”
He added a further warning on the trend for home working: “When you’re working from home you are accessing your company’s IT remotely. That is exactly what the threat actor wants to do. That’s when security of your IT communications is so critical.”
Crooks have at least four ways of extorting a ransom out of a victim once they have infiltrated their computer.
When a company receives a ransom demand from an anonymous source after its computer has been encrypted and made unusable, it has become the victim of what security experts call “traditional extortion”.
“‘Double extortion’ means they steal data and threaten to release it,” said Lyne. “Triple extortion involves contacting the victim’s customers and partners and notifying them that sensitive data has been stolen and could be disclosed if the victim does not pay. They add in another attack, such as a denial of service, to increase the pressure on a victim to pay, in what we call quadruple extortion.”
Denial of service typically involves bombarding a company website with traffic, knocking it offline.
Ransomware groups also create data-leak sites, where they post stolen personal or sensitive data to maximise the pressure.
Scattered Spider is an exception among ransomware groups. Many other such gangs are based in the former Soviet Union and receive protection from the Putin regime in return for a percentage of their takings.
“Russia is a very permissive country for cybercriminals,” said Lyne.
Cybercrime services such as encryption, coding and translation can be bought on the dark web in what Lyne calls a ransomware “ecosystem”.
However, infiltration of these markets has enabled secret services to track the key cybercrime actors, say industry insiders, and they have had some success against ransomware gangs. In February, the NCA and the FBI brought down the LockBit group — a Russian gang with 200 smaller groups or affiliates that paid a membership fee to use its software.
LockBit had promised the data of victims who had paid ransoms would not be leaked, but investigators found this was a lie. “People who pay ransoms should ask themselves what benefits they received,” said James Babbage, the NCA’s head of threats, who formerly worked at GCHQ and was a key investigator in the LockBit takedown.
Ultimately, the decision to pay a ransom is one of the toughest to make for victims of corporate cybercrime. When Scattered Spider attacked the American resorts giant MGM last September, it demanded a $30 million ransom. Chief executive Bill Hornbuckle told The Sunday Times this month: “We refused to pay a ransom. And we never closed. We got through it.”