Ransomware – a conundrum for local councils

By James Parry, Technical Manager, Auriga

Is our data being held to ransom without us even knowing it? When Lincolnshire County Council fell victim to a ransomware attack at the beginning of the year, SOCITM Director of Policy and Research was quick to reassure that the attack was “the exception rather than the norm”. But a recent Freedom of Information (FOI) Act request published in June reveals that nearly a third of local councils fell victim to ransomware attacks during 2015.

The attack against Lincolnshire County Council was reportedly due to a phishing attack which saw an unwitting employee opened a phishing email that lead to the CryptoLocker malware quickly spread throughout the network, compromising 300 computers. The ransomware encrypted files before demanding a £500 ransom fee which then spiralled to £1 million in Bitcoin. The council refused to pay the fee and worked rapidly to get its systems back online, requiring the 458 servers and 70 terabytes of data to be scanned and checked, but that still saw the council reduced to pen and paper for a week.

Interestingly, the FOI request also revealed that 35 percent of those councils questioned were unwilling to disclose whether they paid or not and this is a problem because the high payout rate is fuelling these threats. Of course, even if you pay, there are no assurances that you will get your data back, nor that you won’t be targeted again (the FOI request revealed that one unlucky council had been targeted no less than thirteen times although it’s unknown as to whether they had paid out following any of those attacks).

Ransomware is one of the fastest growing attack vectors because it allows the perpetrator to profit from the attack so quickly. According to the Verizon Data Breach Investigations Report (DBIR) 2016, ransomware attacks are up 16 percent compared to the previous year. Others have reported that there are now 124 types of ransomware due to the fact the source code is readily available and that there has been a 3,500% increase in the use of criminal web domains which host the payment mechanisms used to profit from these attacks. Those statistics sound alarming but the scale of these attacks can actually work in the organisation’s favour.

There’s been a great deal of advice bandied about concerning whether you should/shouldn’t pay and what security mechanisms you should have in place (as an aside, ensuring your anti-virus is up to date, while advisable, is not an effective safeguard as many of these attacks are zero days and increasingly using obfuscation techniques). But in reality the best form of defence is to ensure you have an air-gapped source of back-up for your data (with back-ups performed at least daily) and, given the likelihood of an attack, that you take an offensive position by monitoring activity and scanning incoming traffic.

As we’ve already covered, ransomware is continually evolving, making signature detection on the network complex. However, the organised and prolific nature of this malware, with multiple domains, and the fact that the preferred method of attack is via phishing, make it advisable to monitor activity. Organised campaigns will usually generate some form of ‘noise’ through a peak in activity and background chatter. Using a machine-learning Security Operations Center (SOC) it is possible to capture and correlate events to detect patterns that could be indicative of an attack. Moreover, because the SOC ‘learns’ over time, detection rates will continually improve.

Local councils can use SOC-as-a-Service to provide them with this capability, effectively monitoring activity on external networks using filters to look for activity aimed at the local government sector. The SOC is also able to capture suspect emails which originate from unfamiliar sources or behave in an anomalous manner and flag these to the data analyst team, effectively creating an outward and inward form of network monitoring that is tailored to the organisation.

Going forward, the ransomware threat is likely to proliferate as ransomware-as-a-service takes hold, effectively seeing organised criminal gangs sell campaigns that seek to exploit the weaknesses of specific sectors. With local government organisations renowned for their aging systems, poor back-up and low investment in cyber security solutions, the sector will continue to be a prime target. But as of now, the sector has a real opportunity to improve its defences by utilising state-of-the-art monitoring and the specialist data analysis associated with SOC-as-a-service. That has to make more sense than building up a Bitcoin reserve.


Auriga Consulting Ltd, a centre of excellence in Cyber Security and Monitoring Services. With a renowned track record of succeeding where others have failed. Offering its clients a cyber protection journey from design through to continuous monitoring, Auriga’s Consultants and Analysts have tailored solutions no matter the size of your organisation.