twitter facebook rss

Ransomware at the University of Hard Knocks

Posted by on September 3, 2016.

I recently happened across an article by ‘next-gen’ provider SentinelOne about ransomware attacks experienced by universities in the UK: Freedom of Information requests reveal 6 out of 10 universities have been ransomware victims and almost 2/3 of targets were hit multiple times.

SentinelOne drew its conclusions from responses to Freedom of Information requests for information directed to 71 universities, of which 58 agreed to give information. According to SentinelOne, 63% of those establishments that agreed have been attacked by ransomware at some point, 56% in the last year. The company points out that all but one of them had an anti-malware solution installed, prompting the company’s Chief of Security Strategy, Jeremiah Grossman, to comment that:

“The fact that all but one of those suffering a ransomware attack had an anti-malware solution installed, confirms the abject failure of traditional solutions to protect against the new, virulent strains of ransomware”

Eek! Looks as if the industry sector to which I provide consultancy services is dead, then. Again.

However, maybe not all is as it seems.

As Kevin Townsend remarked for Security Week in article called Vendor Survey Fails to Convey Prevalence and Effect of Ransomware:

‘…surveys are difficult, and asking the right questions is tricky. Without the right questions, you will always get the wrong answers.’

Without seeing what the questions, it’s not really possible to evaluate the quality of the information. Which is why I don’t usually waste time on a survey that doesn’t make some effort to explain its methodology: this is good, because it means I rarely need to see or write about surveys. 🙂

That said, in my experience, when an organization is asked about malware attacks, it doesn’t differentiate between attacks and successful attacks and malware detected by security software before it can execute unless the questionnaire is designed to help them differentiate. Since we don’t know what the questions were, we don’t know if the respondents were encouraged to differentiate. And you can’t assess the validity of a judgement like Grossman’s about the effectiveness of protective software without knowing:

  • How many of those attacks (if any) were successful. (Kevin wonders whether the attacks succeeded only in the cases where a specific amount of ransom was demanded, but rightly concludes that it’s impossible to say.)
  • Whether the anti-malware in question was correctly installed and configured. And, come to that, whether it was truly representative of the commercial-grade programs in the marketplace where Sentinel One is trying to make its mark.

As a colleague put it in a related discussion:

The phrase “had an anti-malware solution installed” is about as helpful and definitive as “the car had a seatbelt installed” in terms of vehicle accident reports. Was it being used at the time of the accident? Was it being worn correctly?

The report apparently did not find the following, or it would have loudly said so:

“All but one of those suffering a ransomware attack were confirmed to have an appropriately configured and managed anti-malware solution installed at the initial point of infection at the time the infection occurred.”

While it’s often claimed that healthcare, academia and so are heavily targeted (I don’t know how true that is) there’s certainly a lot of ransomware that is no more targeted than other malware spread by phishing campaigns, compromised web services and so forth. It isn’t really possible to draw conclusions as to whether these institutions were intentionally targeted from the size of ransom quoted. $100 isn’t outlandishly low for ransomware targeting the world in general and especially un-savvy home users. In the absence of any solid data, I’d be inclined to think that it suggests an untargeted campaign in which at least one bottom-feeder ransomware program got through to one or more machines. Five Bitcoin is starting to move towards the higher end of the ransom-demand spectrum, but it still doesn’t by any means prove a true targeted attack.

If SentinelOne’s suspicion about multiple attacks from the same source is correct, that could as easily be a poorly organized mail campaign as a targeted attack. We just don’t know whether the same samples of the same malware were used every time. We don’t know how many attacks were successful. We don’t know how many attacks succeeded in getting past solid, properly-installed and correctly-configured anti-malware technology.

I’m certainly not going to say that it’s impossible that any attacks succeeded, or suggest that anti-malware solutions, of whatever generation, are guaranteed to detect all ransomware, or all malware of any sort: that’s exactly why reputable researchers tend to advocate multi-layered defence rather than relying on a single-layer solution. Nor do I think that there is no place in the security world for companies that take different approaches to defensive security: there is no One True Way. Though I do believe that the claims of a clear-cut distinction between ‘fossil’ and ‘next gen’ technologies are mostly marketing fluff. Old-school vendors know their way around machine learning and behaviour analysis too, you know, even if their technical focus tends to be broader.

But should we take it as read that a so-called next generation product, had one been installed by any of the institutions contacted – not that we know what products were installed – would have fared any better? Sometimes the lack of supporting data is, in itself, unexpectedly revealing.

David Harley

Leave a Reply

Your email address will not be published. Required fields are marked *

Submitted in: David Harley | Tags: , , ,