
Ransomware Attack on The Edinburgh Festival Fringe Society



by Ryan Miller


Summary

Non-profit organizations are attractive targets for cybercriminals because of limited security budgets, outdated technological infrastructure, ideological opposition, and their possession of sensitive data that is valuable on the black market. The ransomware attack on The Edinburgh Festival Fringe Society falls under [7.1.1 Zero-day malware] of the standard. To effectively combat the diverse cyber threats targeting non-profits, it is crucial to understand the various types of attacks and implement proactive measures in line with security requirements, as set out in the international email security standards of the International Telecommunication Union (ITU). The following text analyzes actual hacking incidents in non-profit organizations, explores different attack vectors, and proposes response solutions based on international standards.


1. Overview



Non-profit organizations emerge as prime targets for cybercriminals for several reasons. Firstly, they often lack the resources to maintain dedicated security teams and run outdated technological infrastructure that is relatively easy to breach. Most non-profits face various constraints on funding their security efforts. Since most of the revenue a non-profit generates is used to advance its core mission, only a limited budget is typically allocated to maintaining robust firewalls or bolstering IT security systems. This leads to weakened systems, making both information and funds susceptible to attacks. Adrien Ogée, Chief Operating Officer of the CyberPeace Institute (a Switzerland-based non-profit organization offering cybersecurity support to NGOs), highlights, "Non-profits have one of the lowest levels of self-protection within the industry."

Beyond mere financial motives, non-profit organizations also face threats from ideological actors, such as political or extremist entities. Because non-profits hold diverse philosophies, they become targets for individual actors who are driven by hatred of those ideologies and aim to disrupt operations. Furthermore, the valuable resources, as well as the billing and medical data, held by non-profits make them lucrative targets on the black market. Given that every non-profit organization relies on donors, the vulnerabilities of these donors serve as potential entry points for hackers.

Ransomware attacks on non-profits have had a tremendous impact and carry substantial consequences. According to the 2023 UK Government Cyber Breach Survey, 24% of charities reported experiencing a breach or attack in the past 12 months in 2022. Beyond the financial implications, these cyber attacks also severely impact the operational capabilities of non-profit organizations. Adrien Ogée expresses concern over the growing realization among cyber attackers of the significant lack of security funding and support within non-profits. "Non-profits, with their very limited ability to protect themselves, are becoming increasingly attractive prey for criminals," adds Ogée.


2. Attack Case Analysis - Attack Type



To effectively discern phishing emails, it is crucial to understand the various types of attacks and hackers' intentions, and to implement proactive security measures as outlined in the International Telecommunication Union (ITU)'s international email security standards. These globally recognized standards, registered with the ITU, serve as a credible framework. This text analyzes real cyber-attack cases on non-profit organizations based on these international standards and provides insights into identifying attack types and implementing proactive responses.


Case: Ransomware Attack on The Edinburgh Festival Fringe Society in January 2022 - Malware Email Attacks (Zero-day Malware)

In January 2022, The Edinburgh Festival Fringe Society fell victim to a ransomware attack, resulting in £95,000 worth of damage to the charity. The attack rendered the organization unable to access critical internal HR, financial, and media and marketing archives spanning the past 20 years. The ransomware note, presumably sent by the Russia-linked Conti gang, was delivered through email, demanding a payment of $15,000 to regain network access. Despite the demand, the organization refused to pay, leading to recovery costs of approximately £65,000, with half of the expenses eventually covered by the insurer Chubb. This cyber-attack caused severe economic damage, requiring several months for the organization to fully recover.


The email security standard categorizes this type of hacking as [7. Threats for targeted email attacks - 7.1 Malware email attacks]. This involves a ransomware attack containing malware, which threatens to access, damage, or delete files and programs within the victim's computer system's memory. Though the standard does not explicitly specify whether the ransomware note is delivered through a URL or an attachment, the attack aligns with the characteristics of zero-day malware.


According to [7.1.1 Zero-day malware], the standard defines this as follows:

An email is sent with an attachment or clickable link that carries malware exploiting zero-day vulnerabilities, making it undetectable by security systems. This form of malware entices the user to click, ultimately gaining access to, damaging, or deleting files and programs within the victim's computer system's memory.


3. Attack Case Analysis - Solution


When we are busy, we all tend not to look at details closely, especially when a situation does not appear to be a major problem. It is too cumbersome to ask busy employees to perform a detailed forensic analysis to verify the legitimacy of emails. So, how can an organization protect itself from this kind of scam? Effectively countering these phishing emails involves analyzing sender information in advance, issuing warnings to users, and proactively responding to potential attacks. Achieving this requires compliance with [Security requirements for countering targeted email attacks] and [Countermeasures for targeted email attacks], as outlined in clauses 8 and 9 of the international standard.


First, to effectively respond to zero-day malware attacks, organizations should comply with the security requirements outlined in [8.1.1 Security requirements for countering zero-day malware attacks] as per the standard. The following steps are recommended:

Step 1: Implement a behavior-based analysis test to counter the threat of new malware attacks. This test is crucial for detecting viruses that are not registered in established patterns.

Step 2: Report descriptions of the behavior of newly discovered or detected malware through a manual or automated process. This reporting mechanism ensures a timely response to emerging threats.


Reflecting these security requirements, organizations can proactively respond to zero-day malware attacks by implementing solutions specified in [9.1.1 Countermeasures for zero-day malware] within the international standard. These countermeasures include:

● Through malware classification management, security administrators can configure emails that have been verified as unable to transmit malicious files and viruses, even if users request the resending of such emails.

● Multiple analysis tests detect unknown malware that may not have been captured in the primary test, combining both static and dynamic approaches. For example, test results can be categorized as 'forgery', 'memory access', 'hooking alerts', 'file creation', 'file deletion', or 'running processes'.
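The combination of a static test and a behavior-based test described above can be sketched as follows. This is an added example, not code from the standard or from any product named on this page; the event type names, the magic-byte table, and the blocking policy are assumptions made for illustration, and the sample input is constructed.

```python
import json

# Hypothetical mapping from sandbox event types to the article's categories.
EVENT_CATEGORY = {
    "mem_write_remote": "memory access",
    "api_hook": "hooking alerts",
    "file_create": "file creation",
    "file_delete": "file deletion",
    "proc_start": "running processes",
}

# Leading bytes -> extensions that legitimately carry them (static test).
MAGIC = {
    b"MZ": {"exe", "dll"},
    b"%PDF": {"pdf"},
    b"PK\x03\x04": {"zip", "docx", "xlsx", "pptx"},
}

def static_test(filename, head):
    """Flag 'forgery' when the extension disagrees with the file content."""
    ext = filename.rsplit(".", 1)[-1].lower()
    for magic, allowed in MAGIC.items():
        if head.startswith(magic) and ext not in allowed:
            return {"forgery": 1}
    return {}

def dynamic_test(events):
    """Count the behaviours observed while the attachment ran in a sandbox."""
    counts = {}
    for ev in events:
        cat = EVENT_CATEGORY.get(ev["type"])
        if cat:
            counts[cat] = counts.get(cat, 0) + 1
    return counts

def analyse(filename, head, events, delete_threshold=3):
    """Combine both tests; the blocking policy is an assumption of this example."""
    findings = {**static_test(filename, head), **dynamic_test(events)}
    block = ("forgery" in findings or "hooking alerts" in findings
             or findings.get("file deletion", 0) >= delete_threshold)
    return {"attachment": filename, "findings": findings,
            "verdict": "block" if block else "deliver"}

# Constructed sample: an executable named like a PDF that deletes user files.
SAMPLE_EVENTS = [{"type": "proc_start"}, {"type": "file_create"}] + \
                [{"type": "file_delete"}] * 4

if __name__ == "__main__":
    report = analyse("invoice.pdf", b"MZ\x90\x00", SAMPLE_EVENTS)
    print(json.dumps(report, indent=2))  # Step 2: behaviour description to report
```

The JSON report is the behavior description that Step 2 asks to be passed on, whether by a manual or an automated process.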


5. Conclusion



In the digital age, your data is as valuable as physical assets. As hacking techniques evolve into more sophisticated and advanced forms, awareness and vigilance are key to preventing cyber threats. Non-profit organizations, often alluring targets for cybercriminals, must guard against hacking attacks through a combination of robust security policies and education on international email security standards. Email security standards offer a comprehensive framework, providing both security requirements and solutions to combat various email attacks. Staying informed about these standards and continuously assessing email security in accordance with them represents a proactive approach against advanced hacking techniques. Initiating compliance with international email security standards can commence with a diagnostic evaluation of email security standards through Mail Inspector.


Reference

<Security requirements and countermeasures for targeted email attacks>

https://www.itu.int/ITU-T/recommendations/rec.aspx?rec=15710&lang=en

<Email-based Attacks Against Nonprofits Are On The Rise. Is Your Organization Vulnerable?> 

https://blog.techimpact.org/email-based-attacks-against-nonprofits-are-on-the-rise.-is-your-organization-vulnerable

<Ransomware Attacks on Nonprofits: Rarity or Regularly Hidden?>

https://www.asisonline.org/security-management-magazine/articles/2023/07/nonprofit-security/ransomware-attacks-on-nonprofits

<Nonprofit Cyber Attack Case Studies and Solutions>

https://blog.techimpact.org/nonprofit-cyber-attack-case-studies-and-solutions

<How Nonprofit Cyber Attacks Really Happen>

https://blog.techimpact.org/how-nonprofit-cyber-attacks-really-happen

<Nonprofits and Cyberattacks: Key Stats That Boards Need to Know>

https://www.boardeffect.com/en-gb/blog/nonprofits-cyberattacks-key-stats/

<BASIC CYBERSECURITY HYGIENE MEASURES COULD HAVE PREVENTED RANSOMWARE ATTACK, SAYS EDINBURGH FRINGE FESTIVAL BOSS>

https://eventsbase.co.uk/basic-cybersecurity-hygiene-measures-could-have-prevented-ransomware-attack-says-edinburgh-fringe-festival-boss/

<Philabundance falls victim to cyberattack, loses almost $1 million>

https://www.phillyvoice.com/philabundance-cyberattack-theft-1-million-dollars/

<Non-Profit Out $923,000 After Business Email Compromise Scam>

https://www.happierit.com/knowledge-center/breaches/philabundance-bec-scam

