UK Education Sector Suffered Most from Ransomware in 2022

The education sector in the UK was hit far more by ransomware than in other countries last year thanks to targeting by the Vice Society group, according to Malwarebytes.

The security vendor’s latest findings from April 2022 to March 2023 are based on known attacks where victims opted not to pay a ransom, so the real figures could be even higher.

It revealed that the education vertical accounted for 16% of attacks in the UK compared to 4% in France and Germany, and 7% in the US.


Malwarebytes claimed this disparity was primarily down to Vice Society.

“The UK is one of Vice Society’s favourite targets, accounting for 21% of the group’s known attacks in the past 12 months, a close second to the US which accounted for 23%, and vastly more than the next country, Spain, which accounted for 8%,” it explained in a blog post.

“Sadly, Vice Society’s disproportionate interest in the UK lands squarely on the education sector. Some 76% of Vice Society’s known attacks in the UK over the past 12 months hit the education sector, and Vice Society was responsible for 70% of known attacks on UK education institutions.”

Vice Society uses tried-and-tested tactics in its attacks, such as phishing, compromised credentials and exploits for initial access, and legitimate tooling like Windows Management Instrumentation (WMI) for post-intrusion activity, Malwarebytes explained.

“We can only speculate about why Vice Society has such an appetite for UK schools, colleges and universities, but we know the sector is not exactly awash with money,” the vendor continued.

“In 2021, this author interviewed a number of people involved in providing cyber protection for UK schools. The picture in each was the same: cybersecurity was one responsibility among many being carried by very small numbers of IT staff who were under tremendous pressure and ill-equipped to fight off the attentions of a ransomware gang like Vice Society.”

Overall, the UK suffered more ransomware attacks than any other country bar the US over the past 12 months, although there was a significant gulf in attack volumes between the two. However, when measured by economic output, the two countries are virtually neck and neck, with Canada and Spain the hardest hit globally.

When assessed per capita, the US is once again the most attacked country, followed by Canada, Australia and then the UK, according to the report.

Superyacht-Maker Hit by Easter Ransomware Attack

A noted maker of luxury yachts for the super-rich suffered a ransomware attack over the Easter weekend, although it is not clear if sensitive customer information was stolen.

Founded in 1875, German shipbuilder Lürssen is said to make annual revenue close to €2bn ($2.2bn) and will doubtless have a list of exclusive clients, making it an attractive target for digital extortionists.

“In coordination with internal and external experts, we immediately initiated all necessary protective measures and informed the responsible authorities,” a spokesperson reportedly said in a brief statement.

The Bremen-headquartered firm has made many of the world’s largest superyachts, although it also produces sea-going vessels for the German navy.

Local reports suggest that the attack has brought much of the firm’s operations to a standstill, with its Lürssen-Kröger shipyard in Schleswig-Holstein one of the few parts of the company still operational.


The attack follows similar extortion attempts targeting other luxury brands including Ferrari, Moncler and Zegna.

In the case of Moncler, some data on employees and customers was leaked to the dark web following the breach.

Darren Williams, CEO and founder of Blackfog, said Lürssen’s attackers likely singled the firm out as a potentially lucrative target.

“Attackers do not discriminate – one could say, except for where the dollar sign is at play, with the link between ransomware and sectors involving the super-rich becoming increasingly prevalent,” he argued.

“Without the latest anti-data exfiltration tools in place, and a solid backup/incident response plan ready for the darkest hour, even organizations with some of the highest capital worldwide cannot claim immunity to cyber-attacks.”

There is evidence to suggest that ransomware actors are upping their extortion demands as fewer victims are paying and more organizations improve baseline security.

A recent Trend Micro study revealed that each victim that pays is effectively subsidising attacks on an additional 6–10 organizations.


Latitude Financial Admits Breach Impacted Millions

Latitude Financial has revealed that a cyber-attack announced earlier this month resulted in the theft of over 14 million customer records, including sensitive personal information.

The Melbourne-headquartered consumer lender said in a statement today that hackers took 7.9 million Australian and New Zealand driver’s licence numbers, 40% of which were submitted to the firm in the past 10 years.

An additional 6.1 million records dating back to 2005 were also stolen, of which 94% were provided before 2013. However, many of these will still be valid, as they contain personal details such as name, address, telephone number and date of birth.

Some 53,000 passport numbers were also stolen, as were the financial statements related to “less than 100 customers.”

Originally, Latitude Financial claimed the breach had resulted in the loss of only around 100,000 identification documents and 225,000 customer records.


Although it claimed no suspicious activity has been observed since March 16, the firm will likely face a significant fall-out from the incident.

Customers are likely to be bombarded with convincing phishing attacks using the stolen data to obtain financial details, while scammers could also buy the information online to attempt identity fraud.

Latitude Financial CEO, Ahmed Fahour, described today’s news as “hugely disappointing” and apologized to affected customers.

“We are committed to working closely with impacted customers and applicants to minimize the risk and disruption to them, including reimbursing the cost if they choose to replace their ID document. We are also committed to a full review of what has occurred,” he added.

“We urge all our customers to be vigilant and on the look-out for suspicious behavior relating to their accounts. We will never contact customers requesting their passwords.”

Attackers reportedly managed to obtain Latitude employee credentials to access the documents, although it’s not clear exactly how.

Latitude Financial is Australia’s largest non-bank lender and provides buy now, pay later (BNPL) services to a string of popular domestic retailers.

At Least 30% of

Female participation in cybercrime is far higher than in crime as a whole, according to a new report which raises some interesting questions about possible gender bias in investigations.

Trend Micro used machine learning web service Gender Analyzer V5 to analyze text written by 50 random users of the Russian-language XSS forum and 50 users of the English-language Hackforums site.

It revealed that 30% of those XSS forum users were women, rising to 36% of Hackforums users.

“Our control group consisted of 10 aliases that posted their gender profiles online and identified themselves as women from XSS and Hackforums,” the report noted. “When we ran posts from these users through the text analyzer, results indicated that all the aliases were classified as female with an average classifier percentage of 82.4%.”

The report authors also used a separate AI tool to ascertain the gender of cybercrime forum users. Semrush is billed as a search engine marketing solution. It uses machine learning algorithms to analyze data from social networks and other third-party sources, in order to determine the demographic information of web users, such as gender.

Its analysis claimed an even higher percentage of dark web forum users were women: 41% of XSS users and 40% of Hackforums users.

By contrast, 4–8% of the prison population in the UK, Russia and US is female, according to data cited in the report.

If accurate, the findings would also indicate that a higher percentage of women participate in cybercrime than currently work in the cybersecurity industry. The latest estimates from ISC2 put this figure at around 24%, although it does rise to 30% in the under-30s.

Trend Micro argued that the cybercrime economy appears generally welcoming of all individuals as long as they have the right skills and experience.

That should be a reminder to investigators never to assume a malicious actor’s gender, it concluded.

“It is our recommendation for all investigators to avoid assumptions of male personas while carrying out their work (such as referring to a suspect as ‘he’ or ‘his’) as this creates an inherent bias as they progress their case,” the report noted.

“We suggest instead to use ‘they,’ which will not only cover any gender involved, but also force investigators to factor in that more than one person may be behind a single moniker under investigation.”

Cyber-Attack Surface “Spiralling Out of Control”

Global organizations are still beset with cyber visibility and control challenges, with two-fifths (43%) admitting their digital attack surface is out of control as a result, according to new Trend Micro research.

The security vendor polled over 6200 IT and business decision-makers to compile its new study, Mapping the digital attack surface: Why global organisations are struggling to manage cyber risk.

It revealed that nearly three-quarters (73%) are concerned about the increasing size of their attack surface. Over a third (37%) said it is “constantly evolving and messy,” and just half (51%) thought they were able to fully define its extent.

These visibility challenges are greatest in cloud environments, although problems persist across the board. The report highlights complex supply chains, tool bloat and home working-driven shadow IT as additional contributory factors.

On average, respondents estimated having just 62% visibility of their attack surface.

The continued practice of manual (24%) and regional (29%) attack surface mapping is also hampering efforts to gain comprehensive insight and eliminate data silos, especially for global organizations – two-thirds (65%) of which admitted the scale of their operations causes additional challenges.

“There’s a sense that major investments in IT modernization over the past few years have created a momentum that is increasingly difficult to manage,” the report noted. “Gaining visibility … is surely the first step towards effectively mitigating risk.”

Yet over half (54%) of responding organizations said they don’t believe their method of assessing risk exposure is sophisticated enough. This is borne out by other stats from the report, notably that almost two-fifths (35%) only review or update their risk exposure monthly or less frequently.

Last December, the head of MI6, Richard Moore, warned in a rare public speech that “the digital attack surface that criminals, terrorists and hostile states threats seek to exploit against us is growing exponentially.