Earlier this year I wrote a blog post about the Manchester City Billion Pound Hack, which explored cyberattacks within elite football. Now it is the turn of City's big rivals Manchester United, after they reported their IT systems had been impacted by a cyber-attack, widely reported in the UK media as a cyber-extortion attack.
In the last couple of years, cybercriminals have significantly ramped up efforts in targeting UK businesses with cyber extortion attacks, using ransomware and the theft of confidential data to pressure their victims into paying large ransoms anonymously in Bitcoin. Many businesses have been quick to pay out ransoms after their operations ground to a halt because ransomware had rendered their IT systems unusable, and also to stop the cybercriminals from dumping their confidential data on the internet.
In July 2020 the UK National Cyber Security Centre (NCSC) published a report specifically warning that cybercriminals were targeting UK sports teams with ransomware attacks. This NCSC report cited a ransomware attack against an unnamed English Football League club, which crippled their IT systems to the extent it stopped their turnstiles from working and almost led to the cancellation of the league fixture, which would have cost the club hundreds of thousands of pounds in lost income. NCSC reported it suspected cyber attackers gained access to the football club's network either by a phishing email or by a remote access system connected to the club's CCTV system. That access was used to spread ransomware across the entire football club IT network. It is understood the cybercriminals behind the attack demanded 400 bitcoin (over £300,000), which was not paid. It seems Manchester United have been targeted similarly.
In a statement on 20th November 2020, Manchester United stated,
'Manchester United can confirm that the club has experienced a cyber attack on its systems. The club has taken swift actions to contain the attack and is currently working with expert advisers to investigate the incident and minimize the ongoing IT disruption.
Although this is a sophisticated operation by organized cyber criminals, the club has extensive protocols and procedures in place for such an event and had rehearsed for this risk. Our cyber defenses identified the attack and shut down affected systems to contain the damage and protect data.'
Despite the assurances in the statement, the cyber-attack does not appear to have been contained and recovered from as yet, as the Daily Mirror and the Daily Mail reported on 28th and 29th November 2020 respectively that hackers had accessed the club's scouting system's 'confidential information on targets and scouting missions'. Several UK newspapers also reported the club's email system remains disabled.
As yet, no details have been released about the cyberattack ingress method, the malware used or the suspected perpetrators behind the attack. When asked for details, Man Utd stated 'The club will not be commenting on speculation regarding who may have been responsible for this attack or the motives behind it.' Without any details of the cyberattack released by the club or leaked, at this stage it's difficult to draw any conclusions, but we can speculate.
The likely suspect is a variant of the Ryuk ransomware, possibly orchestrated by the Ryuk criminal group, together with the recently reported resurgence of the Emotet trojan last month. Emotet is a common dropper of ransomware. It was a new variant of the Ryuk ransomware that was behind a cyberattack on digital services firm Sopra Steria in October 2020. Another common ransomware culprit is Trickbot; however, Microsoft and their partners took action last month to disrupt the Trickbot botnet.
No details have been released on how much this incident is costing Manchester United nor the ransom fee being demanded. The media have speculated the ransom fee to be in the millions, likely based on that recent NCSC report, which stated an EFL club faced a £5 million ransom from cyber attackers.
If this attack is found to have breached Manchester United fans' data protection rights under the UK Data Protection Act (GDPR), the club could face a fine of up to £18m or 2% of their total annual worldwide turnover by the UK Information Commissioner's Office. Further, given Manchester United are listed on the New York Stock Exchange, the club could face additional penalties under US legislation if they decide to pay the ransom fee, with a fine of up to £15m ($20m).
The US Office of Foreign Assets Control (OFAC) warned that paying the ransom demand would only boost the criminals’ finances and encourage them to strike again elsewhere, stating,
‘Facilitating a ransomware payment that is demanded as a result of malicious cyber activities may enable criminals and adversaries with a sanctions nexus to profit and advance their illicit aims.
Ransomware payments may also embolden cyber actors to engage in future attacks.’
The last sentence of the OFAC statement makes an essential point: many organisations are giving in to cyber-extortion demands and paying up, and that is fuelling further attacks.
If it was made illegal in the UK to pay a cyber extortion payment, that law would both remove the temptation of giving up on recovery and paying ransoms, and push UK organisations into investing in and deploying the appropriate level of cybersecurity controls to counter the risk, as there are simple security controls which can adequately thwart the risk of successful ransomware and data theft attacks. The simple truth is most ransomware and data theft attacks aren't really 'sophisticated'. Successful attacks can be prevented by applying security control basics, such as continually patching IT systems (esp. internet-facing remote access VPN appliances), deploying anti-virus and keeping it up-to-date, blocking suspicious external emails, and ensuring staff have a good level of security awareness, particularly in their ability to spot phishing emails.
Without pushing down global criminal threat actors' 'Reward Vs Effort' reasoning, we can expect to see further high-profile businesses like Manchester United targeted with cyber extortion attacks, which ultimately cause significant reputational and financial damage to their organisations.