Billy the Puppet

Opinion: How where you work could define the threats you face

Today, there are a huge number of different ransomware families that are active around the world and this has been compounded by the rise of ransomware as a service. Each of these have their own methods of attack and ways of spreading.

Growing problem

This year alone, reported ransomware attacks on businesses in the UK swelled by 195%. With over 6 million attacks recorded in the first half of 2019 alone, it leaves the UK (along with the US) as the most targetted country in the world.

Interestingly, where your business operates seems to be a big factor in deciding the ransomware you’ll face.  

Malware for hire

A recent report by analysts, Malwarebytes, looked at the distribution of malware across the world, breaking this down by country and region.

One of the first points of note was that a significant number of UK attacks were caused by malware that had been ‘hired’. Indeed, the most popular across all regions, and indeed across Europe as a whole, GandCrab and Cerber were both distributed as ransomware as a service.

But that doesn’t give the whole picture for UK businesses. Indeed, for the top five most targeted regions in the UK, the types of malware used differed considerably.

Regional flavours

While GandCrab made up a large slice of the attacks against organisations in Manchester and inner London, there were no recorded attacks in Outer London, Reading or Leeds.

And, although a ransomware strain known as BTCWare, made up 80% of the attacks against organisation based in Reading, it didn’t feature anywhere else in the UK (nor curiously in any of the EMEA analysis).

It’s one of the older ransomware families and targets Windows-based systems by brute-forcing weak remote desktop protocol (RDP) passwords.

For the Leeds region, a strain called Locky – which often takes the form of an invoice document requiring payment – made up 18% of attacks and was as popular as Cerber. Yet, Locky didn’t feature in any other of the top five most targeted regions.

One of the most recognisable strain – Jigsaw – uses “Billy the Puppet” in it’s ransom note

Similarly, Jigsaw – one of the most recognisable and volatile ransomware strains – is also popular in a specific region. This family is known for adopting the fictional villain “Billy the Puppet” from the Saw film series, a picture of which is included in the ransom note.

It appears as the second most popular malware for organisations in the Manchester region, and yet doesn’t feature in any other region.

Defending against malware

Of course, the best defence against this sort of attack is to have a robust security tools in place to prevent the ransomware from being downloaded or, as a fall back, triggering if accidentally downloaded.

It’s a key element of the work the NEP is doing across policing and will help ensure forces are protected. The National Management Centre (NMC), which is being rolled out across police forces in England and Wales, provides forces with a nationally-supported cyber security protection facility.

The NMC utilises a range of security tools, technologies and a specialist team of analysts that together are responsible for monitoring, hunting and helping to detect unknown, sophisticated and evasive cyber security threats. Together they will help police forces ensure these threats can be locked down and eliminated before they can cause damage and disruption. The NMC is the first step in the work the NEP is doing to help police forces transform the way they securely and safely work and collaborate, which is a foundation for delivering the Policing Vision 2025.

Back to top
Back to top


Sign up to make sure you get all the latest straight to your inbox