Manchester United email servers remain offline amid what is being called a 'ransomware' attack
UK data watchdog has been told and 'forensic' probe is ongoing
Players' managers looking to lift salaries by a couple of million pounds or so better check their email read receipts: a full week after Manchester United was hit by hackers, many of its systems remain offline, with at least one report claiming the club is being shaken down for ransom.
The malware hit the New York Stock Exchange-listed football business last Friday and it confirmed the attack that night.
Today, scare-mongering UK national paper the Daily Mail claimed this was because the club was actually being held to ransom. "United's network has been infected by ransomware – a computer virus – and they now face the option of having to pay up or risk seeing highly sensitive information about the club and its stars leaked into the public domain," said the newspaper in this morning's report.
Manchester United working with infosec experts to 'minimize ongoing IT disruption' caused by 'cyber attack'READ MORE
In a statement, the football club told The Register: "Following the recent cyber attack on the club, our IT team and external experts secured our networks and have conducted forensic investigations. This attack was by nature disruptive, but we are not currently aware of any fan data being compromised."
The Register asked whether player or employee data had been compromised and a club spokesman declined to comment.
The Man U statement continued: "Critical systems required for matches to take place at Old Trafford remained secure and games have gone ahead as normal. The club will not be commenting on speculation regarding who may have been responsible for this attack or the motives behind it."
We understand that staff will be paid as normal and that the club's email servers were shut down as a precautionary measure, while investigators have not yet announced what the attack vector was.
The club spokesman would again not be drawn on whether or not the attack was ransomware as reported but reiterated the club has informed the Information Commissioner's Office of the attack, something that is mandatory for organisations to do if personal data is compromised in a data security incident.
Jon Niccolls, EMEA & APAC incident response lead at Check Point, told The Register: "It's not a surprise that the attack which hit the club is reportedly a 'double extortion' ransomware attack, where the hackers both steal data and threaten to leak it unless their demands are met, as well as encrypting it to disrupt normal operations. These attacks were first seen a year ago, and have been a fast-growing trend in 2020 because they put extra pressure on organizations to pay the ransom or risk large fines from data watchdogs if large volumes of individuals' data is compromised."
Cyber attacks that take more than a few days to clean up and restore from do tend to be ransomware, though there is no proof either way in Man United's case so far.
The National Cyber Security Centre is helping the club figure out what happened and how to recover from it. A spokesperson said: "The NCSC is aware of an incident affecting Manchester United Football Club and we are working with the organisation and partners to understand impact."
Earlier this year the NCSC warned that football clubs were particularly vulnerable to internet-enabled skulduggery including business email compromise attacks, thanks chiefly to the large sums of money washing around the sport and its habit of moving said large sums at predictable times such as transfer deadline day.
The aftermath of a ransomware attack can be painful for a few days if done from backups, or it can be devastating. Earlier this week French-headquartered IT outsourcer Sopra Steria said cleaning up a Ryuk infection would cost it €50m and bust its cyber-insurance limit by €20m. ®
While the Daily Mail quoted no sources nor gave any details about how it was able to state that the attack was ransomware, it also published an unintentionally amusing article bylined to an anonymous "cyber security expert". Some samples include:
"If the virus is ransomware there will be a demand for money. I would put my house on it being in the millions, and 99 times out of 100 it's Bitcoin (cryptocurrency) because that is the hardest to trace."
"There's no phone call or verbal communication. A little face or symbol will appear telling you that your system is being attacked by group A, B or C, so pay this amount to unencrypt it."