Ransomware-based attacks are fast becoming the number one security issue for businesses and public sector organisations alike. In the recent Ransomware Response and Recovery report, Accenture’s Cyber Investigations and Forensic Response (CIFR) team observed a 160% year-on-year increase in ransomware events in 2020, with little signs of any slowdown in early 2021.
With this increase in activity comes a significant rise in associated costs. One estimate suggests that the global cost of ransomware will exceed £265 billion by 2031 [1]. Of course, this will include any ransom paid, but the indirect costs will usually be greater and are often less well understood. These costs can include disruption to service, loss of data, legal and regulatory sanctions, litigation and reputational damage.
This impact is also often felt far beyond the organisation that was originally targeted. When subject to a ransomware attack, the owners of the Colonial Pipeline in the US pre-emptively shut the pipeline down [2]. The resulting squeeze on fuel meant some long-haul flights were cancelled and worries about shortages led to stockpiling that caused the price of petrol to jump dramatically. Incidents like this make it clear that ransomware attacks are a societal threat, not just a concern for individual organisations.
So, what should the UK Government’s role be in combatting that threat?
Protecting government departments
First and foremost, UK Government organisations of all shapes and sizes should continue to take steps to improve their own security. We are increasingly seeing attackers ‘right-sizing’ their demands, so attacks are no longer limited to organisations, such as financial institutions, who can afford huge pay-outs. Now, attacks are as much a threat to organisations like universities who might not have been traditional targets, but whose systems do process and store data on thousands of students and contain intellectual property and research data potentially worth millions of pounds.
This trend is further compounded by the recent increased demand for ransomware-as-a-service and a broadening and evolving threatscape. Now, the barriers to entry for potential attackers are lower than ever - criminals can simply buy pre-coded malware and the tools they need on the dark web. Additionally, threats are going beyond IT to new technologies and platforms, such as IoT devices, as criminals re-invest and improve their tools and techniques.
Given how critical the services public sector organisations provide are and the sensitivity of their data, organisations of all sizes need to take some key steps to protect themselves:
- Address the basics. Keep security hygiene up to standard, maintain controls, continue patching and ensure visibility into and protection of sensitive data.
- Prevent and protect. Increase confidence through continuous validation and testing of your defences. Train and test employees frequently.
- Map your operations. Model the threat against your operations and understand how legacy IT obsolescence could help enable surprising new opportunities to attack systems.
- Collaborate widely. Work with Legal, Communications, senior management and external service providers, so everyone knows what they need to do during an event.
- Prepare continually. Use planning and validation as an opportunity to constantly measure and improve resilience and adjust your course over time.
Due to the relatively small size of some public sector organisations, like local councils, there will need to be a certain degree of coordination and centralised support from government. And this is a principle that it’s important to extend beyond the public sector.
Leading the response to ransomware
As well as protecting its own services and resources, the UK Government has a growing role to play in providing leadership for how organisations of all types respond to ransomware.
Firstly, it has an important role as an intersectoral hub of insight and education. This should include best practice for dealing with attacks as well as information on specific new risks arising. Cyber security was noted as a major pillar in the recent Integrated Review of Security, Defence, Development and Foreign Policy [3], and the collaborative approach outlined here will be essential.
One example of how the government can take a leading role is by looking to potentially mirror the recently set up US Department of Justice Ransomware and Digital Extortion Task Force. The aim of the task force is to "bring the full authorities and resources of the Department to bear to confront the many dimensions and root causes." It will also have a key focus on enhancing training with more emphasis on intelligence sharing [4]. The UK itself has good capability across several of its agencies, but formally combining these with a dedicated focus on combating ransomware threats could prove to be a key weapon against the increasingly sophisticated attackers in this field.
Secondly, the government has a clear role in setting standards and establishing best practices. The United States federal government has released an advisory [5] reminding CISOs that by financing terrorism or financing banned organisations in the payment of a ransom, they are committing an offence.
This is a hard line to take, but there is good cause to discourage ransom payment. Increasingly we’re seeing “double hit” attacks where companies can find themselves targeted several times in quick succession by different actors – if one attack is successful and results in payment, others will be tempted to try.
We’re already seeing strong responses from individual agencies. When asked to pay a ransom for thousands of stolen files, the Scottish Environment Protection Agency (SEPA) refused and instead focused on recovery and supporting the organisations and individuals who saw their data published online [6]. This approach should be endorsed and potentially mandated by central government alongside clear guidelines for how departments respond to attacks.
The proposed update to the Computer Misuse Act could also be leveraged as a timely mechanism for the UK Government to set these standards more widely. Not only could this set out a more stringent approach to criminal actors, but it could also prohibit the payment of any ransom, with stricter guidelines on the enforcement of this provision. Similar provisions already exist, but this is an opportunity for the UK Government to take a very visible stand.
Ransomware impacts everyone in unexpected ways. And the government has a vital role to play in tackling it. The Ransomware Response and Recovery report looks at the risk and lays out clear steps to protect and respond to this growing challenge. If you would like to discuss what the findings mean don’t hesitate to connect with either Mark or Freha to discuss further.
[1] The cost of ransomware attacks worldwide will go beyond $265 billion in the next decade
[2] US fuel pipeline hackers 'didn't mean to create problems'
[3] Global Britain in a competitive age
[4] DOJ creates ransomware task force to combat digital extortion
[5] Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments
[6] Cyber criminals publish more than 4,000 stolen SEPA files