At the end of October, the British Library was revealed to be the victim of a ransomware attack. The fact that the fountain of UK knowledge was under attack was undeniably a huge symbolic blow. It’s certainly one of the UK’s most memorable cyber incidents of 2023, and the institution has been brought to its knees.
At the time of writing, the British Library’s website, online systems, and various onsite elements are all suffering issues. Hacker group Rhysida has claimed responsibility for the ransomware attack, stating it has “exclusive, unique and impressive data.”
The criminal gang has put the stolen data up for auction to the highest bidder, with an asking price of 20 Bitcoins, currently worth around £591,332.
But this is where things get even more interesting. The British Library revealed on November 20th that the leaked data was from its “internal HR files.” Not great, certainly, but also not as bad as feared.
Then, the plot thickened. The institution put out another note a week later (on November 27th) contradicting the former statement and saying that “some user data” had appeared online. So, right now, confusion reigns.
From an outside perspective, events could have been even worse. The British Library is one of the most prominent institutions of its type in the world, and Rhysida could have accessed and stolen incredibly damaging data. Let’s not get too far ahead, though. Just how terrible things will get remains to be seen.
These events got Assured Intelligence thinking: Is there such a thing as a ‘good’ or a ‘bad’ ransomware attack? How can businesses and organisations even quantify such a thing? And what can they do to prevent something like this from happening to them?
Let’s find out.
I put this question to David Emm, principal security researcher at Kaspersky. He tells me in no uncertain terms that “it [doesn’t] matter” — all ransomware attacks have “a dramatic effect on a business.”
Expanding on this, Emm explains that in many ways, it doesn’t matter how ‘good’ or ‘bad’ a ransomware attack is because, fundamentally, a company still needs to “remove the infection and restore the data from a backup … all of which [affects] business uptime.”
In other words, if they’ve been hit, they’ve been hit.
Chris Marks, principal outbound product manager at Parallels, agrees. “The harsh reality is that every ransomware attack can have a profound and wide-ranging impact on businesses.” He continues, “There’s always a price to pay that may not necessarily be financial.”
Hüseyin Can Yüceel, security research engineer at Picus Security, echoes this sentiment. He says it’s “rare for attacks to be less severe than feared.” Still, he has seen situations where some ransomware infections are easier to handle than others, specifically because of technical limitations in the malware itself.
Yüceel pointed to early versions of ESXiArgs ransomware. Because these only partially encrypted files larger than 128MB (encrypting small blocks and skipping long stretches in between), large virtual disk files were left mostly intact, and researchers were able to recover some of the affected virtual machines.
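To make that technical limitation concrete, here is an added Python model of the ESXiArgs partial-encryption pattern. It is not code from the article, from Picus, or from the ransomware itself; the parameters it uses (1MB encrypted blocks, files of 128MB or less encrypted in full, and a skipped gap of size_mb // 100 - 1 MB between blocks for larger files) are taken from published analyses of the malware’s encrypt.sh wrapper and should be treated as assumptions to verify against a captured sample. The point it shows is why recovery was possible: the encrypted volume stays roughly constant at about 100MB, so the larger the virtual disk, the larger the fraction that survives.

```python
"""Model of the ESXiArgs partial-encryption pattern (added illustration).

Assumed parameters (from public analyses of encrypt.sh; verify against a sample):
  - files of 128 MB or less: encrypted contiguously, i.e. in full
  - larger files: encrypt 1 MB, skip size_step MB, repeat, where
    size_step = size_mb // 100 - 1
"""
MB = 1024 * 1024


def size_step_mb(size_bytes: int) -> int:
    """Gap in MB left untouched between consecutive 1 MB encrypted blocks.

    Note the edge case: files between 129 MB and 199 MB yield a step of 0,
    so they are still encrypted end to end.
    """
    size_mb = size_bytes // MB
    if size_mb > 128:
        return size_mb // 100 - 1
    return 0


def encrypted_ranges(size_bytes: int) -> list[tuple[int, int]]:
    """Byte ranges [start, end) that the encryptor overwrites."""
    gap = size_step_mb(size_bytes) * MB
    ranges = []
    pos = 0
    while pos < size_bytes:
        end = min(pos + MB, size_bytes)   # one 1 MB block (or the file tail)
        ranges.append((pos, end))
        pos = end + gap                   # jump over the unencrypted gap
    return ranges


def encrypted_bytes(size_bytes: int) -> int:
    """Total number of bytes the encryptor actually overwrites."""
    return sum(end - start for start, end in encrypted_ranges(size_bytes))


def intact_fraction(size_bytes: int) -> float:
    """Fraction of the file left in the clear (0.0 = fully encrypted)."""
    return 1 - encrypted_bytes(size_bytes) / size_bytes


if __name__ == "__main__":
    # Constructed sample sizes: a small config file and three virtual disks.
    for label, size in [("vmx (64 MB)", 64 * MB),
                        ("vmdk (200 MB)", 200 * MB),
                        ("vmdk (1000 MB)", 1000 * MB),
                        ("vmdk (10 GB)", 10 * 1024 * MB)]:
        print(f"{label:16} step={size_step_mb(size):4} MB  "
              f"encrypted={encrypted_bytes(size) // MB:4} MB  "
              f"intact={intact_fraction(size):.1%}")
```

Running the block prints a table showing that a 200MB file loses half its contents, a 1GB file about a tenth, and a 10GB disk about 1%. That is the “get-out-of-jail-free” card Yüceel describes: with most of the flat disk data untouched, a VM could be rebuilt from what survived.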
Unfortunately, this type of lucky escape is getting rarer. With ransomware groups like Rhysida becoming ever more sophisticated, there’s not often a ‘get-out-of-jail-free’ card like the one ESXiArgs provided. When attacks like the one on the British Library happen, it’s hard to see the bright side.
This leads us to another question: if, as the experts posit, all ransomware attacks are bad, how can businesses actually quantify their impact?
A big part of answering this question revolves around how prepared an organisation is. When speaking with Jay Coley, senior security architect, EMEA at Fastly, he says that quantifying attacks is manageable when organisations follow good practices.
If, for example, the company uses network segmentation, monitoring, and system isolation, professionals can understand what the ransomware affected and act accordingly.
But what happens if a company doesn’t have robust security like this in place?
In that instance, Mark Hughes, global security lead at DXC Technology, suggests it’s “best to look at the financials.” This includes working out lost earnings, the costs of upgrading security platforms, and the potential ransom paid.
“This makes it easy for executives to understand the bottom line impact,” Hughes explains.
It’s a wise approach, but he adds, “There are also several indeterminable costs which make it almost impossible to put an exact figure on the true impact of an attack.”
This is where businesses need to figure out what to do without the necessary data.
Businesses hit with ransomware have a tough decision to make. They must balance the severity of the stolen data against the disruption their business faces if they completely shut down.
This uncertainty causes some companies not to bother making this calculation.
“Even though the British Library attack turned out to be not as serious as first thought, attacks like this can still cause disruptions in services,” Chris Hauk, consumer privacy advocate at Pixel Privacy, says, “which is why some organisations will immediately pay a ransom before learning the severity of the attacks.”
The problem is that this doesn’t always go to plan.
“In many cases, organisations are hit with a double whammy, facing having their data breached and put up for sale, while also being hit by a demand for ransom to unencrypt their data.”
Emm from Kaspersky tells Assured Intelligence that while the cost of a ransomware attack tends to be “the most dramatic aspect” of the saga, people focus on it too much. In reality, “it’s just the visible tip of the iceberg,” he argues.
For businesses, that’s a terrifying thought.
Organisations thrive on structure. They’re run via predictions and spreadsheets and are often risk-averse. Yet, try as they might, no formula can tell them how to act in a ransomware attack. Measuring disruption versus severity of data leaked is hard, but clarity is nonexistent when dealing with a criminal organisation.
That is why the best way to deal with ransomware attacks is also the simplest: preparation.
To be adequately prepared, Hauk from Pixel Privacy says, “Organisations need to have a strong, workable recovery plan in place, including full system and data backups, allowing them to quickly recover from ransomware attacks.”
Beyond this, Hauk, Hughes, and many other experts we talked to pointed to two other vital elements: keeping systems updated and educating employees.
Patching closes newly disclosed software flaws before attackers can exploit them, and training reduces the chance that a phishing email targeting an employee gives them their initial foothold.
In terms of more specific approaches, Coley from Fastly points towards network segmentation, which can “reduce the blast radius of a ransomware attack,” and endpoint detection and response (EDR), which can provide companies “an early warning on potential malicious activity, allowing for remediation before any ransomware detonates.”
As reassuring as it is to rank or quantify the impact of specific ransomware attacks, the cruel reality is that these variances are minor. Even the ‘best case’ successful ransomware attacks are incredibly damaging, not just in terms of the severity of the data lost but also in the impact on the wider business.
You only need to look at how the British Library has struggled to ascertain what data was accessed as an example of this ‘always bad’ nature of successful ransomware attacks.
The more prepared a business is for cyber threats, the less it has to worry about. The only ‘good’ type of ransomware attack is one that doesn’t happen at all.
Put another way, failing to prepare means companies are simply preparing to fail. A cliché? Certainly. But is it any less true for it? Not one bit.