A parliamentary committee has warned the UK is at risk of a “catastrophic ransomware attack”. So, what can organisations do about it?
Ransomware: whether you’re sick of hearing about it or intrigued by it, it’s impossible to ignore. This is especially true if you’re based in the UK, where a parliamentary committee has warned there’s a high risk of a “catastrophic” ransomware attack due to poor planning and lack of investment.
The issue is wide-reaching, the report says. “Large swathes” of UK critical national infrastructure (CNI), such as financial organisations and energy firms, remain vulnerable to ransomware. The problem is particularly severe in sectors relying on legacy IT systems, like healthcare and local government.
It’s no surprise that Russia is the UK’s most prominent adversary. The majority of ransomware attacks are perpetrated by Russian-speaking operatives approved by the country’s government as part of its continuing assault on the West.
The new warning comes as ransomware surges globally, with emerging strains of the data-locking malware and increasingly sophisticated business models adding to the pressure. So what does the report say, are its concerns justified, and what can organisations do to ensure they are as resilient as possible in the face of the growing risk?
The lifecycle of ransomware
David Wall, professor of criminology at the University of Leeds, describes the main stages of a ransomware attack in the parliamentary committee report:
- Reconnaissance: attackers identify potential victims and the access points within their networks.
- Initial access: this could be obtained via log-in credentials bought on the dark web or obtained through deception.
- Escalation: once inside, the attackers seek to escalate their access privileges to obtain critical organisational data, such as medical or law enforcement records. This might then be extracted and saved by the attackers.
- Activation: the ransomware is installed and activated, locking away key data or systems; at this point, the victim may become aware of the attack. The victim may be ‘named and shamed’ via the dark web, and they may see a message on their device.
- Ransom: the attacker will demand payment, usually in a cryptocurrency such as bitcoin, which is difficult to trace and may subsequently be laundered into more usable currencies. Even if the ransom is paid, the victim may not regain access to all their files.
Here are four key report takeaways and some handy tips to help tackle ransomware attacks.
The UK is at significant risk from ransomware
While all countries are at risk from ransomware, the report argues that the UK is particularly vulnerable. This is partly due to the widespread use of the English language. “English is the preferred language of attackers due to its commonality,” says Marc Lueck, CISO EMEA at Zscaler.
Companies in the UK are particularly valuable targets because the country hosts some of the world’s largest brands, says Matt Middleton-Leal, managing director of EMEA at Qualys. “As one of the world’s largest economies, companies here are going to be targeted because attackers think they can achieve a return at minimal risk.”
And the cost of launching an attack is low. Jeff Watkins, chief product and technology officer at xDesign, points out that ransomware attacks require “little investment from the attacking side.”
“The lack of support from the National Crime Agency (NCA) and National Cyber Security Centre (NCSC) means that if you are a victim, little help will be available to you,” he says.
The UK also has a skills gap in the cybersecurity sector. This means the country is “not only a large target but a soft one”, Watkins says.
Partnering is critical to tackling ransomware
Having a partner can be helpful in many areas of life, and that’s undoubtedly true for preventing damaging cyber-attacks. The committee highlights the need for the UK to work with international partners and the private sector to deter and disrupt ransomware attackers and hold them accountable.
Meanwhile, companies must ensure transparent reporting of ransomware attacks, collaborate with government initiatives, and contribute to threat intelligence to help reduce the burden.
The report suggests the real solution is to legislate and fund more central capability for resilience, compliance, response and recovery and offensive security to “disrupt attacks before they happen”, says Lueck.
To date, it appears the UK has followed a “legislate and hope approach”, he says, with “no real enforcement or compliance” with the Network and Information Systems (NIS) regulations. “Central funding has been lacking to implement compliance checking, and businesses need guidance on how to negotiate with a ransomware attacker and how to pay if they have to.”
Another factor is the public, who play a “critical role” in strengthening the cyber resilience of UK CNI, says Trevor Dearing, director of critical infrastructure at Illumio.
However, he highlights an embarrassing fact: “An awareness campaign only received 1.2 million views in two and a half years – less than 2% of the UK population and a fraction of the views that Love Island receives each night.”
Some sectors are more vulnerable than others
According to the committee, sectors classed as CNI (such as finance, health and energy firms) are more vulnerable than others. According to the report, supply chains are “particularly vulnerable,” and the NCA has described these as the “soft underbelly” of CNI.
This is because CNI firms and supply chains rely on legacy systems not designed to be connected to the internet. “Therefore, they lack in-depth network defences, leaving them incredibly vulnerable,” says Kevin Curran, IEEE senior member and professor of cybersecurity at Ulster University.
Considering this, it is vital for UK businesses to focus on ensuring they are not operating legacy infrastructure that might be subject to compromise, says Phil Robinson, principal security consultant at Prism Infosec.
In addition, security of the supply chain should be a priority for any firm. “There have been many high-profile attacks recently compromising suppliers to organisations with access into their systems, applications and data,” he warns.
Assess your own risk and apply appropriate security
While the report might seem alarming, it’s worth pointing out that the risk depends on several factors, including industry. The report focuses on resilience rather than cybersecurity.
Unlike cybersecurity, which centres on preventing breaches through measures such as patching, cyber resilience focuses on how easily and quickly a firm is able to bounce back after a successful attack, via measures such as incident response. “Businesses must assume that they will be breached and then plan for that eventuality,” Dearing says.
Cybersecurity training is also essential, and this should be aimed at the level of each employee, Curran says. “For example, it would be less valuable to teach non-technical staff about security operations. Cybersecurity training should be relevant to each employee’s role, simply addressing the security challenges they are likely to encounter in their work.”
Another thing worth noting is that cyber insurance providers will demand “an acceptable level of hygiene and resilience”, says Rob Demain, CEO of e2e-assure. This underscores the benefits of getting the basics right, he says. “If cyber insurance is currently unattainable, the goal should be to achieve minimal cyber protection. This will offer a higher chance of cyber insurance approval, reducing the risk of a cyber attack.”
The final word
The report makes several fair points, but it serves primarily as a warning to the government and critical sectors to pull their socks up.
More broadly, ransomware is developing and becoming increasingly sophisticated, which affects everyone. This makes it essential to know your own risk, apply basic cybersecurity controls, train your staff and ensure you keep up with the latest threats.
Top tips for mitigating ransomware
- Patch, patch, patch: Keep operating systems, software and applications current and patched. Set anti-virus and anti-malware solutions to update automatically, says David Dunn, head of EMEA cybersecurity at FTI Consulting.
- Test your systems: Perform penetration testing to assess the security of your systems and ability to defend against an attack, Dunn advises.
- Utilise multi-factor authentication: Ensure strong and unique passwords and use multi-factor authentication where possible.
- Train your staff: Train staff on how to spot phishing emails and malicious links that could lead to ransomware.
- Have a plan: Develop a ransomware response plan now, before an incident occurs.
- Make sure you are covered: Review your cyber insurance policy and make sure it covers ransomware.
- Use available resources: Read the NCSC’s Cyber Assessment Framework. Although the guidance is for “vitally important services and activities”, it will be helpful to all firms, Watkins says.