In the annual security lecture to the Royal United Services Institute (RUSI) in June, the Chief Executive Officer of the National Cyber Security Centre (NCSC), Lindy Cameron, declared that the primary threat to the UK ‘is not state actors but cyber-criminals, and in particular the threat of ransomware’. It is certainly proving profitable for the cyber-criminals with millions being stolen, often through cryptocurrencies. The actual amount is hard to establish as threats often go unreported and payments unacknowledged in the face of official advice not to pay.

The scale of the problem

From recent reports that do reach the open press, the scale and impact are colossal and international. On 7 May the Colonial Pipeline in the US paid $4.4m to cyber-attackers: the FBI managed to retrieve about half of this, but disruption to vital services lasted several days. The Irish Health Service Executive was attacked on 14 May for £16.5m, while JBS, the world’s biggest meat producer, was hit on 2 June for $11m. In the Irish case, payment was withheld but services had still not returned to normal a month later. Over a weekend in early July, more than 800 supermarkets in Sweden were forced to suspend trading when cash tills were compromised by a ransomware attack on a US software company; the attack affected over 1,000 businesses, mainly in the US, and came with a demand for $70m.

According to the UK’s Information Commissioner’s Office (ICO), 144 ransomware incidents were recorded in the first quarter of this financial year (out of a total of 2,552 cyber and non-cyber incidents). This is probably the tip of the iceberg, as reporting to the ICO is required only when there is a threat to people’s safety, rights or freedoms. Besides health and education, local authorities are recorded victims: almost any organisation or sector can be attacked.

Hacking into supply chains and third-party providers can often provide the criminals with access to key targets – solicitors and lawyers can open clients’ doors. Moreover, amounts need not be large if repeated at scale. Yet, in a RUSI study (2020) around 60% of victims were based in the US or had their headquarters there, perhaps reflecting the location of wealthy targets. Reconnaissance before an attack in order to identify the most business-critical information and weak entry point is a technique that has been observed.

A co-ordinated response

What can be done to limit the damage from ransomware? At the top end, the UK Government’s cyber-security strategy has been reinforced with plans outlined in the Integrated Review in March. This document talks of overarching objectives to ‘strengthen the UK’s cyber ecosystem’ while ‘detecting, disrupting, and deterring’ through ‘a whole-of-cyber approach’. A National Cyber Force, formed in 2020, brings together defence and intelligence capabilities, while the NCSC provides valuable information on the threat from ransomware and on how to defend against ransomware attacks.

On the commercial side, all businesses, as potential targets, have a responsibility to protect themselves. Many ransomware attacks are unsophisticated and exploit basic security lapses which can be eliminated by good cyber measures and hygiene. Hence, simple, routine measures to protect systems and software are important. Remote working has certainly increased the opportunities for the criminals, so companies can help themselves by ensuring that employees, wherever they are working, abide by the right security protocols and apply the right software. However, with a plethora of cyber-security solutions on offer, it is sometimes hard to ascertain their effectiveness and suitability.

There is also a role for the insurance industry in mitigating the threat. Cyber-cover has become one of the fastest-growing insurance markets, with businesses, particularly those involved in e-commerce, trying to protect themselves against the high financial costs of data breaches and ransomware attacks. According to estimates from Munich Re, the cyber-insurance market was worth $7bn and could be worth $20bn by 2025. However, if the insurers’ response is simply to pay up, that will not help address the fundamental problem.

There is no straightforward answer to ransomware and every part of government and business must play a part in ensuring systems are resilient. As the CEO of the NCSC said in her speech: ‘A co-ordinated response on ransomware, involving these key players, would have the added benefit of helping us meet broader national and strategic international objectives, making the UK a more resilient and prosperous place to live and do business online.’

Note: Invited Resilience First members will receive an e-briefing from the former Director of Europol, Sir Rob Wainwright, on the issue of ransomware on 16 July.