Who is behind the latest wave of UK ransomware attacks?

    Stuart O'Brien

    Ransomware attacks in the UK hit record levels last year, according to data from the Information Commissioner’s Office. These attacks potentially exposed the private information of over 5.3 million individuals across more than 700 organisations.

    Unfortunately, this concerning trend has continued into this year, with prominent companies and public bodies falling victim to ransomware attacks in the UK, including the Royal Mail, Capita, and the Barts Health NHS trust.

    Just last month, the Police Service of Northern Ireland faced a significant data breach when the surnames and initials of 10,000 police employees were accidentally disclosed in response to a Freedom of Information request.

    On Thursday, Greater Manchester Police became the latest target of a ransomware attack. The breach means thousands of police officers’ names, photos, and serial numbers are at risk of becoming public knowledge. While the names of many officers are publicly available, there is particular concern regarding the identities of undercover officers.

    Ian Reynolds, Director and cybersecurity expert at SecureTeam, clears up the jargon and explains how businesses can prevent and respond to ransomware attacks…

    What is a ransomware attack?

    Ransomware is malicious software that infiltrates an organisation’s computer network, commonly gaining entry through a phishing attack. In this type of attack, victims are tricked – often via deceptive emails or downloadable files – into downloading malware. Cybercriminals may also exploit vulnerabilities within operating systems or software applications.

    Once inside the network, the malware proceeds to encrypt the data on the affected computers, effectively locking the files and rendering them inaccessible.

    The cybercriminals will then offer an ultimatum: pay a ransom, usually in cryptocurrency, in exchange for a decryption tool or key. This decryption tool is the only means by which the victim can regain access to their data. The ransom demand, usually delivered through a pop-up message or a text file, may be accompanied by threats and intimidation intended to coerce the victim into making the payment more quickly.

    According to the Information Commissioner’s Office (ICO), 706 ransomware incidents were reported in 2022, an increase from 694 reported in 2021.

    Have police forces been targeted deliberately?

    Ransomware attacks are prevalent across the public and private sectors, indiscriminately targeting businesses and organisations of all sizes. According to the Information Commissioner’s Office, the retail and manufacturing industry is more vulnerable than any other UK sector to ransomware attacks, with 14% of all reported attacks.

    However, this incident serves as a stark reminder that organisations, particularly those where staff details can be extra sensitive, need to be careful in vetting third-party suppliers who handle their data. People need to consider that sensitive data can be exposed even if it’s in an attack on a harmless-seeming supplier.

    Who is behind the attacks?

    There are numerous criminal gangs actively engaged in ransomware activities; the majority of ransomware groups are associated with regions in Eastern Europe, former Soviet republics, and notably, Russia.

    Earlier this year, several prominent organisations, including British Airways, the BBC, and Boots, fell victim to an attack orchestrated by the Clop group, based in Russia. These global threats highlight the need for international bodies to address cybersecurity

    Is it legal to pay a ransomware group?

    Paying ransomware gangs is heavily frowned upon by UK authorities. Last year, the Information Commissioner’s Office and the National Cyber Security Centre both clarified that they did “not encourage” the payment of ransoms. Nonetheless, UK firms are making payments. The average ransomware payment by UK organisations is higher than the global average, at £1.7m.

    Paying ransomware attackers does not guarantee that a company will get their data back. There have been several cases where businesses have paid a ransom and still not received their data back. In July 2021, the Travelex currency exchange company paid a £4.6 million ransom to the LockBit ransomware group but did not recover its data, significantly reducing its share price, and eventually leading to the company’s forced administration.

    Do the police forces face punishment from the data regulator?

    The ICO has launched an investigation into whether Greater Manchester Police (GMP) selected their third-party supplier properly and carried out a proper contracting process.

    The third-party supplier in question, Digital ID, will also be scrutinised. Digital ID manufactures identity cards and lanyards for various UK organisations including several NHS trusts and universities. The investigation will likely assess Digital ID’s handling of sensitive data and adherence to GDPR. However, it’s worth noting that the ICO said last year it was planning to reduce the use of fines on public sector organisations for GDPR breaches.

    How can businesses protect themselves from ransomware attacks? 

    Businesses can protect themselves by using strong passwords, enabling two-factor authentication, and keeping their software up to date. They may also want to consider implementing a mobile device management (MDM) solution to help them manage and secure remote workers’ devices. Secure cloud storage ensures data accessibility and protection.

    Sensitive data should always be encrypted for secure communication, both in emails and websites using SSL. Local-drive encryption prevents unauthorised access in case of device loss or theft, making it much more difficult for hackers to access company data.

    The best way to protect workers from cyberattacks is to make sure they are aware of the risks and how to protect themselves. Educating employees on the dangers of phishing emails will prevent them from occurring.

    My system has been infiltrated by a ransomware attack, how should I respond? 

    • Isolate the infection: Disconnect the compromised computer from the network immediately to prevent further spread. Disable Wi-Fi and unplug network cables to ensure the isolation is effective.
    • Alert relevant parties: Your IT team must be notified, as must the incident response team, senior management, and, if relevant, the legal counsel. Contact your local police force and report the ransomware incident.
    • Consider bringing in a cybersecurity expert: Engaging a cybersecurity expert will likely help you avoid more significant issues later on.
    • Do NOT pay the ransom: Remember, paying does not guarantee that you will receive your data back.
