Ransomware Concerns for SMEs Raised in Parliament


Ransomware attacks have become increasingly common in recent years, and they can have a devastating impact on businesses, especially small and medium-sized enterprises (SMEs). SMEs are particularly vulnerable to ransomware attacks because they often lack the resources to invest in robust cyber security measures. Additionally, SMEs are often targeted by ransomware attackers because they are seen as easy targets.

The idea that an organisation as important as a council suddenly loses access to all its computers, documents, emails, and telephone system sounds like an extreme scenario and yet this is precisely what happened to Redcar and Cleveland Borough Council in February 2020.

The cause was a ransomware attack which received wide coverage, including by the BBC. A more detailed account of what unfolded on that day was later given by council leader Mary Lanigan in her testimony to the Parliamentary Joint Committee on the National Security Strategy (JCNSS) in January 2023.

“You can imagine the devastation. I had staff running about with pieces of paper. We brought in another telephone system that we could use, but that took time. It was catastrophic, for the council and for the residents we serve across the board.”

This was more than a minor inconvenience for citizens. “Social workers were unable to access its systems for managing children’s services, including reports about children from concerned members of the public,” noted the JCNSS’s final report of December 2023, which cited the attack in its analysis of the threat ransomware now poses to U.K. Critical National Infrastructure (CNI).

The incident exemplifies how ransomware attacks are already disrupting the U.K.’s institutions. The 2017 WannaCry attack that crippled the NHS is the one most often mentioned, but more recent incidents include the equally paralysing January 2022 attack on the Royal Mail and the attack on the British Library in October last year. In the latter case, one of the country’s most famous institutions remains digitally crippled, with costs now said to have risen to £7 million.

These were isolated attacks on single organisations. And yet, as the Committee’s report makes clear, there is nothing to stop ransomware groups from targeting multiple organisations at once to cause more widespread and serious disruption, including putting critical infrastructure out of action for weeks or months.

Needless to say, this possibility has alarmed a lot of people who believe that it is only a matter of time before ransomware causes a major incident.


What is the JCNSS and is it important?

Established in 2010, the JCNSS is a cross-party select committee of MPs interested in national security as it relates to issues such as climate change, biosecurity and pandemic response and, more recently, cyber security. Until its December report, A hostage to fortune: ransomware and UK national security, received widespread media coverage, its influence had rarely extended much beyond the committed few who pay attention to Parliamentary affairs. These days, however, cyber security is suddenly topical, boosted by the obvious connection between recent ransomware attacks and the Russian state. People don’t always take the danger of cyber attacks seriously enough, but the involvement of a hostile foreign power is newsworthy.

The ransomware pandemic

The committee assessed evidence from 37 written submissions and five in-person evidence sessions, guided by a panel of specialist experts drawn from academia, and its findings make uneasy reading. It’s no secret that ransomware surged during 2021. What’s less appreciated is that while the number of incidents more than doubled, the number of victims paying off the attackers probably quadrupled.

Although 2022 saw a levelling off of attacks (possibly influenced by Russia’s invasion of Ukraine), by 2023 they had risen back to 2021 levels. The report paints a picture of a criminal sector that is well-organised and resilient, using the cell-like structure historically adopted by other types of organised crime to resist disruption. The advent of ransomware-as-a-service (RaaS) has also put the power of this type of attack in the hands of any criminals who want in on the action, in return for a fat subscription.

The Russian state seems privately to encourage these attacks for geopolitical gain. This helps explain why the U.K. is one of the two or three most targeted nations for ransomware.

Ransomware evolution – where next?

As with all crime, the bad actors innovate while defenders evolve to block them. In the case of ransomware, this cycle is not sustainable for the attackers: as larger companies and their supply chains secure themselves, attackers are likely to seek out weaker targets, principally vulnerable public services and critical infrastructure.

The modus operandi (MO) of extortion is to demand payment to avoid a bad outcome. Every time defenders mitigate that outcome, ransomware must up the ante to maintain a credible threat. For example, early attacks simply encrypted files. When organisations improved backup and restore, ransomware groups started stealing sensitive data and threatening to release it. As that becomes harder, the next step up is to target essential services such as hospitals, physical systems inside water plants, shipping navigation, and airports. Extortion has no scruples.

Worst case scenarios

One possibility mentioned by the report is an attack on the energy grid in London and the South East of England, resulting in weeks of rolling blackouts. The Office for Budget Responsibility (OBR) estimated that the Government would need to spend £16 billion supporting the economy if such an event were to occur.

Can this be prevented? It would be wise to plan in case it can’t. The National Crime Agency (NCA) has voiced particular concern about the vulnerability of CNI supply chains. For an attacker, targeting supply chains is a no-brainer. Every service provider depends on dozens of smaller companies, mostly SMEs, and those SMEs are likely to be less well-defended. Disrupting even a single SME supplying a key component or service is an easy way to cause short-term chaos. Too many of these organisations still have out-of-date systems lurking on their networks, which are often impossible to secure. As the JCNSS states:

“As a result of these vulnerabilities, a coordinated and targeted attack has the potential to take down large parts of UK CNI and public services, causing severe damage to the economy and everyday life in the UK.”

Having a plan B

The Home Office has shown little interest in the risk posed by ransomware. To counteract this, the report recommends that responsibility for cyber-resilience and CNI vulnerability should be transferred from the Home Office to the Cabinet Office, taking accountability closer to the Prime Minister and Deputy Prime Minister.

The National Crime Agency should get far more resources to cope with the challenge, and the U.K. should conduct regular exercises to test its cyber-resilience under various scenarios. The takeaway is the need to plan for the worst by investing in redundancy and resilience.

SMEs and cyber-resilience

Ransomware has been an SME worry for years. What governments now add to this is pressure on organisations in CNI supply chains to boost their security or risk losing business. That pressure will only increase in the coming years, and more quickly still if ransomware causes a major outage similar to the 2017 WannaCry disruption of the NHS.

Regulation and reporting rules will tighten, costs will rise, and the old excuses of a lack of skills and budget will start to ring hollow. SMEs need to stop assuming they are cyber-resilient. In the past, assumptions about security were rarely tested. In the changed world of ransomware, with decades of geopolitical tension ahead of us, this no longer washes. Nobody can say they haven’t been warned.


Written by John Dunn

John is a journalist and editor who has been covering the IT industry for over 30 years. He specialises in cybersecurity, mobile, cloud, open source, and networking. His work has appeared in a number of popular tech titles, including Personal Computer Magazine, Network World, and LAN Magazine. He helped to co-found Techworld in 2003, and he regularly writes for The Register, Which Computing, and Forbes. He’s been interviewed on BBC TV and radio, and on CBC in Canada. He tweets about cybersecurity and privacy issues.
