Businesses are facing a new threat that is more likely to sink them than even a recession: hackers holding their data to ransom.
In the past two months Royal Mail, KFC and the Guardian newspaper have all been attacked by hackers using “ransomware”, a name given to software that will lock up computer systems until a sizeable ransom payment has been made.
These attacks are usually set-off with a “phishing” email, a message that poses as being from a friendly contact but will actually contain malicious software (“malware”) that will infect the recipient’s computer.
This software then spreads like a virus, replicating itself throughout a company’s internal network, stealing data along the way and encrypting it so that the firm cannot access it.
Smaller companies may just be a stepping stone to the bigger firms they supply, Tim Wallen, regional director in the UK for Logpoint, a firm that provides protection and analysis for digital security “events”, explains.
“If you think of a large defence contractor, they will be digitally connected to hundreds of suppliers,” he adds. If the hackers can’t get into the large company, they may hack smaller companies that are connected to the bigger one to find a way in. Hackers can also co-ordinate attacks across multiple companies to snake up a supply chain from multiple angles.
If online attackers manage to get access to a company’s internal network and steal important data, research from Cisco and the National Centre for the Middle Market shows that 60 per cent of affected businesses go bankrupt within six months.
There are two broad approaches the hackers take: a “smash and grab” attack, where they try and steal the data quickly before moving on to the next target and a longer-term approach, where they will hack a system and stay in there undetected for months at a time.
In order to regain control of their systems, or to access to their data once more, these companies are told they have to pay a ransom that often reaches hundreds of thousands of pounds.
The average ransom paid by companies to ransomware owners in 2022 was $812,360 (£657,000), according to security software firm Sophos. Just under half of companies who were targeted paid up.
Around 11 per cent of 5,600 organisations from across the world that were hit by these attacks last year paid ransoms of more than $1m. In one instance, a US insurance company reportedly paid $40m in order to unlock their systems.
But the true scale of the attacks is likely to be far higher than previously thought as small and medium-sized businesses are paying up and not telling anyone about the attacks, for fear or customers considering them careless with their data.
The impact on businesses is not just financial, too. It can take out vital systems for days or even months, leave security vulnerabilities which need urgent fixing, or harm customers’ trust, something that can be worth millions if lost.
Yum! Brands, which runs 300 branches of Pizza Hut, KFC and Taco Bell around the UK, had to close all of its locations for a day last week as it worked to find out the extend of the attack.
The Guardian’s incident was bad enough to collapse key It systems used to put together the newspaper, with some staff locked out of the office, and data including bank details, salaries and passport numbers belonging to staff compromised.
Royal Mail, meanwhile, was hit on Thursday 12 January, when some members received a note from the hackers saying “Your data are stolen and encrypted” unless they paid a ransom worth millions. Royal Mail stopped sending parcels as a result, and is only just bringing its systems online two weeks’ later.
The threat posed by ransomware is growing. Two in five businesses were hit by attacks in 2021 and 2022, according to a Government report and US telecoms firm Verizon has said the number of “security breaches” – or successful attacks – logged last year increase 13 per cent. That increase is more than the growth in this kind of attack in the previous five years.
Heightened geopolitical tensions are fuelling the attacks, says Wallen. Russian groups are very active in this area, and working to undermine the Ukranian military operation.
“We’ve seen that ransomware attacks can be really destructive and not just financially motivated,” he adds. “Our friends in Ukraine have recorded that frequently in the past year.”
Perhaps as a result, as of November 2022, the majority of meetings held by the British government’s “Cobra” crisis management team were dedicated to tackling the threat of ransomware. The World Economic Forum name cybersecurity as the most pressing risk facing the world as we head into 2023.
Away from the headlines, the UK’s smaller companies are also increasingly targeted and vulnerable, said Oliver Noble, a cybersecurity expert at NordLocker. His firm’s research shows that smaller firms are the targets of 58.8 per cent of ransomware attacks.
Tactics are evolving, warns Eleanor Fairford, deputy director for incident management at the National Cyber Security Centre. Historically, ransomware attacks were carried out by established crime groups who would build their own special version of the malware, have their own method of targeting and have their own brand. In 2023 some of the leading names are LockBit, BlackCat, newcomer Black Basta, and Karakurt.
Now, however, the notion of “Ransomware as a Service” has emerged. Attackers will lease their software out to affiliates, allowing almost anyone to carry out a ransomware sting. Buyers do not need to be technically skilled or to really know anything about ransomware, but they can borrow the means to do it from one of these groups.
At their core, each attack depends on a human error to grant that first point of access. Hackers can stay undetected within a computer system for hundreds of days at a time waiting for the perfect time to strike. That human element is key, says Wallen, who adds that no amount of digital protection can negate social engineering. “None of the technical measures you put in place will work if your staff are not adequately trained and actually covering the basics,” he warns.
Another issue is that companies are – unsurprisingly – not very happy about telling the world that they have been hacked, a problem compounded for smaller companies who are that much less resilient.
For Fairford, who is co-ordinating the NCSC’s response to cyber incidents, transparency is the best weapon against ransomware. “We want to encourage the victims of crime to come forward as much as possible,” she concludes. “The more openly we can talk about it, the better that everyone will be able to defend themselves as a result.”
How to avoid a ransomware attack
The Government’s cyber agency launched a ransomware hub in March 2022 in order to help organisations improve their resilience to attacks.
In short, the NCSC offers four key actions to take to prepare for an attack.
First among these is to make regular back-ups of important data, to reduce the likelihood that attackers can hold it for ransom.
It also offers various tips for preventing malware from being downloaded onto devices, which include filters on email accounts and internet security software, and the extra steps to prevent it from being run on devices.
Finally, it offers several steps to help organisations prepare to recover from a ransomware attack as quickly as possible. This includes identifying the most important assets in their systems, developing a strategy to communicate an attack to clients and other stakeholders, and sharing plans for how to respond attacks widely.
On the topic of paying ransoms, the NCSC and law enforcement agencies are clear. Paying the ransom gives you no guarantee that you will have access to your data returned, it will not stop your computer being affected and it will make you more likely to be targeted in the future, the NCSC says. Above all, by paying the sum you are directly funding criminal groups.