UK takes action over cybercrime

The UK and the US joined forces last week in an initiative to try to combat ransomware attacks, by sanctioning seven Russian nationals believed to be members of a hacking network.  Together with US authorities, the UK’s Foreign office has reportedly identified the individuals in question, frozen their assets and imposed travel bans in respect of them.

Ransomware is a type of malware that typically renders systems or data inaccessible, often due to the encryption of files.  Devices are often locked, and data may be leaked in addition to being encrypted or deleted, unless and until the victim pays a “ransom” in return for decryption to the actors who deployed the ransomware. 

Cyber criminals tend to focus on entities that they believe are most likely to capitulate in respect of the largest ransom demands and structure their campaigns to result in the greatest disruption for organisations (for example, many healthcare-related organisations became victims of ransomware during the COVID-19 global pandemic).  Many UK-based organisations (both businesses and public sector organisations) have been targeted with ransomware in recent months, including the Guardian newspaper, the Royal Mail, JD Sports and multiple educational establishments. 

In the UK, ransomware is regarded as a tier 1 national security threat.  Lindy Cameron, the UK National Cyber Security Centre’s (NCSC) Chief Executive Officer, noted that: "Ransomware is the most acute cyber threat facing the UK, and attacks by criminal groups show just how devastating its impact can be.” 

In particular, the UK National Crime Agency (NCA) has identified 149 UK-based victims of the Ryuk and Conti ransomware, who have paid approximately £27 million collectively in response to ransom demands. This is notwithstanding the fact that payment of ransom demands is discouraged by law enforcement on the basis that payment does not guarantee that access to systems or data will be restored, may encourage future attacks, and involves payment to cyber criminals, among other consequences.  Following the imposition of the recent sanctions, it is worth noting, however, that making funds available to the sanctioned individuals, such as by paying ransom demands, is prohibited.

On the basis that prevention is better than cure, organisations should ensure that they take appropriate steps to protect their systems and data (including, among other things, personal data) from ransomware and other cyber attacks.  The NCSC recommends a “defence-in-depth” strategy to try to combat potential malware and ransomware attacks, which involves using a number of layers of defence with multiple mitigations at each layer. 

The NCSC suggests various steps to help mitigate the impact of any malware and ransomware attacks, including making regular backups, (for example, the NCSC recommends focusing on the most important files, ensuring that offline backups are segregated from the network and systems and regularly patching products used for backups).  The NCSC also highlights various ways to preventing malware from being delivered and spreading to devices, (such as filtering to only permit file types that organisations would typically receive and blocking known malicious websites). 

Various ways to prevent malware running on devices are also highlighted by the NCSC, (for example, by centrally managing devices to allow only applications trusted by the enterprise to run on devices and considering the use of up-to-date anti-malware and anti-virus products).  The NCSC also recommends actively preparing for malware and ransomware attacks (for example, by implementing a robust incident management plan and conducting cyber incident response exercises).

The recent sanctions are an indication of how significant an issue the UK Government considers ransomware to be and come after a significant investigation headed by the NCA.  

The NCA’s director general, Graeme Biggar, described the sanctions as a “hugely significant moment for the UK” and it appears that the UK authorities will continue to act to try to obstruct ransomware attacks in both the UK and the US in coordination with their associates.  Notwithstanding this, organisations should also ensure that they have robust cybersecurity measures, policies and procedures in place to try to guard against the impact of ransomware attacks.