Ransomware attacks continue to plague businesses

March 2023

How damaging could an attack be? How prepared are we? Should we pay or not?

Ransomware attacks are a significant concern as more organisations fall victim. Non-cyber incidents may account for more than two-thirds of data breaches reported to the UK’s Information Commissioner’s Office (ICO), but being held to ransom can bring a business to a standstill.

What is Ransomware?

Ransomware is malicious software used by bad actors to encrypt a target organisation’s systems, folders or files. Sometimes the data is exfiltrated (exported) too.

A ransom demand often follows, asking for payment. This could be a huge sum of money, paid in exchange for the decryption key and an assurance that the data the attacker claims to have will be deleted. In other words, it will not be published on the dark web or shared with others. But there are no guarantees!

These attacks are becoming increasingly sophisticated. It’s now possible for a bad actor to buy an ‘off the shelf’ cyber-attack via the dark web, or tailor a package to suit their needs. A really unwelcome development.

Robert Bond, Senior Counsel, Privacy Partnership Law:

“My experience is that ransomware attacks are not necessarily aimed at personal data but rather any information that is an asset. Often what is attacked contains confidential data such as business secrets and so personal data is the least concern.”

Ransomware attacks could cause a personal data breach, but this may be only one of a number of risks to the business.

Recent high-profile ransomware attacks

  • Royal Mail were hit by a LockBit ransomware attack on 10th January 2023 and had to suspend their overseas letter & parcel services. LockBit threatened to publish Royal Mail’s data and the ransom was set at £65 million!

Royal Mail notified the ICO and engaged help from the National Cyber Security Centre (NCSC) and National Crime Agency (NCA). Royal Mail refused LockBit’s demands.

LockBit then released the entire negotiation history with Royal Mail. No data appears to have been leaked via LockBit’s blog at the time of writing. Links to data dumps were included in the chat history, but the links quickly expired.

  • Ion Group, a supplier of software to the financial services industry, were also attacked in February 2023. The incident crippled the ability of many City of London traders to do their jobs.

LockBit threatened to publish Ion’s data. A LockBit spokesperson later confirmed that a ransom had been paid by a “very rich unknown philanthropist”. We can’t be sure if this is true, as Ion refused to comment. But if a ransom was paid, this goes against accepted cyber security best practice.

These are big organisations, but there’s evidence all businesses small and large are potential targets.

Last year a solicitor’s firm was issued with a £98K ICO fine after it fell victim to an attack. In its ruling the ICO made it clear that while primary culpability rested with the attacker, a lack of sufficient technical and organisational measures gave the attacker a weakness to exploit.

Be prepared

These increased threats are persuading some organisations to invest more time and money in additional security measures aimed at preventing attacks. It’s also worth making sure you have robust procedures to follow should the worst happen. Incident response playbooks (procedures) are being created and simulations run.

The ICO’s fine demonstrates organisations need to take ‘appropriate steps’ to protect their systems from a ransomware attack. In addition to updated cyber security and penetration testing, having a robust backup and disaster recovery plan can prove critical to getting business operations up and running quickly following an attack.

Employees are vital too. Make sure they understand and follow information security best practice and are able to recognise security risks. Without that knowledge, and without a clear procedure for reporting incidents and breaches, a cyber-attack could initially go unnoticed, causing more damage.


Ransomware demands – to pay or not to pay?

A crucial consideration for businesses which suffer an attack and receive a ransom demand will be whether to pay or not.

For its part, the ICO is urging businesses not to pay. The Regulator says ‘Paying ransoms to release locked data does not reduce the risk to individuals, is not an obligation under data protection law, and is not considered as a reasonable step to safeguard data.’

In reality a business might find its operations crippled following an attack, and paying the ransom can feel like the only option to keep the business afloat. The problem is, the more ransom demands that are paid, the more bad actors will continue to make demands. And as said, there are no guarantees the data will not be leaked.

It’s definitely worth noting the ICO wouldn’t expect you to pay; it urges those affected to engage with them and the National Cyber Security Centre at the earliest possible opportunity.

Ransomware attack impacts

So what could be the impact if our business is targeted?

1. Financial loss

The costs can be substantial. There’s the sum of the ransom payment itself, if a business decides to pay it. Plus, there are the costs of resolving the issues the attack has left behind, such as contracting specialist expertise to investigate the attack, restoring data from backups, and implementing additional security measures. Not to mention lost revenue…

2. Disruption to normal business ops

An organisation’s routine business operations can be massively disrupted by a ransomware attack if it limits or entirely prevents access to the data and systems needed to perform basic day-to-day tasks.

Delays, missed deadlines and lost business can follow, as well as firefighting to placate upset customers, business partners and so on. In the worst cases, businesses may have to shut down completely until the data is decrypted or restored to systems from back-ups.

3. Reputational damage

We’ve all seen the headlines; a ransomware attack can damage a business’s reputation and harm customer trust. Customers naturally expect organisations to take all appropriate measures to protect their data. A ransomware attack could indicate to customers, staff and trade partners that a business has failed in its duty to protect the data.

A ransomware attack can have legal consequences, especially where particularly sensitive or special category data is affected. An attack could lead to a regulatory investigation, a possible fine and potential class actions.

Final thoughts

We know ransomware attacks can cause an enormous amount of harm and pose considerable risks to organisations. They are costly, disruptive and can be reputationally damaging.

Robust measures are needed to protect organisations. Patch management, encryption, pen testing… the list goes on. Alongside this, a well-developed playbook enabling you to react quickly and decisively to an attack can only help to minimise the impact.