Who caused the recent increase in ransomware attacks in the UK?
The Greater Manchester police force has been hit by a common type of cyberattack known as ransomware.
On Thursday, the Greater Manchester police revealed that a third-party supplier, which had information about its employees, had suffered a security breach. It appears that the hack may have exposed details such as officers’ name badges, including their ranks, photos, and serial numbers.
In a similar incident, the Metropolitan police disclosed in August that data belonging to their officers and staff had also been compromised in an attack on the same supplier.
Throughout this year in the UK, various companies and public organisations have fallen victim to ransomware attacks. Among them are the Royal Mail, outsourcing company Capita, and the Barts Health NHS trust. Even The Guardian experienced a ransomware attack last year.
What is a ransomware attack?
Ransomware is a harmful computer program that infiltrates an organization’s computer network. It can get in through a “phishing attack,” where a staff member is deceived, often through email, into downloading the malicious software. Once inside, this software encrypts the data on the computers it has reached, making their contents inaccessible.
The criminal group responsible for the attack then demands a ransom payment, typically in cryptocurrency, in exchange for decrypting the victim’s network, hence the term “ransomware.”
Another tactic used in ransomware attacks is called “double extortion.” In this scenario, the attacker not only encrypts data but also takes it, using it as leverage during negotiations. They threaten to sell or release the data into the public domain unless the ransom is paid.
According to the Information Commissioner’s Office (ICO), the data protection authority in the UK, there were 706 reported ransomware incidents last year, a slight increase from the 694 incidents reported in 2021.
Have police forces been targeted deliberately?
Ransomware attacks are widespread, affecting both the public and private sectors, according to cybersecurity firm Secureworks.
Rafe Pilling, a director for threat research at Secureworks, emphasises that this issue isn’t limited to the public sector or its supply chain alone. It’s a problem that affects organisations of all sizes and types. He notes that Secureworks has observed victims from various sectors, with manufacturing being particularly vulnerable.
Nonetheless, Pilling underscores the importance of entities, especially those dealing with sensitive data like law enforcement agencies, being cautious when selecting third-party suppliers who handle their information.
He points out that even seemingly harmless suppliers can be vulnerable to attacks, which can have significant consequences in terms of data exposure.
Who is behind these attacks?
Many ransomware groups are associated with regions in Eastern Europe, former Soviet republics, and notably, Russia. This year, several high-profile organisations, including British Airways, the BBC, and Boots, fell victim to an attack orchestrated by the Clop group, named after the specific strain of ransomware they deploy.
“There are multiple criminal gangs conducting this activity at the moment,” says Pilling. “The vast majority are Russian speaking or have Russian links.”
Is it legal to pay a ransomware group?
Paying ransomware groups is strongly discouraged by UK authorities. Last year, the UK’s data watchdog and the National Cyber Security Centre made it clear that they did not endorse the payment of ransoms, although such payments were typically not considered unlawful.
However, it is illegal to pay a ransom if you have knowledge or suspicion that the funds will end up in the hands of terrorists.
Despite these warnings, UK companies continue to make ransom payments. According to Sophos, a British cybersecurity firm, the average ransomware payment made by UK organizations is higher than the global average, standing at $2.1 million (£1.7 million).
Do the police forces face punishment from the data regulator?
The Information Commissioner’s Office (ICO) is likely to conduct an investigation into whether both Greater Manchester Police (GMP) and the Metropolitan Police (Met) followed appropriate procedures in selecting their third-party supplier and executed a proper contracting process.
It’s important to note that the ICO indicated last year that it intended to decrease the use of fines on public sector organisations for breaches of the UK’s implementation of GDPR.
However, the supplier in question, Digital ID, based in Stockport, will also come under scrutiny. Digital ID is known for producing identity cards and lanyards for various UK organisations, including several NHS trusts and universities.
Overall, ransomware remains a persistent threat in the UK’s cybersecurity landscape, underscoring the importance of robust cybersecurity measures, proper vetting of third-party suppliers, and a cautious approach to handling sensitive data.