By J Connolly
A report released this week by security firm Barracuda revealed that over 25 per cent of the UK’s local authorities have been affected by a ransomware attack. Revealed by a series of FOI requests, 115 of the councils surveyed were affected by the malicious software which encrypts data on a computer to either cause damage or extort a ransom to be unlocked.
Fortunately, most of the authorities were able to restore their systems from back-up. One unnamed authority apparently did pay the attackers, but did not reveal how much they paid or if this was successful. The report also did not specify the scope of the attacks – there is a huge difference between a single employee being infected and widespread chaos as in the case of WannaCry.
The survey does highlight though how widespread ransomware has become, and how much it can affect the public sector.
We tend to focus on mass collection of data in the private sector. But your council has potential access to a huge amount of information about its residents, from council tax to library books to child protection information. Ensuring this data is protected is essential. The survey in question estimated the average council stores 64TB of data, and the proliferation of ransomware and the number of councils affected shows the difficulties LA’s will face in protecting this information.
You also can’t talk about ransomware and the public sector without citing the widespread damage caused by WannaCry to NHS computers. This highlighted how huge the impact of ransomware could be in the public sphere. 70,000 devices were affected, from computers to MRI scanners and delays in operations were caused as trusts took preventive action by turning computers off. WannaCry was unusual in that it was able to spread internally across the network using the EternalBlue windows vulnerability. Most ransomware will be confined to the individual infected machine, but with the sophistication of malware only improving, the public sector may need to move quickly to prevent large scale disruption to public services.
Local authorities like enterprises face plenty of challenges in this threat landscape. In 2015 31% of local authorities were using unsupported Windows XP, this will in no doubt have improved, but unsupported and un-updated machines still run rife, as shown by the revelation that Greater Manchester Police are still using 1518 computers running XP.
The other challenge is user education. Users are at the front line of protecting organisations against ransomware, which frequently enters the system through phishing and malicious attachments. Speakers at this week’s Enterprise Cyber Security Conference highlighted the challenges and opportunities the public and private sector face in harnessing their user base as a line of defence.
As ransomware attacks increase, the temptation will always be to pay the attackers to release critical data. One council admitted to paying the ransomware writers, suggesting that they lost important information or capability to even consider paying off the dubious outfit. So when critical information is lost, should the public sector pay up?
Famously, the UK government does not pay ransoms for British citizens. The rationale is that by paying up even once will encourage future crime and make Brits more of a target in future.
Does the same logic apply to ransomware? In a sense, yes. Money is definitely a motivation for ransomware writers and if no one paid the ransom there would be far less of the malware out there. However, the cost and risk of writing malware is reasonably low, and ensuring that no one pays the attacker is unlikely meaning it is impossible to remove the financial incentive.
There is also no guarantee that your data will be unlocked by the hackers. Individuals can be forgiven for wanting to salvage their personal data, but when it is taxpayer’s money on the line, it is much harder to argue for paying criminals with no guarantee of success.
All in all, though the prevalence of ransomware is disturbing, the news from this report is actually pretty positive. Councils are doing what they should be doing – backing up their data properly to ensure minimum disruption after attacks. There are clearly issues around updates and user education if so many authorities have been affected, but ransomware is currently a huge problem worldwide and backing up properly still remains the best defence against long-term harm.