How has the UK response to ransomware worked?

Three years ago DPA published a primer, crafted for it by those working on the standards of the day, on  Cyber Insurance as a Catalyst for Good Security Practice What has happened since? Does current UK (and/or US/EU) public policy support or get in the way of good practice?

On Monday 13th June, 14.00 – 16.00 Baroness Neville-Jones will chair a Hybrid Meeting of the DPA Cyber Security & E-Crime Group with senior representatives from law enforcement and the legal & cyber insurance sectors to discuss support for the evolving role of authorities to address ransomware

Ransomware became the most significant cyber threat facing the UK in 2021, according to the National Cyber Strategy 2022. Attackers have adapted their methods to target large organisations and exfiltrate data, and the increase in frequency and severity of ransomware attacks observed was in line with expectations noted at a previous DPA Group meeting.

What incentives will not inadvertently re-victimise organisations, while reflecting that ransom payments support the development of criminal business models and reporting improves public responses to threats?

The group is likely to explore potential policy approaches, such as those discussed at the G7 Interior and Security Senior Officials’ Extraordinary Forum on Ransomware on the need to both  increase reporting and reduce payments.

The DPA’s Cyber Security and E-Crime Working Group aims to create, identify and support key partnerships to cut online crime and nuisance, reduce risk, increase awareness and confidence in online safety and security and establish UK leadership in Internet policing and governance. Reports of the DPA Cyber Security and E-Crime Group meetings are available to members & observers at: https://www.dpalliance.org.uk/about-cyber-security-group/.

This meeting is for DPA members and registered observers only.  If you are interested in becoming a member we would welcome your attendance as a taster, but before any further participation, you would then need to join us.  More details are available at: https://www.dpalliance.org.uk/join-us/.

My son is rapporteur for this DPA group and the last meeting he organised was particularly interesting for the revelation that ransomware is less of a problem for UK business than for those in the US and most EU nations.

There were a variety of reasons, some contentious, but the most striking was that UK business was less likely to pay up and their insurers were more likely to undertake “asset recovery” action – using a mix of civil and contract law along attack and payment chains to sue those who do not help identify the attackers and intercept/refund payments.

One can argue how successful they were and how “fair” it is that only the wealthy can get justice – but it did appear to have a deterrent effect.

We were told that most ransomware gangs begin with their own due diligence – to calculate how much the victim (or insurer) will pay before reporting. They are likely to move on and find a victim who will not report, refuse to pay and fight back, supported by an insurance company who will also retain an asset recovery team (motivated with a performance bonus) to get at least of their money back.

I also look forward to hearing how things have moved on since then.