Let’s put an end to secrecy and cover-ups in ransomware attacks

The NCSC and the ICO are calling for organisations to bite the bullet and be more open about cyber security and ransomware incidents, and the community is firmly behind them

The UK’s National Cyber Security Centre (NCSC) and the Information Commissioner’s Office (ICO) have banded together to urge those affected by cyber incidents, especially ransomware, to be more open about the issues, and to put an end to a culture of secrecy and cover-ups that they argue is hindering the ability of society at large to mount an effective response.

Eleanor Fairford, deputy director of incident management at the NCSC, and Mihaela Jembei, director of regulatory cyber at the ICO, said they were increasingly concerned about the number of attacks that are not reported and pass quietly by, pushed aside, with ransoms paid swiftly to make the problem go away.

“The NCSC supports victims of cyber incidents every day, but we are increasingly concerned about the organisations that decide not to come forward,” said Fairford.

“Keeping a cyber attack secret helps nobody except the perpetrators, so we strongly encourage victims to report incidents and seek support to help effectively deal with the fallout.

“By responding openly and sharing information, organisations can help mitigate the risk to their operations and reputation, as well as break the cycle of crime to prevent others from falling victim,” she said.

“It’s crucial that businesses are aware of their own responsibilities when it comes to cyber security,” said Jembei. “The fact remains that there is a regulatory requirement to report cyber incidents to the ICO, but transparency is more than simply complying with the law. Cyber crime is a borderless and global threat, and it’s through knowledge sharing that we can help organisations help themselves.

“It’s also really important that businesses do not lose sight of their basic cyber hygiene practices in a world where we are always hearing about new and exciting technologies and the risks they may pose.”

The importance of data sharing

Raj Samani, senior vice-president and chief scientist at Rapid7, said: “The latest report from the NCSC and the ICO is a fitting warning to alert companies of the importance of data sharing and cross-collaboration. It is a major responsibility of businesses to take part in data sharing to help reduce the probability of future attacks. 

“With the NCSC and ICO dispelling common myths believed by organisations, perhaps cooperation can be increased, in turn making it quicker to get to the bottom of attacks and identify the key issues and indicators that come alongside cyber crime. This will assist organisations in developing effective incident response plans to aid future investigations into cyber attacks. 

“When organisations are hit by a cyber attack, we would encourage the sharing of indicators of the attack such that it can benefit the defences of other organisations to mitigate future incidents targeting other companies,” he said.

Those myths in full

The NCSC and the ICO are keen to target six common myths that many organisations still cleave to:

  1. If I cover up the attack, everything will be OK.
  2. Reporting to the authorities makes it more likely your incident will go public.
  3. Paying a ransom makes the incident go away.
  4. I’ve got good offline backups, I won’t need to pay a ransom.
  5. If there is no evidence of data theft, you don’t need to report to the ICO.
  6. You’ll only get a fine if your data is leaked.

Fairford said it was understandable that people find it hard to stand up and admit to being victimised, but that they should imagine arriving home to find they had been burgled, and then doing nothing about it.

Every single cyber attack that is hushed up without investigation or information sharing makes more attacks inevitable, because nobody except the cyber criminals has learned anything from it.

For those who may be fearful of public reporting, she said there are secure and trusted environments where this can be done safely – the NCSC itself has CISP for information sharing between organisations, as well as sector information exchanges and trust groups. Other industry bodies may operate similar forums.

She also pointed out that reporting the experience of a cyber attack enables victims to access more assistance from the NCSC itself or law enforcement, as well as ongoing support. For victims where word of attacks may reach the public via social and traditional forms of media – such as the ongoing Capita ransomware incident – it also offers communications support to navigate national newspaper coverage and crisis PR.

“We encourage organisations to be open when an incident happens, but ultimately, it’s your choice, and we will support you either way,” she said.

BlackFog CEO Darren Williams said delayed reporting has become very common as organisations try to stay out of the newspapers and avoid the stigma of becoming a public victim, but the reality is that sweeping an incident under the carpet is not an option.

“Organisations with robust incident response plans and good communication can limit damage and prevent a catastrophic hit to their reputation, as the sooner organisations announce a data breach, the faster law enforcement can respond and help guide the situation towards resolution,” he said.

“Most business leaders would immediately call the police if their headquarters was ransacked, yet when their digital assets are stolen by cyber criminals, they hesitate.”

Regulatory responsibilities

The NCSC and ICO urged organisations to consider and remember their regulatory responsibilities. This applies even if you do not initially think there is any evidence of data theft, as per myth number five.

Indeed, said Fairford, the NCSC has seen many cases of ransomware victims who were utterly convinced no data had been stolen – even going to the extent of telling the media so – only to have to backtrack with their tails between their legs when their data popped up on the dark web weeks or months later.

Seeking support early and communicating openly will not only reduce the risk of an unpleasant surprise later on, but will also stand you in better stead with the ICO, which should be informed at the outset. It is also important to note that victims won’t always be fined if data is leaked.

Additionally, the ICO’s approach to deciding a regulatory response takes into account how proactive organisations are at responding to incidents. If a fine does end up being levied, it can even be reduced on this basis.

Jembei additionally pointed out that the ICO does not function as a mechanism to disclose details of an incident, and if asked will only confirm that one has taken place.

“Regulators won’t be fooled,” BlackFog’s Williams told Computer Weekly. “Most countries have very clear policies that stipulate what is required for organisations who are victims of cyber attacks, with many, including CISA and GDPR, requiring notification within 72 hours.

“Delayed reporting will be discovered by regulators eventually. There is no such thing as a secret when it comes to ransomware. If it’s on the internet, it can be discovered by anyone. In fact, BlackFog collects this data on a daily basis and often knows of the attack before the victim has even been notified. The best approach is always full disclosure as soon as possible to limit the damage and any fallout from the attack.”

Don’t listen to ransomware gangs

Ransomware gangs are well-practised operators, and often have a remarkable grasp of UK data protection law despite usually being based in Russia. They are also tactically savvy negotiators, and it’s important for victims to remember that they will try to prey on some of these myths and misconceptions should you choose to enter a negotiation chat with them.

Fairford said the NCSC has been privy to multiple ransomware negotiations where the gang’s negotiator tried to convince the victim it was worth paying a certain amount of money on the basis that their organisational profit was so high that the ICO’s fine would be higher. Such a tactic was tried on Royal Mail by LockBit, although as Royal Mail’s negotiator pointed out at the time, the cyber criminals seemed to have done their sums wrong. In any instance, said Fairford and Jembei, the guidance is “don’t listen to them”.

“Being open about an attack by seeking support and communicating openly with the NCSC and ICO in the days following it can only help you, while sharing information about the attack with your trust communities later on will ultimately improve the threat landscape for everyone,” they said.

“And don’t just take our word for it; others are saying the same thing. In the US, CISA director Jen Easterly has written about how reluctance to report to government creates a race to the bottom, while the Google president of global affairs talks about the need to ‘weave transparency’ into a cyber security response.

“Make sure cyber security lessons are learned to protect yourself and help prevent future attacks for everyone,” they continued. “And remember, the cyber incident reporting service helps UK organisations access the right support if you need it.”