Hacking Havoc: How the UK was Targeted by Cybercriminals
The UK was a prominent target for ransomware gangs between April 2022 and March 2023. During that time:
- The UK was the world's second most attacked country
- The greatest known ransom demand was made against Royal Mail: £58 million
- The UK's education sector was hit far harder than education in other countries
- Vice Society, which focuses on education, chose the United Kingdom as a primary target
A ransomware attack on IT supplier Advanced in August 2022 caused widespread outages across the UK's National Health Service (NHS), Europe's largest employer and the world's sixth largest. Patient referrals, ambulance dispatch, out-of-hours appointment booking, mental health services, and emergency prescriptions were all disrupted by the attack.
Later that year, The Guardian, which operates one of the most visited news websites in the world, was hit by a large ransomware attack that forced it to shut down part of its IT infrastructure. The newspaper described the event as a "highly sophisticated cyberattack involving unauthorised third-party access to parts of our network," and said it was most likely initiated by a successful phishing email.
LockBit, arguably the most prolific and damaging ransomware operation in the world, attacked Britain's postal service, Royal Mail, in January 2023 and demanded the largest ransom this report has recorded anywhere, in any country: £58 million. Royal Mail refused, calling the demand "absurd". LockBit then published the stolen files alongside a revealing transcript of the two parties' negotiations.
The UK and the US
Between April 2022 and March 2023, the UK had the second-highest number of recorded ransomware attacks worldwide, behind only the United States. The gap between the two is large, however: the number of attacks recorded in the United States far exceeds the UK's. Looking at that discrepancy alone, it would be tempting to conclude that ransomware is first and foremost an American problem, but the UK's share of attacks, and the disproportionate targeting of its education sector in particular, show that the country is very much in the firing line.
Fragile State of Education
The BBC reported in 2023 that Vice Society, the second most active ransomware gang after LockBit, had attacked 14 institutions in the UK, including Carmel College in St Helens, Durham Johnston Comprehensive School (hacked in 2021, with documents published online in January 2022), and Frances King School of English in London and Dublin.
Vice Society does not reinvent the wheel when it comes to breaking into its victims' networks. To gain a foothold, it uses well-known techniques such as phishing, compromised credentials, and exploitation of vulnerable software. To evade security tools, Vice Society is also known to use legitimate, already-installed software during its attacks. This approach, known as "living off the land," lets the gang blend in with normal administrative activity on the victim's network. One of its preferred tools is Windows Management Instrumentation (WMI), the built-in Windows framework that lets administrators manage and monitor computers remotely, and which an intruder with valid credentials can use just as easily to run commands on other machines. Because nothing overtly malicious is dropped on disk, the only practical way to catch attackers living off the land is to look at behaviour: EDR software operated by trained security staff, or a managed service such as MDR, that can spot legitimate tools being used in illegitimate ways.
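The behavioural detection the paragraph above calls for can be illustrated with a small rule set run over process-creation telemetry. The example below is added here and is not part of the original report or any vendor's product; the event records are constructed, Sysmon-style (Event ID 1) fields, and the rule names are hypothetical. It flags the two sides of WMI-based lateral movement: on the source host, `wmic.exe` or PowerShell WMI cmdlets used to create a process on a remote machine, and on the target host, a shell or script host whose parent is the WMI provider host `WmiPrvSE.exe`. A plain `wmic os get caption` from an administrator is left alone, which is the point: the tool is legitimate, the usage pattern is what matters.

```python
import re
from pathlib import PureWindowsPath

# Child processes that WmiPrvSE.exe should not normally be spawning.
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "rundll32.exe", "regsvr32.exe",
    "mshta.exe", "wscript.exe", "cscript.exe", "certutil.exe", "bitsadmin.exe",
}

# Constructed sample events (not real telemetry): Sysmon-like process-creation
# records with the handful of fields the rules below need.
SAMPLE_EVENTS = [
    {"host": "ws01", "user": "ACME\\jsmith",
     "parent": "C:\\Windows\\explorer.exe",
     "image": "C:\\Windows\\System32\\notepad.exe",
     "cmdline": "notepad.exe notes.txt"},
    # Target side of a remote WMI process creation: cmd.exe under WmiPrvSE.exe
    {"host": "ws02", "user": "NT AUTHORITY\\NETWORK SERVICE",
     "parent": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
     "image": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": "cmd.exe /c powershell -enc SQBFAFgA..."},
    # Source side: wmic creating a process on another host
    {"host": "ws03", "user": "ACME\\admin",
     "parent": "C:\\Windows\\System32\\cmd.exe",
     "image": "C:\\Windows\\System32\\wbem\\WMIC.exe",
     "cmdline": "wmic /node:fs01 process call create \"cmd.exe /c net user bk0 P@ss /add\""},
    # Benign local inventory query: same binary, not flagged
    {"host": "ws04", "user": "ACME\\helpdesk",
     "parent": "C:\\Windows\\explorer.exe",
     "image": "C:\\Windows\\System32\\wbem\\WMIC.exe",
     "cmdline": "wmic os get caption"},
    # Source side via PowerShell WMI cmdlet aimed at a remote computer
    {"host": "ws05", "user": "ACME\\admin",
     "parent": "C:\\Windows\\explorer.exe",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell -c \"Invoke-WmiMethod -ComputerName dc01 -Class Win32_Process "
                "-Name Create -ArgumentList 'cmd /c whoami'\""},
]

WMI_CMDLETS = re.compile(r"Invoke-WmiMethod|Invoke-CimMethod|Get-WmiObject|Get-CimInstance", re.I)


def _basename(path):
    """Lower-cased file name of a Windows path, e.g. '...\\WMIC.exe' -> 'wmic.exe'."""
    return PureWindowsPath(path).name.lower()


def classify(event):
    """Return the list of (hypothetical) rule names this event matches."""
    hits = []
    image = _basename(event["image"])
    parent = _basename(event["parent"])
    cmd = event["cmdline"]

    # Rule 1: on the target machine a remote WMI "process call create" lands as a
    # child of the WMI provider host, so a shell under WmiPrvSE.exe is a strong signal.
    if parent == "wmiprvse.exe" and image in SUSPICIOUS_CHILDREN:
        hits.append("wmiprvse_spawns_shell")

    # Rule 2: on the source machine, wmic.exe used to create processes; /node:
    # means it is pointed at another computer (lateral movement).
    if image == "wmic.exe" and re.search(r"process\s+call\s+create", cmd, re.I):
        hits.append("wmic_process_create")
        if re.search(r"/node:", cmd, re.I):
            hits.append("wmic_remote_node")

    # Rule 3: PowerShell WMI/CIM cmdlets with -ComputerName target a remote host.
    if image in {"powershell.exe", "pwsh.exe"} and WMI_CMDLETS.search(cmd) \
            and re.search(r"-ComputerName", cmd, re.I):
        hits.append("powershell_remote_wmi")

    return hits


def scan(events):
    """Run every event through classify() and return one alert per matching event."""
    alerts = []
    for e in events:
        hits = classify(e)
        if hits:
            alerts.append({"host": e["host"], "user": e["user"],
                           "rules": hits, "cmdline": e["cmdline"]})
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"{alert['host']:5} {alert['user']:30} {', '.join(alert['rules'])}")
        print(f"      {alert['cmdline']}")
```

In production these rules would be fed from Sysmon or an EDR's process telemetry rather than a hard-coded list, and the `/node:` and `-ComputerName` matches would be enriched with whether the initiating account is actually allowed to administer the named target; that allow-list is what turns a noisy signal into a useful one.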
We can only speculate as to why Vice Society is so interested in UK schools, colleges, and universities, but we do know that the sector is not exactly flush with cash. Following the rise in inflation in 2022, the UK's main teaching union voted to strike for better pay for its members. The strikes are not the cause of education's susceptibility to ransomware, but they are a symptom of the UK education system's deteriorating finances.
Our hypothesis: cybersecurity was one of many responsibilities being carried out by a small number of IT professionals who were under immense pressure, underpaid, and ill-equipped to deal with a ransomware gang like Vice Society.
Overall, there was no safe haven for organizations in the UK over the last year. Ransomware gangs targeted the whole Anglosphere, not just the United States, and as a member of that group the United Kingdom was, and will almost certainly remain, on the front line of the fight against ransomware.
The UK education sector should be concerned that, despite having a plethora of targets to pick from, ransomware gangs have chosen it for disproportionate attention. To ward off the determined attentions of attackers who smell an opportunity, it will need to rethink, reskill, and retool its response to ransomware more than any other sector.
How to Prevent Ransomware
- Block common entry points. Create a plan for swiftly patching vulnerabilities in internet-facing systems; block or harden remote access such as RDP and VPNs; and use endpoint security software capable of detecting the exploits and malware used to deliver ransomware.
- Detect intruders. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access privileges carefully. Use EDR or MDR to detect anomalous behaviour before the encryption stage of an attack begins.
- Stop malicious encryption. Deploy Endpoint Detection and Response software that detects ransomware using several detection methods and can roll back affected files to their pre-encryption state.
- Make remote and offline backups. Keep backups offsite and offline, out of reach of attackers. Test them regularly to confirm that you can quickly restore critical business functions.
- Don't get attacked twice. Once you have isolated the outbreak and stopped the first attack, remove all traces of the attackers: their malware, their tools, and the entry points they used.
- Engage a team of experts who can keep your data safe.
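Of the steps above, "test your backups" is the one most often written down and least often done. The script below is an added example, not part of the original report or of any product it mentions. It runs a complete restore drill in a temporary directory: build a SHA-256 manifest of the live data at backup time, copy the data out, restore it, and compare the restored tree against the manifest so that anything missing, altered, or extra is reported. The second run of the drill deliberately tampers with the restored copy the way ransomware would (a file replaced by random bytes under a `.locked` name, another overwritten) to show the verification catching it. The directory names, file contents, and the `.locked` extension are all constructed for the example.

```python
import hashlib
import json
import os
import shutil
import tempfile
from pathlib import Path


def sha256_file(path, chunk=1 << 16):
    """Stream a file through SHA-256 so large backups do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map every file under root (POSIX-style relative path) to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_restore(manifest, restored_root):
    """Compare a restored tree against the manifest taken at backup time.

    Returns three sorted lists: files the restore lacks, files whose contents
    differ, and files present in the restore that were never backed up.
    """
    actual = build_manifest(restored_root)
    return {
        "missing": sorted(set(manifest) - set(actual)),
        "modified": sorted(k for k in manifest.keys() & actual.keys()
                           if manifest[k] != actual[k]),
        "unexpected": sorted(set(actual) - set(manifest)),
    }


def restore_drill(tamper=False):
    """Backup -> manifest -> restore -> verify, entirely inside a temp directory.

    With tamper=True the restored copy is damaged the way ransomware would
    damage it, so the drill should report the damage rather than pass.
    """
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        # Constructed "live" data standing in for a file server.
        live = tmp / "live"
        (live / "finance").mkdir(parents=True)
        (live / "finance" / "ledger.csv").write_text("date,amount\n2023-01-05,1200\n")
        (live / "readme.txt").write_text("constructed sample data\n")

        # Take the backup and record the manifest alongside it. In practice the
        # manifest is stored with the offline copy (or signed) so an intruder
        # who can rewrite the backup cannot also rewrite the expected hashes.
        backup = tmp / "backup"
        shutil.copytree(live, backup)
        manifest = build_manifest(live)
        (tmp / "manifest.json").write_text(json.dumps(manifest, indent=2))

        # Restore from the backup copy, never from the live tree.
        restored = tmp / "restored"
        shutil.copytree(backup, restored)

        if tamper:
            # Emulate ransomware: encrypted-looking replacement plus a defaced file.
            victim = restored / "finance" / "ledger.csv"
            (victim.parent / (victim.name + ".locked")).write_bytes(os.urandom(64))
            victim.unlink()
            (restored / "readme.txt").write_text("your files are encrypted\n")

        saved = json.loads((tmp / "manifest.json").read_text())
        return verify_restore(saved, restored)


if __name__ == "__main__":
    print("clean restore :", restore_drill())
    print("tampered copy :", restore_drill(tamper=True))
```

A drill that only checks the backup job exited with status 0 proves nothing about whether the data can be brought back; comparing restored contents against hashes recorded at backup time is the minimum, and running it against the offline copy on a schedule is what makes the "test them regularly" step real.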