UK authorities concerned over under-reporting of ransomware attacks
Representatives from the UK’s National Cyber Security Centre (NCSC) and Information Commissioner’s Office (ICO) have aired their fears that many organisations and people are not reporting when they fall victim to ransomware attacks and that they are simply quietly paying hackers “to make them go away”.
Eleanor Fairford, deputy director of incident management at the NCSC, and Mihaela Jembei, director of regulatory cyber at the ICO, made the remarks in a co-written post on the NCSC blog overnight.
The pair, and their organisations, worry that failing to report ransomware attacks and simply paying the ransom will embolden threat actors and lead to more attacks in the future.
“They are the attacks that aren’t reported to us and pass quietly by, pushed to one side, the ransoms paid to make them go away,” the two wrote. “And if attacks are covered up, the criminals enjoy greater success, and more attacks take place. We know how damaging this is.”
The post goes on to debunk a number of myths, such as the idea that covering up an attack means “everything will be okay”. The pair compare this to what might happen if a number of houses are broken into, but no one reports the crime to the police: everyone pays, and no one can track what the burglar is doing, or how they are getting in.
“Every successful cyber attack that is hushed up, with no investigation or information sharing, makes other attacks more likely because no one learns from it,” the post said.
Another myth busted is that not reporting an incident means it is likely that the public will not hear of it. In this case, there are clear regulatory issues that are likely to cause far greater problems, and without reporting, organisations have less access to a wealth of support information and expertise.
Some incidents, even when properly reported, do not need to be disclosed at all, but in many cases disclosure is needed to ensure that more people aren’t made into victims.
Another myth is that paying a ransom solves the problem, but it does not. Decrypting files can be a lengthy process, and there are no guarantees that the hacker who encrypted them in the first place will keep their end of the bargain.
In the words of Fairford and Jembei, ransomware victims are “basically accepting a pinky promise from criminals”.
The pair address a couple more myths, but the bottom line is, unsurprisingly, that better outcomes are achieved by following proper reporting procedures. Better outcomes for companies and organisations, and certainly better outcomes for the people and customers affected by data breaches and ransomware attacks.
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.