British government minister told council to keep quiet after ransomware attack
An unnamed British government minister told the leader of Redcar and Cleveland Borough Council to keep quiet about the impact of a “catastrophic” ransomware attack two years ago, a parliamentary committee was told on Monday.
The pressure from central government to not discuss the impact of the attack “caused us a lot of issues,” said Mary Lanigan, who has led the council since 2019, during a witness session held by the Joint Committee on the National Security Strategy (JCNSS).
The JCNSS is holding an inquiry into whether the United Kingdom’s national security strategy is effectively addressing the threats posed by ransomware.
Lanigan told the committee that a minister from central government told her, “Whatever it is, we'll meet the cost,” although they ultimately failed to do so, which cost the council about £7 million ($8.6 million), millions in excess of the cash it held in reserve.
The attack on Redcar and Cleveland Council struck in January 2020, just as the COVID-19 pandemic was beginning and the resources of local authorities throughout the United Kingdom would be put under enormous pressure.
The borough, in North Yorkshire on England's east coast, has a population of just over 130,000 and is among the more deprived areas of the country.
“Children and adult services — everything had been wiped out completely,” described Lanigan. “So you can imagine any reports coming in from members of the public regarding children and services and things like that [were missed]. It was devastating.”
Lanigan added that the attack not only locked up the council’s records, but shut down their access to telephone lines, email, computers, printers and other electronic devices. “We couldn't even take in payments for [business] rates or for any bills,” she said.
“We were advised not to go into a great deal of depth about what had happened. The public knew that we'd been hit with a ransom attack, but not how serious that was... it was catastrophic, not just for the council but for the residents and the people that we serve across the board,” said Lanigan.
GCHQ staff slept in council building to get Children’s Services running
The council leader credited staff at the National Cyber Security Centre, a part of GCHQ, with helping the council prioritize getting its Children's Services back up and running as quickly as possible. Those specialists, alongside the council's own IT staff, “were actually staying in the building, we actually put beds in for them in order to see how quickly we could do that [recovery] and move that forward.”
“We were fortunate — maybe not fortunate, GCHQ are experts in their field — and they got [Children’s Services operating] as quickly as they could. That could have impacted on foster carers and what was happening and we were lucky in that regard. But it was due to GCHQ that we got that section up first,” she added.
Although some services were operating within weeks, in total it took the council more than eight months to be functioning again — a period during which the United Kingdom had gone into lockdown and council revenues and services faced additional challenges.
Aside from the engagement from the cyber response teams, Redcar and Cleveland Borough Council found that “although we informed central government that we were under attack, we were left to our own devices for the first week or so. We had to ring private security. Central government left us. I have the paperwork here,” the council leader told the committee.
“What I was getting from central government was 'don't say anything,' which made it very difficult — although my cabinet knew what was going on — and it seemed that we had to keep it really tight,” said Lanigan. “And maybe because of security, I absolutely understand that, but then in hindsight it caused us a lot of issues because we couldn't actually go out there and say ‘this is what's happened.’”
A government spokesperson had not responded to The Record’s questions as of publication.
‘No idea’ why Conti provided the decryption key
Alongside Lanigan, the JCNSS heard from John Ward, the interim Chief Technology and Transformation Officer at the Republic of Ireland's Health Service Executive, about the attack which crippled the country’s national health service in May 2021.
Ward said that going public was a major benefit for the HSE's response. “While the attacker posted a ransom note, the HSE and the Irish government confirmed on the day of the attack that we would not engage to pay a ransom to the attacker either directly or through a third party,” he said. “Despite that, a week after the attack, the attacker posted the decryption key on the dark web.”
The HSE’s incident response provider tested the key and, Ward said, found it to be viable and effective — but even with the decryption key, recovering the HSE’s entire network was “a significant undertaking.”
“We prioritized the systems in terms of patient administration systems, radiology, diagnostics, however, despite having the key, it still took us four months to recover 99% of the systems. I couldn't tell you, had we not had that key, how long it would have taken,” he added.
Ward told the committee he had no idea why the Conti ransomware group decided to post the decryption key.
“However, what I would say is, I believe at the time of the attack, we were probably the first national healthcare system victim of a ransomware attack,” he said, something he thought may have played in the HSE's favor, as many ransomware groups claimed they did not want to cause any harm.
“I think the other thing that the Irish state did, they went very public. They went out and they said we are not paying the ransom. And [said] this [attack] is putting lives at risk. So whether that had a you know, somebody had a change of heart, we were grateful… but at the same time, it still took us a number of months to recover even with the decryption key.”
Alexander Martin is the UK Editor for Recorded Future News. He was previously a technology reporter for Sky News and is also a fellow at the European Cyber Conflict Research Initiative.