
British intelligence is tipping off ransomware targets to disrupt attacks

On average, every 72 hours for the past three months, cyber experts inside one of the United Kingdom’s security and intelligence services have detected the beginnings of a new ransomware attack against a British organization and then tipped off the target in a bid to prevent the attack from being executed.

The experts have built a unique system using the intelligence community’s access to several information feeds unavailable to anyone else — alongside public, commercial and closed-source inputs — that has almost certainly prevented a significant number of ransomware attacks from succeeding, according to multiple sources who briefed Recorded Future News on the condition of anonymity.

They say the free system, called Early Warning — run by the National Cyber Security Centre (NCSC), a part of GCHQ — could help a larger number of U.K. organizations tackle cybersecurity threats before they become full-blown incidents. But more organizations need to sign up to receive these alerts, the sources said.

Only 1 in 50 targeted organizations get alerted

Detecting the precursor malware that allows criminals to launch a full-blown ransomware attack is the easiest part of the process, but notifying the potential victims has proven to be more difficult. Currently only around 2% of organizations receive a tip-off from Early Warning after it detects an event.

The first challenge for the system is that when it spots something that looks like an active compromise of a network, or even just potentially malicious activity, it isn’t always obvious from the technical data which organization is being hacked.

After the wizardry needed to identify the potential victim, staff then face a secondary challenge — trying to actually make the notification. For all the technical skills and resources given to the agency, it doesn’t have the budget for a telesales department, and those particular skills aren’t a focus for its recruiters.

“We often struggle to find the correct contact information, or the person believes they’re speaking to a scammer,” an NCSC spokesperson told Recorded Future News. The agency publishes guidance on differentiating contacts by its officials from criminals' attempts to trick people into transferring money or revealing sensitive information.

The spokesperson added that there have been cases where it has taken so long to make the notification that by the time NCSC has managed to speak to the right person, the ransomware has already been deployed.

Getting around the notification challenges

Signups to Early Warning, which are available to any organization in the United Kingdom with a static IP address or domain name, are meant to address both of the notification challenges by allowing the system to automatically associate targets’ networks with a dedicated contact mechanism.

“We encourage organizations to sign up to the Early Warning systems as it receives a lot of data from potential malware infections in the UK and without it, the NCSC cannot notify organizations that have been impacted by most malware easily,” a spokesperson said.

As of the end of 2022, there were just 7,819 organizations signed up to the service, a fraction of the total eligible from the country’s estimated 5.5 million private sector businesses, as well as the more than 160,000 registered charities, and over 32,000 schools — alongside healthcare institutions and other sectors targeted by hackers.

A spokesperson said it was “difficult to say how many ransomware attacks the NCSC has stopped via Early Warning,” explaining the team “isn’t always informed if an organization has been notified in time or if they did anything about it.”

“In the last 90 days I know that 30 or so of the notifications the NCSC has sent out were to do with the kinds of malware that we often see shortly before ransomware,” they added.

Last year more than 5,900 of the service’s user organizations were alerted about events detected by the Early Warning system and over 2,200 warned about vulnerabilities on their networks. Active malware infections were discovered and reported to 570 user organizations, and 56 received an alert from the automated service about pre-ransomware malware infections, according to the annual report.


Alexander Martin is the UK Editor for Recorded Future News. He was previously a technology reporter for Sky News and is also a fellow at the European Cyber Conflict Research Initiative.