Ransomware incidents now make up majority of British government’s crisis management 'Cobra' meetings

Ransomware incidents in the United Kingdom are now so impactful that the majority of the British government’s recent “Cobra” crisis management meetings have been convened in response to them rather than other emergencies.

The need to regularly hold cross-departmental meetings reveals how little progress Westminster has made to address the risks ransomware poses to the country, according to multiple sources with knowledge of the government’s response, speaking to The Record on the condition of anonymity because they were not authorized to openly discuss the matter.

They noted that despite the repeated warnings of the National Cyber Security Centre’s (NCSC) chief executive Lindy Cameron describing ransomware as the most acute threat facing the country, there did not appear to be a proportionate level of ministerial interest. Successive Home Secretaries have instead prioritized the issue of small boat crossings of migrants in the English Channel.

The non-ministerial gatherings took place in the Cabinet Office Briefing Rooms (COBR) from which they get their nickname. Historically they have been convened to bring together officials from different departments in response to terror attacks, but are now increasingly focused on cybersecurity incidents affecting critical services.

According to the NCSC’s annual review, the U.K. was impacted by 18 ransomware incidents this year which “required a nationally coordinated response” including attacks affecting the South Staffordshire Water utilities company and the National Health Service software supplier Advanced. The increased focus on these incidents at COBR meetings has not previously been reported.

Ransomware 'sprints'

The surge in COBR meetings follows a cross-Whitehall “sprint” — a project management term — on ransomware which concluded last December. Its intention was to come up with recommendations to deal with the issue that would be signed off on in advance of the G7 meeting of interior ministers at the end of 2021. However a year on from the conclusion of that “sprint” the government has still delivered no actionable decisions.

The sprint featured several different strands — approaches to different aspects of the ransomware ecosystem — that explored potential mechanisms to disrupt ransomware attacks, each led by different departments across Whitehall. These included a strand on ransomware payments, one on mandatory reporting, one on insurance, one on dealing with cryptocurrency exchanges, and another on international engagement.

Although the existence of the sprint was confirmed in the NCSC’s annual review, the topics it focused on and its outcomes are not public. The annual review stated: “A government ransomware ‘sprint’, led by the Home Office, improved understanding of the scale and complexity of the threat, and helped it to better prioritize, focus resources, refine advice and be more targeted in its engagement.”

But the initial intentions for the sprint were more ambitious, according to multiple sources involved in the process. They said the NCSC’s description that it “improved understanding of the scale and complexity of the threat” said more about the government’s starting position than where it finished.

The sprint established several things which the government would not do; it would not prohibit ransom payments, nor would it introduce a “mandatory reporting” obligation on companies to disclose incidents to the authorities; but "there hasn't been any tangible, deliverable outcomes at this stage," one source acknowledged to The Record.

Introducing mandatory reporting was desired because authorities lack visibility on the true scale of the ransomware problem beyond critical incidents requiring a national response. “Organizations often do not report the compromises,” warned NCSC in its annual review. This known unknown — of how prevalent ransomware attacks actually are — has led to friction between government departments.

Although cyber policy officials at the Home Office do not feel that they lack support from other colleagues in Whitehall, The Record understands that the Home Office has launched its own ransomware research project to try and find out the true number of incidents in the U.K. due to frustrations with data provided by the Department for Digital, Culture Media and Sport (DCMS).

DCMS compiles an annual cyber breaches survey, the most recent edition of which found there had been a fall in ransomware attacks from 17% of all incidents in 2020 to just 4% in 2021. However officials who spoke to The Record questioned the utility of the self-reported survey, which has a bias against those who do not want to disclose any incidents, and is produced from data collected a year prior, a time during which the ransomware ecosystem has changed substantially.

“We shouldn’t be basing policy on an incomplete evidence base,” said one source with knowledge of the policy process.

At the launch event for its 2022 annual review, The Record asked NCSC’s management board whether central government was doing enough given that both the agency’s chief executive and the head of the intelligence agency GCHQ, Sir Jeremy Fleming, had in speeches that morning described it as such an acute threat to the country.

Paul Maddinson, NCSC’s director of national resilience and strategy, responded that government policy change wasn't the only response available, and that businesses being prepared to deal with a ransomware attack could also effectively undermine the business model: “A lot of it is to get organizations to understand that they have agency. You can stop ransomware attacks, or you can stop them being as disruptive as they might be, and I think that’s a really important message.”

Dr. Ian Levy, the agency’s outgoing technical director, added: “More than any other type of cybercrime, ransomware is driven by money. Obviously. And if you look at the economic model behind it and can work out where to intervene — where there’s an asymmetric benefit for us — it can have a big effect on their ability to monetise with relatively small amounts of effort.

“I apologize in advance, but you’re not trying to beat them, you’re trying to send them to France. The whole point is to make the U.K. more risky, less profitable, less useful, less scalable for ransomware while we fix the underlying problems.”

'No light at the end of the tunnel'

In response to a list of questions regarding all of the statements in this report, a government spokesperson told The Record: “Defending the U.K. from ransomware attacks is a core priority for this government. Given the complex nature of the threat, we are working collaboratively across departments, with law enforcement and agencies, and our international partners to strengthen our cyber capabilities and build the U.K’s resilience.”

They added that there are ongoing reviews of the government's policy and operational approach to tackling ransomware, including through consistent collaboration with industry and international partners.

Officials dealing directly with the ransomware issue told The Record they saw no light at the end of the tunnel, even of the prospect of any improvements which could help the U.K. clamp down on the problem.

They said they were seeing “an increasingly successful business model” with “ransom demands increasing” and “payments increasing” and it becoming “harder to avoid paying a ransom because the entire ecosystem is pushing that way.”

Discussions have continued in government since the conclusion of last year’s sprint, with sanctions for foreign cryptocurrency exchanges described as the most fruitful.

The Home Office has also introduced provisions in its Economic Crime and Corporate Transparency Bill that are intended to allow law enforcement to seize cryptocurrency assets “associated with illicit activity such as money laundering, fraud and ransomware attacks.” While the law is intended to empower law enforcement to force cryptocurrency exchanges to hand over data relating to potential criminal enterprises, it is not clear how it would be used internationally. The Supreme Court earlier this year ruled law enforcement cannot compel information from businesses based outside of the United Kingdom.

The international aspects of the ransomware ecosystem contribute to it posing “one of the toughest policy challenges of our times,” according to one official. In its annual review, the NCSC stated: “Most of the ransomware criminal groups that target the UK continue to be based in and around Russia. While it is not clear the degree to which these ransomware groups are directed by the Kremlin, those operating from within Russia’s borders benefit from the tacit consent of the Russian State.”

The Record understands that the National Cyber Force has been working closely with American partners in several offensive operations intended to address cybercriminal groups, although the British security and intelligence community is generally less public about its activities.

These activities have had a significant impact on the ransomware ecosystem according to British officials, who said that up until the severe impact of ransomware attacks on the Colonial Pipeline and meat-packer JBS last year it had been they who had been pushing for their American colleagues to do more on the issue.

In the wake of those attacks, which drove political interest in America to tackle ransomware actors, the groups themselves deliberately scaled down their targeting, said multiple officials. “They are sailing a little bit below the radar so they're less likely to hit the front pages, and if you are less likely to hit the front pages then there's less political will generated,” one added.

In its annual review, the NCSC concurred: “It is apparent that the public outcry and heightened political interest has raised the stakes for cyber criminals. In response it became clear that some groups modified their techniques to avoid law enforcement, sanctions and other operational responses.”

Since the law enforcement actions of 2021 “the whole ecosystem has diversified enormously” with a more street-gang oriented underworld contributing to the threat. During the COVID-19 pandemic some groups had said they wouldn’t target hospitals — whether honestly or not, they attempted to suggest there were policies they would enforce regarding targeting — but now “random criminals, affiliates, are just launching attacks indiscriminately,” said one official, while the large groups are taking a conscious effort to avoid attention.

The challenge of addressing ransomware is not unique to the United Kingdom, which joined with a coalition of nearly 40 other countries earlier this month at the international Counter Ransomware Initiative to discuss how they can collectively tackle the global national security threat.

The initiative pledged to focus on combating the ecosystem's ability to profit by “implementing and enforcing anti-money laundering” measures for “virtual assets and virtual asset service providers," as well as disrupting the ransomware actors "to the fullest extent permitted under each partner's applicable laws” however it did not publicly advance any specific solutions regarding the apparent safe haven that these groups and their infrastructure have in Russia. 

Clarification (Nov. 22, 2022): The use of the term "Cobra" in this story has been updated to reflect that it is an unofficial nickname for COBR — or Cabinet Office Briefing Rooms — meetings. For the purpose of clarity, the reference to the Civil Contingencies Committee has been removed, as it does not convene all COBR meetings and was not responsible for those referenced in this story.