JCNSS: UK at Risk of Catastrophic Ransomware Attack

Date: December 13, 2023


The UK’s Joint Committee on the National Security Strategy (JCNSS) warned that there is a “high risk” the nation will experience a “catastrophic ransomware attack at any moment” due to the British government’s failure to address the growing ransomware threat, according to a harsh parliamentary report published this week.

The report particularly calls out former Home Secretary Suella Braverman for having “showed no interest in the topic” despite her department being the lead government agency on national security risk and policy.

“We found that the Home Office’s public output on cyber security and ransomware has been almost nonexistent, and has been dwarfed by its focus on small boats and illegal migration,” the JCNSS report states, according to The Record.

“The UK has the dubious distinction of being one of the world’s most cyber-attacked nations. It is clear to the Committee that the Government’s investment in and response to this threat are not equally world-beating,” said Dame Margaret Beckett, chair of the JCNSS.

She went on to warn that “in the likely event of a massive, catastrophic ransomware attack, the failure to rise to meet this challenge will rightly be seen as an inexcusable strategic failure.”

The report noted that the government “knows that the possibility of a major ransomware attack is high, yet it is failing to invest sufficiently to prevent catastrophic costs later on.”

Takeaway: So, what can governments do to protect organizations from this onslaught of ransomware attacks? From what we have witnessed so far, not much at all.

While we have seen some scattered arrests of affiliates and other low-level threat actors in the ransomware space here and there, overall law enforcement has had very little impact in disrupting ransomware operations.

The UK, US and allied governments are in a tough position regarding what actions to take to stem disruptive ransomware attacks, largely because there is so much ambiguity in determining root attribution for the attacks.

Law enforcement actions and government sanctions against ransomware operators are necessary, but even if they are arrested or their operations disrupted, there will quickly be someone to take their place.

At some point, these ransomware attacks are going to cross the line from cybercriminal activity to a national security event, especially when we are talking about attacks on critical infrastructure and Defense Industrial Base targets.

We know rogue nations tacitly or directly support and/or control these ransomware operators to an extent, and these attacks are starting to look more and more like state-sponsored terrorism, and perhaps we should be addressing them as such.

Even if the ransomware attack itself is resolved, the fact remains that the attackers may have exposed incredibly valuable intelligence to foreign adversaries, and this can potentially mean that an entirely different set of rules kicks in.

Cybercriminal activity is the purview of law enforcement. They investigate, collect evidence of a crime, indict and prosecute when possible. But when an attack drifts into the national security space, there are different rules of engagement, and they can include offensive action deemed appropriate and proportional.

So, what might it take to cross that line? It may be in the targeting of critical Linux systems.

Linux systems run many of the most critical operations behind the scenes, including much of almost any nation's critical infrastructure, and recently more ransomware groups have been introducing Linux versions of their payloads.

If these systems are disrupted by a ransomware attack, it could spur the catastrophic event that the JCNSS is warning about.

Ransomware attacks on these systems could make events like the Colonial Pipeline disruption in the US look like a blip, so we should be making all necessary preparations to address this rapidly growing threat.

Unfortunately, the criticality of these systems makes Linux even more alluring to today's ransomware gangs — many of which are affiliated with nation-states that have unlimited resources.

Linux runs approximately 80% of Web servers and is the most common operating system for constrained, embedded, and IoT devices used in sectors such as energy and manufacturing. Linux also drives most government and military networks, financial and banking systems, and runs the backbone of the Internet.

Furthermore, Linux runs most organizations' database servers, file servers, and email servers. Linux unifies the IT stack and makes the network more easily managed. So, if attackers gain access to a Linux environment, they have access to an organization's most critical systems and data.

Given its lack of market share for desktops and laptops, Linux security offerings tend to be an afterthought. In fact, most endpoint security solutions don't even cover Linux, so options are few. This makes defending Linux systems a major challenge.

Over the course of 2022, ransomware attacks targeting Linux systems increased by 75% from the previous year, and ransomware gangs have been introducing new Linux versions at an increasing pace.

Attackers are increasing their attention on Linux servers for a few reasons — namely, disrupting Linux servers holds the potential to inflict a lot of pain, and attackers know that more pain translates to more dollars in their pockets from higher ransom demands.

The "always on, always available" nature of Linux systems paints a huge target for threat actors, and compromising Linux systems provides a strategic beachhead for moving laterally throughout a targeted organization's network. And Linux is open source, which means attackers have a great deal more insight into how Linux systems are running, and have a head start in customizing attacks.

The targeting of Linux systems has the potential to cause serious disruptions far beyond the scale of what we have seen in any ransomware attacks to date. The consequences of not redoubling our efforts to defend Linux systems could prove catastrophic, but we can reduce the threat of a major disruption and its potential impact by preparing now.

Specific measures to ensure an organization is resilient after a ransomware attack will come from the organizations themselves, and they should not hold out hope that the government will be able to offer anything in the way of preventative protection beyond some symbolic gestures.

Halcyon.ai is the leading anti-ransomware company that closes endpoint protection gaps and defeats ransomware through built-in bypass and evasion protection, key material capture, automated decryption, and data exfiltration prevention – talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.