Ransomware and spyware: the “most immediate danger to UK businesses”

As attackers grow increasingly sophisticated, ransomware is now the "most immediate danger to UK businesses".

08 November 2021

Publication

Ransomware is now “the most immediate danger to UK businesses and most other organisations” according to the National Cyber Security Centre (NCSC). However, the NCSC’s CEO, Lindy Cameron, believes that many companies are not adequately prepared, in particular due to organisations lacking incident response plans and failing to regularly test their defences.

This is particularly problematic given the proliferation and increasing sophistication of attackers. Cameron highlighted the risk posed by state actors including Russia, which is believed to have orchestrated the attack on software company SolarWinds. That attack ultimately enabled the attackers to gain access to the systems and data of over 30,000 public and private organisations that made use of SolarWinds’ Orion software.

Another prominent example that has attracted a lot of attention is Pegasus, a military-grade spyware package developed by the NSO Group which can be used to infect iPhones and Android devices to enable operators of the tool to extract messages, photos and emails, record calls, and secretly activate microphones. NSO says its software was intended to be used solely by governments to combat terrorism and serious crime. However, the software has been traced to the phones of journalists and activists across the world and appears to have been used by a variety of state actors for a far broader set of objectives. In a sign of growing wariness around Pegasus and its reach, the NSO Group has just been placed on a blacklist by the United States, having acted “contrary to the foreign policy and national security interests of the US”.

But for businesses, even more danger lies in the growing accessibility of ransomware and spyware technology. Companies are increasingly vulnerable to attacks from smaller groups with fewer financial and technical resources. Cameron noted the threat posed by the growth of a “commercial market for sophisticated cyber exploitation products”, which allows a much wider range of actors to carry out sophisticated cyber-attacks.

Software such as Pegasus enables those with comparatively limited technical ability to carry out sophisticated attacks. Where hackers have the requisite technical skills, but lack criminal sophistication, they can increasingly turn to criminal groups offering ‘ransomware-as-a-service’. For example, the ransomware attack against the Colonial Pipeline Company in May 2021 was carried out by ransomware-as-a-service outfit DarkSide, which offers a range of services (from negotiation of ransoms, to the arrangement of crypto-currency payments) to enterprising hackers. Until its dissolution, this collective made it easier for hackers to link up and carry out ransomware attacks.

Software like Pegasus and services like DarkSide have lowered the entry point for spyware, ransomware, and other forms of cyber exploitation, making these technologies ever more accessible to threat actors. In turn, this means that a larger range of companies (and all other institutions) could find themselves targeted. As demonstrated by ransomware attacks on Hackney Council and Ireland’s Health Service Executive, it is not only multinational corporations or state governments that are at risk. Every business, no matter how small, must treat cybersecurity as a priority.
