Cybercriminals from Russia and neighbouring states are behind the majority of online extortion conducted against businesses and other organisations in Britain, according to the chief of the UK’s cybersecurity agency.
Lindy Cameron, the chief executive of the National Cyber Security Centre (NCSC), said ransomware “presents the most immediate danger” of all cyber threats faced by the UK, in a speech to the Chatham House thinktank.
“We – along with the NCA [National Crime Agency] – assess that cybercriminals based in Russia and neighbouring countries are responsible for most of the devastating ransomware attacks against UK targets,” Cameron said.
Her remarks represent one of the firmest attempts yet by a British intelligence chief to pin the epidemic of internet extortion on Russia, which is accused of sheltering criminal hackers who seek to extract millions by seizing corporate data.
In May this year the then foreign secretary, Dominic Raab, used more nuanced language when he said states like Russia ccould not “wave their hands” and say ransomware gangs operating from their territory had nothing to do with them.
Since then the west has sought to ramp up the pressure on the Kremlin. Joe Biden twice raised the issue with Vladimir Putin over the summer and he hinted that the US would be prepared to attack computer servers belonging to the gangs if nothing was done.
Hackney council in London was hit by a serious ransomware attack last October, affecting housing benefit and other council systems for months. The council is believed to have refused to pay the hacker’s ransom demands, but fixing systems could cost up to £10m.
Cameron said ransomware was the most important immediate cyber risk to the UK, encompassing organisations “from FTSE 100 companies to schools; from critical national infrastructure to local councils,” and she warned that many still “have no incident response plans or ever test their cyber defences” against the threat.
Hackers typically infiltrate key systems to encrypt or otherwise take control of critical data, and demand cash to restore full access. Cameron said their techniques were evolving. “In addition to shutting down an organisation’s ability to function, many now also threaten to publish exfiltrated data on the dark web.”
Many business do pay ransoms, partly because they are covered by insurance. Travelex, a UK provider of foreign exchange services, paid $2.3m last year after hackers shut down its networks, although the company subsequently fell into administration.
Cameron said paying ransoms “emboldens these criminal groups”, but it is not illegal to do so because many of the criminal gangs are not designated as proscribed groups. Britain’s extortion laws only prohibit the payment of ransoms to terrorists, and were drawn up largely in response to the threat of kidnapping.
Experts say Russia, along with other former Soviet states outside the Baltic region, have chosen to turn a blind eye to the gangs’ activities as long as their efforts are aimed abroad – although one notorious gang called REvil did go offline in July after Biden’s complaints.
Other groups are thought to have generated vast sums: one study estimated that the Wizard Spider or RYUK gang had made $150m.
Russia remains the most serious cybersecurity threat, Cameron said, but China also presents significant issues. She said Beijing was a highly sophisticated actor and had shown “a proven interest in our commercial secrets” – having been previously accused of trying to steal vaccine research secrets, a claim it denies.
But she said it was not certain what would happen next. “How China evolves in the next decade will probably be the biggest single driver of our future cybersecurity,” she said, arguing that the UK needed to “protect ourselves against Chinese practices that have an adverse effect on our own prosperity and security”.
