The Royal Mail cyber attack and responding to ransomware attacks

What is ransomware?

Ransomware is malicious computer software that effectively segregates and encrypts data or systems. The "ransom" to release the data is usually required to be provided in cryptocurrency, to avoid traceability, and can be significant. In the Royal Mail attack, £67m was demanded by hackers thought to be linked to Russia. Ransomware attackers exploit gaps in organisations’ IT systems to install malicious software. Often, access is gained via “phishing emails - tricking the receiver into downloading the malware from a seemingly safe website or email attachment. Attackers also try to exploit “open” ports within remote access solutions. Once the malware triggers, an organisation’s data becomes unusable by the organisation. Servers are locked out and the attackers demand money to release the data or, where they have succeeded in exfiltrating the data, to avoid having stolen data published online. Cyber-crimes of this type are conducted by organised criminal groups. 

Ransomware is not new, though the specific malware in use evolves over time as cyber criminals adapt to improved technological defences. As with other major ransomware attacks, such as NotPetya and WannaCry, the ransomware in this case, Lockbit, has the potential to spread and cause significant disruption.

The damage caused by cyber attacks can be significant. Aside from entire systems effectively becoming unusable, ransomware attacks can lead to permanent loss of data, loss of control over the data or even the data being used maliciously by third parties. The National Cyber Security Centre recognises ransomware as the biggest cyber threat facing the United Kingdom.

Our top tips on reducing the risks of a cyber attack

As criminals will usually exploit gaps in organisations’ security systems, implementing safe IT measures such as multi-factor authentication for remote access, regularly updating software, having adequate anti-virus protection and monitoring suspicious activity is essential to reducing the risks of such attacks. It is also important to train staff in relation possible red flags such as phishing emails, including by sending them "test" emails to check their response. The ICO can impose fines on organisations which it considers have failed to keep personal information safe.

To reduce the risks of cyber-attacks, we can provide strategic risk management advice to address any breach of sensitive data security with minimal disruption, provide on-site data protection audit services to ensure that your systems comply with the relevant legislation and advise on data sharing activities, and to ensure that transfers of data within and outside the EEA comply with the relevant legislation and so maintain the safety of your systems.

Our top three tips on responding to a cyber-attack­

Tip 1 - focus appropriate resources on the issue

Ideally you will have a sound, practiced incident response procedure that guides you through the containment, recovery, assessment, notifications and remediation actions required. Risk must be carefully considered at the outset to ensure you have the right people dealing with the cyber-attack.

Your incident team needs to be pre-determined, they need to know who they are and be familiar with the relevant procedures, and you need to have worked out how decision-making is going to happen in what can be a very fast-paced and stressed situation. It is important to prepare your team in advance of a breach occurring. Ideally, your team will have had the opportunity to practice a response in a pretend environment.

In case of a cyber-attack affecting personal data, you are required to notify the ICO of a personal data breach without undue delay and no later than 72 hours after having become aware of it as mentioned above, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. Once a data breach has occurred, there must be a risk assessment to determine risks to individuals over the loss of their personal data. Mills & Reeve has recently undertaken a cyber-attack survey and is about to publish its report on cyber-attacks. When we asked respondents how much of the mandatory content for a breach notification form, they would be able to identify within the 72 hour time limit to report a cyber-attack, it is notable that there was doubt expressed for every aspect. This shows that it is extremely difficult to identify quickly the effects of a cyber-attack. It can often take weeks or months to understand the full effect of a cyber-attack which is why it is so important to have the right people on the job as soon as possible, so that you have the best possible chance to mitigate the effects of the attack.

Tip 2 - anticipate the type of cyber incidents you may suffer

Again, this could and should be considered before a cyber-attack to give you the best possible chance of minimising the effects of the cyber-attack on your organisation. What impact would each incident have for you? If your website suffers a denial-of-service attack, would that impact on operations in any way, or would it be more of a reputation management issue? If you have a malicious third party who enters your servers, how will you handle that? Which servers are most critical and could cause you the most issues? If email is compromised, do you have alternative methods of communicating? What type of data does your organisation hold? Certain categories of data and children’s data require a higher classification by the ICO.

By anticipating the type of incidents that you may suffer, you can pre-prepare plans to be relied upon in an emergency and help deal with swiftly with the effects of the cyber-attack and implement relevant processes such as a disaster recovery plan. You can also identify appropriate professions to help support you.

Tip 3 - seek to protect your documents and communications

At the time a cyber breach occurs, management’s biggest concerns are often operational and reputational. It’s entirely understandable. However, communications and other documents created while investigating a cyber breach may be disclosable to regulators and in the event of threatened litigation, to the other side. During an incident, there is disruption and people will be incautious in what they both say and write down. Positions are taken, and admissions are made, based on an often incomplete understanding of both the facts and the law.

To avoid having to disclose and explain unhelpful documents to regulators or courts, where possible consider surrounding your response to an incident with legal privilege. To protect that material, lawyers need to be the hub via which instructions are given - copying lawyers in is not enough. If you can protect your documents with privilege, this may prevent unhelpful statements or admissions being provided to the regulators, Court or aggrieved third parties.