Cyber_bytes - Issue 60

Welcome to Cyber_bytes, our regular round-up of key developments in cyber, tech and evolving risks.

UK Government Faces Risk of Catastrophic Ransomware Attack, Parliamentary Committee Warns

In the recently released report, "A Hostage to Fortune: Ransomware and UK National Security," the UK Parliamentary Joint Committee on National Security Strategy has issued a warning regarding the elevated risk of catastrophic ransomware attacks. The findings highlight the pressing need for improved planning, increased investment, and enhanced cybersecurity measures.

Key findings from the report:

1. Sophisticated Ransomware Landscape: The report underscores the rise of a sophisticated ransomware ecosystem, with advanced malware becoming more easily accessible by criminals leading to potentially significant attacks.
2. Critical Infrastructure Vulnerability: Critical national infrastructure, particularly that relying on outdated legacy systems, remains highly susceptible to potential attacks. Supply chains are also identified as weak points, with the interconnectedness posing risks across multiple sectors.
3. Challenges in Resilience Implementation: Implementing cyber resilience measures involves practical challenges, emphasising the need for a cross-sector regulator. The government is urged to enhance oversight and establish effective regulatory measures to oversee cyber resilience upkeep and implementation.
4. Support for Local Authorities: Some local authorities lack active support in preventing and responding to cyber-attacks. The report calls for funding to establish a robust cyber resilience program for these entities.
5. Support for the Wider Public Sector: Ransomware victims, particularly smaller organisations, receive limited support from law enforcement. The report proposes funding for the National Cyber Security Centre and National Crime Agency to offer negotiation and recovery services for public sector victims.

In response to the report's findings, businesses in the UK are urged to take immediate action to enhance their cybersecurity measures. This includes the critical need for regular assessment and upgrading of cybersecurity protocols, especially within sectors constituting critical national infrastructure. Allocating resources to modernise legacy infrastructure, particularly in areas vulnerable to cyber threats, is highlighted as a crucial step. Additionally, businesses are advised to ensure compliance with the 2018 Network and Information System Regulations and prepare for upcoming cyber resilience standards for critical national infrastructure by 2025. The active participation in the National Exercise Programme is recommended to effectively prepare for the potential impact of a major national ransomware attack.

Click here to read the Parliamentary Committee's report.

RUSI's In-Depth Analysis on Cyber Insurance's Impact

A recent report by the Royal United Services Institute (RUSI) sheds light on the growing threat of ransomware and emphasises the need for robust cybersecurity measures.

The key points raised in the report include:

• Ransomware-as-a-service (RaaS), a model where criminals sell or rent ransomware to affiliates, is on the rise. These affiliates, equipped with RaaS tools, are responsible for executing ransomware attacks. The report underscores the need for a collective response to tackle this evolving threat.
• The report explores the role of cyber insurance in dealing with ransomware incidents. While cyber insurance is not seen as fuelling the ransomware epidemic, it is criticised for not instilling satisfactory ransom discipline among insureds. The low market penetration of cyber insurance outside the U.S. poses a challenge in improving cybersecurity practices on a broader scale.
• RUSI recommends several measures to enhance collaboration between the cyber insurance industry, government agencies, and law enforcement. It suggests tougher policy language mandating the sharing of forensic reports with insurers and the distribution of threat intelligence and government services through insurers. Additionally, there's a call for increased reporting of ransom payments via insurers to improve policy development and law enforcement efforts.
• The report delves into incident response services provided by cyber insurance policies, including legal counsel, digital forensics, crisis management, and more. Different models, such as lawyer-led, insurer-led, and those led by insurer-owned incident response firms, are discussed, highlighting the various approaches insurers take in responding to ransomware incidents.

The report contains recommendations to UK policymakers. These include:

1. Enhanced Oversight: Insurers should mandate written evidence of negotiation strategies and outcomes, fostering transparency and oversight.
2. Best Practices Development: Select ransomware response firms based on predefined criteria, including a proven track record, operational relationships with law enforcement, and compliance with anti-money laundering laws and FATF (Financial Action Task Force) standards.
3. Government-led Study: Commission a study to understand specialist ransomware response firms better, identifying best practices and fostering industry-wide benchmarking.
4. Licensing Regime: Explore a dedicated licensing regime for firms facilitating cryptocurrency payments. Ensure registration as money service businesses, aligning with national financial crime reporting requirements.
5. Market-wide Consensus: Collaborate to establish a market-wide consensus on conditions and obligations before considering whether to meet a ransom demand.
6. Reporting Obligations: Requiring policyholders to notify Action Fraud and the NCSC before paying a ransom. Regulators should intervene if necessary.
7. Integration of NCSC's Early Warning Service: Trial integration of the NCSC's Early Warning service into ongoing assessments of policyholders, enabling the distribution of intelligence at scale.
8. Operational Collaboration: Recruit secondees from the cyber insurance industry into the NCSC-led Industry100 cybersecurity secondment initiative, fostering deeper operational collaboration.
9. Financial Crime Reporting: Ensure existing financial crime reporting mechanisms are suitable for reporting ransom payments. Encourage cyber insurers to report ransom payments via the NCSC's or other channels.

Click here to read RUSI's report.

RPC Annual Insurance Review – Cyber

RPC has now published its Annual Insurance Review, outlining the events that shaped the insurance market in 2023 and discussing what to expect in 2024.

In the chapter focusing on Cyber, RPC looks at the following:

• The European and UK cybersecurity regulatory landscape expanded significantly, notably with the introduction of the NIS2 Directive at European level and the passing of the Online Safety Act 2023 in the UK. The NIS2 Directive broadens the scope of network security obligation requirements on to social network platforms, data centres, and managed service providers.  Whilst not implemented into UK law yet, NIS2 will have a direct impact on UK organisations offering services in Europe.  Also, Online Safety Act 2023 seeks to regulate online speech and media over user-generated content.  This will directly impact social media platforms and websites which allow user comments.
• Looking at 2024, organisations can anticipate increased scrutiny on basic security protocols amidst rising cyber threats. Ransomware incidents and business email compromises continue to surge, prompting a focus on implementing stronger cyber resilience measures. Cyber insurance underwriters are emphasising the need for security assessments, with regulators highlighting the importance of enhanced measures to protect personal data. This reflects a growing emphasis on elevated security standards across the market in light of ever-ingenious cyber-attacks.

Click here to read RPC's Annual Report.

Ransomware 2024: Exploiting Vulnerabilities, Law Enforcement Challenges, and Dark AI Risks

The cyber security consultancy firm S-RM has published an article outlining key cyber trends to watch out for in 2024. These centre around ransomware incidents whose frequency is not expected to abate. 

1. Exploitation of Software Vulnerabilities: Ransomware groups, focusing on exploiting software vulnerabilities, are anticipated to persist. The automation of exploitation before system patches is a growing concern, exemplified by the mass exploitation of vulnerabilities over 2023 in platforms like Atlassian Confluence and Citrix NetScaler.
2. Law Enforcement Actions: While law enforcement made strides in 2023 targeting ransomware groups like Ragnar Locker and ALPHV, the continuous rebranding and re-emergence of these groups post-takedowns suggests a need for sustained global efforts. Sanctions and disrupting flow of funds are strategies expected to be adopted at national level.
3. Evading Defences: Ransomware groups are likely to enhance methods of bypassing traditional security solutions, such as multifactor authentication (MFA) and endpoint detection and response (EDR). The acquisition of security tools for testing bypasses in dummy environments demonstrates their increasing sophistication.

Additionally, the migration of cybercrime to the Cloud is a cause for concern, emphasising the need for robust security measures and data backup strategies in cloud-based environments. Lastly, the use of AI in cybercrime, with the dark web featuring "Dark AI" models for malicious purposes, is expected to gain prominence, posing challenges to organisations in combating sophisticated attacks. Overall, businesses are urged to stay on top of the dynamic cyber threat landscape and fortify their defences accordingly.