updated on 28 January 2025
Ransomware is the most prominent cyber threat in the UK – what should you know about it?

Cyberattacks are rising year-on-year, with ransomware being the most prominent cyber threat in the UK and accounting for more than $1 billion in global ransom payments in 2023.
‘Ransomware’ is a form of malware, malicious software that encrypts an individual or organisation’s files on their devices, preventing access until a ransom payment is made (typically in cryptocurrency, for example Bitcoin). Information may also be stolen in the background while files are encrypted (also known as ‘double extortion’). This information may then be sold on the dark web or leaked online.
A successful ransomware attack can affect the availability or accuracy of the victim’s files and wider computer systems, but it can also lead to increased incident management and recovery costs, loss of business and regulatory compliance costs (eg, a fine).
In both cases above, you can see that the British Library and Synnovis didn’t pay the requested ransom. However, even if a ransom is paid (where this is even possible), there’s no guarantee that it’ll result in the desired outcome of return or decryption of the data. Paying a ransom may also jeopardise insurance payouts and may be unlawful. Law enforcement, the NCSC and the Information Commissioner’s Office (the UK data protection regulator) don’t encourage, endorse or condone ransom payments, and alternatives should be considered (eg, whether back-ups of the data are available).
This is where prompt communication and advice from cyber insurance providers, cyber security consultants, lawyers and regulators is key to managing risk following a ransomware attack.
1. Security and data protection by design and default
Where have we been?
In the technology industry, many organisations have historically followed a “move fast and break things” approach, focusing on the launch of innovative new technologies and then dealing with potential issues as they arise – security being one of them.
This has largely been seen in Internet of Things (IoT) products (products that connect through the internet, such as smart doorbells, displays and baby monitors). A push by consumers for low-cost, convenient products has sometimes led to security being an afterthought. Do you remember the last time you updated any of these devices?
The WannaCry ransomware attack in 2017 is a prime example of where neglecting security can have disastrous consequences. Following a notification of a potential weakness in Microsoft’s Windows operating system, Microsoft released a security patch. Many individuals and organisations didn’t install this patch, and two months later 200,000 PCs in 156 countries, including some belonging to FedEx, Nissan and the NHS, were infected with ransomware, encrypting files and demanding Bitcoin.
Where are we going?
Now more than ever there’s a push towards both security and data protection by ‘design and default’ in technology. But what is this? It’s the idea that security and data protection principles are considered and embedded throughout the design process and the rest of the product lifecycle, and that the most protective settings are applied by default.
The EU’s Cyber Resilience Act (CRA) aims to integrate cybersecurity requirements into products containing a digital component (eg, IoT products, software and hardware). The CRA only recently came into force, on 10 December 2024, but its main obligations will apply from 11 December 2027. Manufacturers, EU importers and distributors (eg, retailers) will be affected to varying extents. An idea of what the obligations will look like includes:
The UK has implemented a lighter-touch equivalent to the CRA, the Product Security and Telecommunications Infrastructure regime, which came into force in April 2024.
2. Use of AI
AI is being used by bad actors to launch ransomware attacks, and by organisations and advisers to defend against them. Attackers can use AI to identify vulnerable devices and networks, run speedier, targeted attacks, and encrypt files efficiently. On the other side of the coin, AI can predict potential attacks, identify and group together unusual system activities, and flag them to a human for review.
In November 2024, the NCSC, alongside a number of international partners, published an advisory note on the ‘top 15 routinely exploited vulnerabilities’, with more than half of the list being ‘zero-day’ (ie, vulnerabilities unknown to the software supplier or the customer, for which no fix was yet available). As AI becomes more sophisticated, zero-day vulnerabilities may be more easily exploited by ransomware operators; however, AI may also play a role in identifying those vulnerabilities more quickly.
3. Legislative reform
Cyber Security and Resilience Bill
In the UK, the Cyber Security and Resilience Bill will be introduced to Parliament in 2025 to update the existing cyber security regulations in the UK (eg, the Network and Information Systems (NIS) Regulations 2018).
The existing NIS regulations focus on improving the security of network and information systems that are identified as critical to the provision of essential digital services. The bill will strengthen these regulations by:
The EU is also looking to bolster cybersecurity through the second Network and Information Security Directive, which came into force in 2023 and requires all EU member states to transpose it into national law. It’s not yet known exactly how these national laws will differ from the UK bill, but it’s certainly worth keeping an eye on the bill to stay on top of UK developments.
Digital Operational Resilience Act
The EU’s Digital Operational Resilience Act (DORA) came into force on 16 January 2023 and applies as of 17 January 2025. DORA applies to financial institutions within the EU and their critical third-party ICT service providers (even if operating outside of the EU), focusing on the resilience of the financial sector to service disruption through cyberattacks and ICT incidents.
DORA sets out various obligations, including implementing a risk management framework to identify, monitor and detect risk, incident reporting, systems testing, information sharing and contractual requirements.
UK financial regulators have implemented their own approach to operational resilience via Financial Conduct Authority and Prudential Regulation Authority policy requirements and guidance first published in 2021. The transitional period for UK-regulated financial firms to prepare to comply with these requirements ends on 31 March 2025. The UK’s approach overlaps with DORA to an extent; however, DORA has some more wide-ranging requirements, so financial institutions and critical third parties with a presence in both the UK and the EU may elect to adopt DORA’s requirements as a “gold standard”.
Consultation on ransomware legislative proposals
On 14 January 2025 (a very recent development!), the Home Office published a consultation on potential legislative reform in the ransomware space. The proposals include: a targeted ban on ransomware payments for all public sector bodies, including local government, and certain owners and operators of Critical National Infrastructure; a requirement for ransomware victims to engage with the authorities and report their intention to make a ransomware payment before doing so; and a threshold-based mandatory reporting requirement.
It’s worth following this consultation and any feedback published after 8 April 2025 by stakeholders and others with an interest in, or affected by, this area.
Olympia Critchley is a trainee solicitor at TLT LLP.