Ransomware – The Threat That Keeps On Giving

I know I’ve banged on about this quite a bit recently, but I make no apologies for it. It has sprung to the front again following the Panorama programme on Monday night, which highlighted the often catastrophic effects of ransomware on companies. It included interviews with the National Cyber Security Centre (NCSC) and the National Crime Agency (NCA), with an NCA rep saying that 2025 is shaping up to be the worst year ever for ransomware and the CEO of NCSC calling on businesses to face up to the issue and sort out their cyber defences.

The programme highlighted that Ransomware as a Service (RaaS) now enables less skilled attackers to run ransomware, complete with support and updates. Over 70% of attacks now use these services.

Attackers have shifted to double/triple extortion schemes, encrypting data, threatening to leak it, and sometimes targeting associated partners or customers.

Next-gen ransomware, e.g. LockBit 4.0, BianLian etc, is rolling out advanced stealth, data theft, and automated lateral movement techniques, using an initial breach to jump across to other parts of your network or that of your partners and customers. 

You’ll have to forgive me for being a bit smug, as the programme highlighted issues that I’ve been talking about for a long time now. Firstly, it’s not just the corporates that are targets for this. SMEs are also very much in the firing line. The programme highlighted an example I’ve quoted before. Knights of Old (part of the KNP Logistics Group) suffered consequences that they just couldn’t recover from.

In June 2023, the Akira ransomware gang infiltrated the company via stolen credentials and encrypted critical systems, including freight-tracking, payments, and internal servers, displaying this chilling message: 

“If you’re reading this, it means the internal infrastructure of your company is fully or partially dead.”  

The group also threatened to release over 10,000 confidential documents (payroll, invoices, financial files) as a form of double extortion.

Despite having cyber insurance and backups, they couldn’t fully restore financial systems, and some backups were also destroyed. Insurers covered only the initial cleanup (~£250k) and the $1M policy, but this fell far short of covering the estimated $2.7–$5.3 million ransom or the broader economic damage. Operational disruption prevented them from producing reports and financial statements, which were essential for securing bank funding. A sale fell through, as buyers wanted director guarantees they couldn’t offer.

The company entered administration in September 2023 and ceased operations.  Around 730 out of 900 employees lost their jobs, including many long-serving drivers and staff who were owed unpaid wages.    Local impact was severe: furloughed staff lost homes, cars, and some experienced severe personal hardship. 

It appears that the attack was perpetrated via a weak password and the absence of multi-factor authentication (MFA), with the gang using a brute force method to crack the password.  It underscores the fact that even companies with cyber insurance and accredited systems are vulnerable. 

Obviously, we’re not party to the full facts but the company’s directors have been quite candid in interview, and we have to wonder if something as simple as good cyber awareness training and the introduction of MFA could have stopped this attack in its tracks.  There are other factors to consider though.  The backups seemed to have failed, with some of them being destroyed by the attack, suggesting that these backups were on the same network as the main system. 

Clearly what is needed is defence in depth, based on the tried and tested method of risk management.  The idea of defence in depth stems from military defences, where there are multiple layers to a defensive system.  In cyber security we talk about People, Process and then Technology.  I’ll once again trot out the quote from Bruce Schneier, ‘If you think technology will solve your cyber security problem, you don’t understand the problem and you don’t understand the technology’.  This aligns very well with the opinion of both NCSC and NCA that the majority of these attacks are more in line with scams than with technical hacking. 

Rather than bore you with the components of risk management in cyber, I’ll just point you towards a short video we produced on the subject. 

Risk Management - a short video 

We produced another video which highlights social engineering. That is the method by which many of these attacks are carried out, and it is not particularly technical in nature. It’s the People part of the risk management process and is arguably the quickest and cheapest win any company can take. It’s a continual source of wonder amongst cyber security professionals that a large focus remains on technology whilst this vital element is ignored. Our short video tries to hit the highlights but, in this changing landscape, we haven’t hit them all.

Social Engineering - A Short Video 

The takeaway from this should be that no one is safe or immune from a ransomware attack, particularly ransomware as a service. The latter means that the attacker doesn’t need to be technically proficient, just determined. It enables attackers to target multiple companies at once. If they, for instance, attack 1000 companies at the same time, using the same service, and ask for moderate amounts of ransom, they only need to hit around a 40-50% success rate to make a decent profit. Add in AI, which makes this so much easier to do, and you’ve got an idea of how much of a business this is for criminal and nation state sponsored gangs.

H2 provides affordable and flexible one-off and ongoing data protection and cyber risk protection services. 

To learn more about the services we provide please click here https://www.hah2.co.uk/

Or book a call via our Calendly link 

Alternatively, please feel free to give us a call or email 

T: 0800 4947478

M: 07702 019060

E: kevin_hawkins@hah2.co.uk

Trust H2 – Making sure your information is secure
