Redcar Council’s multi-million pound ransomware hack: it won’t be the last

16 Mar 2020

What’s the cost of a ransomware attack on a local council? A few thousand? A few hundred thousand? A million?

Well, Redcar and Cleveland Council, in the north-east of England, have just broken the bank with a clean-up bill of possibly £18 million.

And one insurance broker has stated that local authorities and councils up and down the UK are now being hit by an average of 800 cyber attacks every hour, many of which have resulted in loss of data.

And since their data is often your data, it could now be available on the Dark Web to the highest bidder.

So, what is it about local authorities and councils that makes them apparently so vulnerable? What is the elephant in the room?

‘Do you back up your data?’ No comment.

A clue to this lies in some research done in 2017 by cybersecurity firm Barracuda Networks. They asked 430 UK councils if they had data backup in place. Around 70% responded that they did. But the other 30% didn’t respond at all.

Why is this worrying?

Firstly, because properly backed-up data that can be rapidly restored from a source that the hackers can’t touch renders the encryption of data by ransomware pointless. The ransomed data is simply reinstated from the backup source.

Essentially, it’s a remedy for ransomware – yet many councils seem loath to confirm that they have it.

Secondly, it makes it seem highly unlikely that these councils are abiding by National Cyber Security Centre (NCSC) recommendations, which state that organisations should use a reliable point-in-time backup that is not affected by ransomware.

So what are they hiding, and why? And can we even trust the kind of backup the 70% are using?

Poor data backup: a public sector meltdown?

Here’s what our own customer research has taught us about this, and why it could potentially trigger nationwide public sector IT crises that not only reach far beyond local councils, but force taxpayers to foot cleanup bills at the expense of other public services.

1. On-site backups: highly vulnerable

The reality is that many councils only back up their data to on-site systems, but these are often just as vulnerable to ransomware as the main systems, so if they become infected, there is no backup.

2. Cloud backup: not immune to ransomware

Some councils use offsite cloud services, but these are all too often incorrectly configured, or poorly designed, meaning that the backup can easily be infected by ‘ransomcloud’ attacks – again, leaving the organisation with no backup.

3. Microsoft Office 365: ransomware everywhere!

The entire public sector, not just councils, is moving its email systems to Microsoft Office 365, but these organisations often do not understand that Office 365 is not backed up by Microsoft, as we were already explaining months ago in this post.

It’s only a matter of time until these systems become infected by a new strain of ransomware – and if no effective data backup is in place, that’s potentially many multi-million pound losses across the sector, not just one in Redcar!

4. Storage is not backup

A similar misconception is common in councils with regard to online storage and sync services like Dropbox, OneDrive, Google Drive and others. Yes, these services store data in the cloud – but they do not back it up to enable you to get it back if something goes wrong.

5. Buy cheap, regret at leisure

Council IT Departments are locked in a seemingly unending war with Finance Departments for funding. Sadly, this inevitably results in them choosing the lowest-cost solution, which tends to be either onsite only (see the risks outlined above), or a cheap or free US-based cloud data backup.

The latter risks putting them in breach of GDPR, and comes with significant weaknesses around accessing and restoring backed-up data, and poor technical support.

6. They are putting our kids at risk too

Schools are, equally, persistently exposed. In our experience, schools regularly back up just a fraction of their data – again, often because they don’t have the funding support needed for a complete backup service.

This isn’t just a potential ransomware incident. Schools are bound by the Government’s Schools Financial Value Standards (SFVS) regulation to back up, daily and offsite, any data that protects the school’s core IT systems. And should that data not be backed up securely, (your) children’s personal details are potentially up for sale on the hidden internet.

That’s two prosecutions, right there.

Backup: a magic bullet for ransomware?

It is true that, even if these potential repeat victims do up their game and put in place backup that can restore data into the organisation almost as quickly as it was encrypted, ransomware hackers are upping their game too, as we remarked in another post recently.

In short, there’s no one magic bullet for ransomware.

But at least effective backup stops councils inadvertently (arguably, in many cases, negligently) playing Russian roulette with their data.

And ours.