Ransomware Remains Top Cyberthreat, Former NCSC Chief Says
Ciaran Martin Warns High-Profile Attacks Will Increase in 2023
Ransomware continues to be the United Kingdom's most prominent cybersecurity threat, and the country can expect to see a surge in destructive attacks in 2023, warns the former head of the U.K.'s national cybersecurity agency.
Ciaran Martin, a Sans Institute director and professor of practice at the University of Oxford, says that overall ransomware activities across the world slumped in 2022 but that attacks are likely to surge in the coming months.* He adds that recent hacks against The Guardian newspaper and the British Royal Mail are examples of these early-stage attacks.
Martin, who was the U.K. National Cyber Security Center's CEO until 2020, says one of the contributing factors behind the success of ransomware continues to be that most criminal groups operate out of Russia, which he says is a "safe haven" for the crooks to "operate with impunity."
"Cybercriminals thrive in weaker states. They don't thrive in France, in the United States or Canada," Martin tells Information Security Media Group during the CyberThreat 2022 conference in the U.K. this week. "So, for the foreseeable future, I think this region is likely to be a source of significant cyber."
The 23% decline in ransomware attacks in 2022, which is based on a SonicWall report, is likely tied to disruption caused by the ongoing war in Ukraine and Russia, and most ransomware operators in the region are being forced to flee or join as conscripts in the state security service, he says.
"In 2023, the early signs, sadly, are that there's a bit more of it around," he says. "So, I think we can expect a few more high-profile cases, especially against organizations in the West."
This analysis is also supported by the European Union Agency for Cybersecurity, which in its November 2022 threat report warned of increased targeted attacks against critical infrastructure in Western and NATO countries, especially by ransomware-wielding, pro-Russian, state-backed hackers in retaliation for supporting Ukraine (see: More State-Sponsored OT Hacking To Come, Says ENISA).
In a December 2022 report, security firm Palo Alto Networks revealed that a hacking group believed to be tied to Russia targeted a large petroleum refining company based inside a NATO country during the early stages of the war in Ukraine (see: Russian Hackers Targeted Oil Refinery Firm in NATO Country).
Martin adds that the prevalence of weak corporate networks across the Western nations and the success of the current ransomware models, as most victims choose to pay the ransom, are two enablers for ransomware growth.
"The notion that it is just easier to pay the ransom is a pro-criminal narrative," he says. "The fact is: Victims have more agency than they think they do and what they don't realize is that the cost of recovery is most of the time cheaper than paying out ransom," Martin says. He points to the Harris School Federation in London, which recovered its files for $600,000, as opposed to the ransomware hackers' initial demand of $4 million.
Martin also says that implementing a national-level policy dissuading potential ransomware victims from paying the ransom remains a challenge that continues to elude policymakers.
"Twenty years ago, British government took a very difficult decision to outlaw payment of ransoms to terrorists who kidnap. It led to some really difficult decisions, but ultimately it worked as fewer British nationals were kidnapped," Martin says. "What strikes me is that whilst there are significant challenges with implementing a ban on ransom, we haven't actually done the work to see if we can overcome that ban."
*Update Jan. 24, 2023 16:32 UTC: Updates Martin's title to reflect that he joined the Sans Institute as director of the Sans CISO Network and Summits EMEA.