Government Sanctions: No Ransomware Please, We're BritishUK Toughens Anti-Cybercrime Stance by Sanctioning Accused Operators for First Time
The British government elevated its estimate of the risk posed by ransomware, putting it on the same level as international terrorism and major natural disasters.
During a Thursday unveiling of sanctions against seven Russian nationals for their roles in developing and managing TrickBot malware, Westminster also declared ransomware to be a tier 1 national security threat (see: US and UK Sanction Members of Russian TrickBot Gang).
In 2010, the government identified four tier 1 - or top - national security threats: an international military crisis between states that drew in the U.K., a major accident or natural disaster affecting multiple regions, international terrorism, and hostile online attacks targeting the U.K. launched by nation-states or large crime gangs.
Now ransomware is also a tier 1 national security threat. "I think it's a significant pivot, especially combined with warrant action against TrickBot," British security expert Kevin Beaumont said via Mastodon. "It suggests the scope of action is widening."
What exactly ransomware's advancement into the top level of recognized risks means is unclear. "If they aren't developing exploits for CobaltStrike and IM platforms and infiltrating ransomware groups as members, I want my tax money back," Beaumont added.
It's as if the government is simply highlighting that, among cybersecurity threats, ransomware is top dog.
The Foreign Office didn't respond to a request for clarification.
"I suspect it's a matter of pushing it to the front of the stage rather than giving it any new resources beyond the 'significant' ones that are already being brought to bear," says Alan Woodward, a visiting professor of computer science at England's University of Surrey. "There are many ongoing international operations in which the U.K. is active, attempting to disrupt the gangs behind ransomware and particularly ransomware as a service."
Last November, National Cyber Security Center CEO Lindy Cameron warned that "ransomware remains the most acute threat that businesses and organizations in the U.K. face" and urged all British organizations to have "mitigation measures" in place. Those include having multifactor authentication and prepared, well-practiced, robust incident response plans (see: Ransomware Attacks Pose Biggest Threat to UK Organizations).
In recent years, experts say the volume of ransomware attacks appears to have remained constant. Recent big-name victims in the U.K. have included The Guardian newspaper and the national postal service, Royal Mail. On Wednesday, which marked five weeks since Royal Mail was hit by LockBit ransomware, the postal service was still struggling to restore all export services.
Due Diligence Required
The seven Russians jointly sanctioned last week by the U.S. and U.K. have been accused of aiding or participating in multiple ransomware and cybercrime enterprises known by a variety of brand names and code names, including Conti, Gold Blackburn, TrickBot, Trickman, UNC1878 and Wizard Spider.
Collectively these groups "have been responsible for the development and deployment of: TrickBot, Anchor, BazarLoader, BazarBackdoor as well as the ransomware strains Conti and Diavol," and for deploying Ryuk ransomware, the British government says (see: Emotet, Ryuk, TrickBot: 'Loader-Ransomware-Banker Trifecta').
While some of those groups are defunct, at least some of the individuals seem to remain active. "The seven individuals are now subject to travel bans and asset freezes and are restricted in their use of the global financial system," say Jonathan Armstrong and André Bywater, attorneys at London-based Cordery.
Due to the sanctions, the attorneys say, ransomware victims should conduct rigorous due diligence prior to paying any ransom. This can be a challenge with "Russian nationals, given the fact that names can appear differently in Russia and the fact that criminals can use false names," they say. For example: One of the newly sanctioned individuals, Vitaliy Kovalev, has used such aliases as "Bentley," "Bergen" and "Alex Konor."
Individuals who violate sanctions risk financial penalties and jail time: up to 1 million pounds in fines and seven years' imprisonment in Britain and up to $1 million in fines and 20 years' imprisonment in the U.S.
Clearly, disrupting cybercriminals' revenue stream is now firmly part of the British government's national security agenda.