SecurityBrief New Zealand - Technology news for CISOs & cybersecurity decision-makers
Story image
Rebuilding after ransomware – The case of The British Library
Thu, 4th Apr 2024

It started with an innocuous message on the website explaining to customers there was an "online outage" It ended with one of Britain's most revered institutions being cast back to the pre-digital age.

The British Library, a bastion of the knowledge economy with a storied history stretching back almost three centuries, was brought to its knees by a group of rogue Russian cyber thugs.

While the doors remained open, the British Library's operations were severely hampered. Its website, phone lines, ticket sales, digital cataloguing all rendered useless, as the employees were locked out of their computer systems. Not even the gift shop was spared, with card transactions down.

Here was an institution whose catalogue made it through the Blitz. Now, a vicious ransomware attack was threatening its future. The malware had encrypted everything that touched the network, rendering computers, devices and servers inoperable. To add insult to injury, the attackers had also downloaded a tranche of customer data, with a long list of names and addresses to flog on the dark web.

Three months after the October attack, the British Library, which honourably refused to pay a ransom to the hackers, was still rebuilding its systems to get back online.

Ransomware – The sharpest tool in the hacker's arsenal

The British Library attack shows just how devasting a ransomware attack can be when leveraged to its full capacity. It's a situation all New Zealand organisations should take note of.

Ransomware is unique for several reasons. Firstly, because it is often a multi-staged attack. That is, the bad actors steal your data and then 'lock' you out of the file system by way of encryption. Then, they doubly extort you by threatening to continue to disallow access to your files and release the stolen data to the public. This is, of course, unless you agree to the ransom demand and pay the hackers in cryptocurrencies such as Bitcoin or Monero.

Secondly, the attack is normally coupled with brazen tactics to pressure victims to pay. We've seen cybercriminals recently report their own data breaches to the authorities when it was clear the ransomed company weren't intending to pay the actor and report the breach. Even threats of physical violence have been made.

Ransomware is on the rise, too. A recent report by ThreatLabz found ransomware attacks increased by over 37% in 2023, with the average enterprise ransom payment exceeding US$100,000. 

And as the frequency of ransomware attacks rises, so does the number of businesses that would consider paying a ransom. Recent Kordia research found the number of business decision-makers at NZ's largest organisations who would consider paying a ransom rose 23% year on year.

There's still some speculation as to how exactly the attackers got a foothold in the network, however the cyber gang that took responsibility, Rhysida, has been known to use exploitations of external-facing remote services to access its victims' systems.

Regardless, this paints a textbook picture of how attackers probe around until they can find a weak point in an organisation's perimeter to get inside. Once in, they explore the entire network, steal whatever data of value they can find, and then inflict a final blow by injecting malicious code to paralyse all systems.

To pay or not to pay
Ransomware extortion puts organisations in a tricky position. Do you take the cybercriminals at their word, pay what is being demanded, and gamble on the hope of a simple resolution to restore your systems?

Or do you take the arguably more labour-intensive route of rebuilding from your backups – in severe cases even starting from scratch.

There is a degree of risk, whichever route you choose. If you pay, what guarantees are there that the hackers will honour their end of the bargain? If you refuse to pay it takes significant effort and time as each endpoint and server needs to have undergone a restore and testing process before it is trusted. No matter the decision made, this is going to be an expensive journey and will take months to recover properly.

For the British Library, paying the £600,000 ransom demand was entirely out of the question.

"It is just basic practice that you don't pay money to criminal blackmailers," Chief Executive Roly Keating told the Guardian.

"It was important for us to articulate choices, to set a tone."

While it's admirable that the British Library resisted the cybercriminal's demands and spent months rebuilding, not all businesses or infrastructure providers are in that same position.

While a library being offline is hugely disruptive, it doesn't have the same criticality as, say, an electricity or water provider. If lifeline utilities suffer downtime, there is a real risk to the health and safety of the general public. This puts additional pressure on victims to pay their way out of trouble.

While a library might seem an unlikely target for a cybercriminal, symbolically this attack ought to rattle the country's legislators and government officials.

The British Library holds 13th Century copies of the Magna Carta, the only surviving copy of the medieval masterpiece Beowulf and The Diamond Sutra, claimed to be the world's oldest dated printed book. The role it plays in preserving and digitising such important historical works makes the library a cornerstone of the Commonwealth's democracy. Over the past decade, there has been a concerted effort to shift the British Library from its paper-based foundations to a modern and cutting-edge resource for digital research.

Step inside the central library of any New Zealand city, and you'll see how it plays a major role beyond just a book lender. From researching digital archives of historic newspaper articles to using the Wi-Fi, accessing music and checking out eBooks, it is arguably the online systems that enable the customer experience for libraries today.

If there's one takeaway from this attack, it's that no institution is immune from a ransomware attack – and the need to be able to restore and recover from a major cyber incident is imperative for any organisation of national significance.