At least one-quarter of all councils - a form of local government - in the United Kingdom have fallen victim to ransomware attacks.
That finding comes via Freedom of Information, or FoI, requests sent to 430 U.K. councils, asking not only if they'd been a ransomware victim, but also if they paid a ransom, as well as how much data they regularly back up. The FoI requests were submitted by technology vendor Barracuda Networks, which helps maintain the No More Ransom portal that provides free decryptors for some types of ransomware, allowing victims to recover their data for free.
Of the 430 councils queried, one-third didn't respond to the FoI request questions on the grounds that they had outsourced their IT services.
But 42 percent said that they had not been hit with ransomware outbreaks, while 27 percent of the councils - or 115 in total - said they had suffered at least one ransomware infection.
No council admitted to paying a ransom to recover its data. If true, that need not be surprising, since all councils that do not outsource their IT report that they have backup systems in place that would allow them to recover from a ransomware outbreak without having to pay a ransom (see Please Don't Pay Ransoms, FBI Urges).
The FoI requests did not query organizations that suffered a ransomware attack as to the source of their infection.
But Chris Ross, international senior vice president at Barracuda, tells me that based on the company's research, "email continues to be the single biggest threat vector - so it would be safe to assume that the greatest proportion of threats came via email."
Paging UK Local Government
Kudos to Barracuda for querying every council in the United Kingdom over ransomware.
"It's something we've been working on for the past few months," Ross tells me.
The need to individually query so many local government bodies to ascertain how they've fared against ransomware is due to there being more than 400 councils in the United Kingdom. Almost every council will be responsible for its own IT systems, and therefore for its approach to defending against ransomware.
Local government in the countries of Scotland, Wales and Northern Ireland is straightforward: Each is divided into "single tier councils" - 32 in Scotland, 22 in Wales and 11 in Northern Ireland.
Local government in England, however, often features a much more complex arrangement, resulting in more than 350 different types of councils - some standalone, others mixing "upper tier" county councils with "lower tier" district councils.
The FoI requests revealed "no huge variation" between the different countries when it comes to councils that have, or have not, fallen victim to ransomware, Ross says.
Good News: Councils are Backing Up
Ross says the finding that 27 percent of councils reported experiencing a ransomware attack was not surprising "because of the data we'd seen with other organizations." Barracuda says that its previous studies of small, midsize and large organizations have found that about half have suffered ransomware outbreaks.
Ross says one question often raised by these types of studies is whether organizations - in this case, councils - are spending enough money to defend against ransomware. But he says the real question should be whether they are spending money on the right types of defenses.
Thankfully, councils appear to be taking this threat seriously. "The biggest surprise is the extent of solid backup solutions being in place. That's good news, certainly for us as taxpayers - councils thinking about how they can keep their services backed up and able to get back online," Ross says.
On average, councils say they are each backing up about 64 terabytes of data.
Councils that outsource their IT are not magically immune to ransomware attacks. But security experts have long recommended that all organizations consider outsourcing their IT services, whenever possible, not least because it can lead to lower costs as well as dramatic information security improvements.
Ross says it's essential when migrating to Office 365 to "understand how you're backing up your data" as well as to ensure that organizations have the e-discovery and archiving capabilities they require. While Barracuda sells such technology - and other options are available - security experts say that having the right tools in place from the get-go can save time and money later.
As with any type of disaster recovery - including recovering from ransomware outbreaks - putting good plans in place in advance also helps ensure less downtime later. "Don't underestimate the impact of a business - be it in the public or private sector - being taken offline for even a day," Ross says (see FedEx Warns NotPetya Will 'Negatively Affect' Profits).
Cloud Security Considerations
Using cloud services such as Office 365, however, can have its wrinkles. Microsoft, for example, requires all Office 365 and hosted Exchange users to reset their passwords every 90 days, despite British intelligence agency GCHQ, among others, now recommending that in most cases, forced-password resets should be abolished because they lead to poorer security.
In addition, such services may not require two-factor authentication, and they may allow users to pick poor passwords, which leave accounts susceptible to brute-force, password-guessing attacks (see Parliament Pwnage: Talk Weak Passwords, Not 'Cyberattack').
Update (Sept. 26): Revised to note that no councils said they paid a ransom after suffering a ransomware outbreak. Barracuda had initially reported that one council paid a ransom. But after reanalyzing the data, it found an error, leading it to revise that statistic.