When ransomware visits your network, resolve to build it back better. And if you’re tempted to pay the ransom, don’t. That money is better spent on new defenses to prevent a repeat incident.
These are some of the takeaways from a remarkable British Library report, Learning Lessons From The Cyberattack, that analyzes the paralyzing ransomware attack that hit the famous institution in October 2023.
Anyone interested in ransomware should read this post-incident report. Ransomware attacks might be routine these days but it’s rare for organizations (even public sector ones) to draw back the curtain and share their painful learning with others.
Some highlights:
One Weak Server
How did the attackers get in? The destructive nature of the attack made it hard to tell, but the most likely route is a Windows Terminal Services server installed in 2020 to improve remote access for third parties. Unfortunately, for reasons the report describes only as technically complex, this server was not protected by multi-factor authentication (MFA), pending a planned upgrade. A single externally reachable remote-access host without MFA is exactly the kind of gap that turns one stolen or guessed credential into a foothold.
Like a Wet Paper Bag
Once inside, the attackers were able to move around easily enough to locate and steal 600GB of data relating to employees and library users. They did this using keyword searches (e.g., “passport”), by copying some drives wholesale, and by using native utilities to take backups of 22 databases. Nothing about that toolset is exotic: the same utilities a database administrator uses every night were simply pointed at the attackers’ own destination.
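Because the attackers used native backup utilities, the backups themselves look like routine administration; what distinguishes them is who ran them, how many databases were touched, how fast, and where the output went. The following is an added example, not code from the British Library report or its authors: a small Python detector run over constructed, simplified SQL Server audit lines (the log format, account names, host names and the approved backup share `\\bkp01\nightly\` are all assumptions made for the example). It flags backups written outside the approved share and accounts that back up many distinct databases within a short window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from the report). Simplified format standing in for a
# SQL Server audit export: "<ISO timestamp> <login> <host> <statement>".
# Three routine nightly backups by a service account, one non-backup statement,
# six rapid backups of distinct databases by a contractor account to a local temp
# folder, and one malformed line the parser must skip.
SAMPLE_LOG = r"""
2023-10-28T01:02:11 svc_backup DB01 BACKUP DATABASE Finance TO DISK = '\\bkp01\nightly\Finance.bak'
2023-10-28T02:02:15 svc_backup DB01 BACKUP DATABASE Payroll TO DISK = '\\bkp01\nightly\Payroll.bak'
2023-10-28T03:02:09 svc_backup DB01 BACKUP DATABASE Catalogue TO DISK = '\\bkp01\nightly\Catalogue.bak'
2023-10-28T03:15:44 svc_backup DB01 SELECT COUNT(*) FROM dbo.Jobs
2023-10-28T04:41:03 contractor7 DB02 BACKUP DATABASE Readers TO DISK = 'C:\Temp\r.bak'
2023-10-28T04:41:20 contractor7 DB02 BACKUP DATABASE Staff TO DISK = 'C:\Temp\s.bak'
2023-10-28T04:42:05 contractor7 DB02 BACKUP DATABASE Events TO DISK = 'C:\Temp\e.bak'
2023-10-28T04:43:11 contractor7 DB02 BACKUP DATABASE Donors TO DISK = 'C:\Temp\d.bak'
2023-10-28T04:45:30 contractor7 DB03 BACKUP DATABASE Loans TO DISK = 'C:\Temp\l.bak'
2023-10-28T04:49:58 contractor7 DB03 BACKUP DATABASE Archive TO DISK = 'C:\Temp\a.bak'
this line is not in the expected format
"""

# Assumed: the only place legitimate backups are allowed to land.
APPROVED_PREFIXES = ["\\\\bkp01\\nightly\\"]

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(.*)$")
BACKUP_RE = re.compile(
    r"BACKUP\s+DATABASE\s+\[?(\w+)\]?\s+TO\s+DISK\s*=\s*'([^']+)'", re.IGNORECASE
)


def parse_log(text):
    """Return one event dict per BACKUP DATABASE statement; skip everything else."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # malformed or empty line
        ts, user, host, statement = m.groups()
        b = BACKUP_RE.search(statement)
        if not b:
            continue  # not a backup statement
        events.append({
            "time": datetime.fromisoformat(ts),
            "user": user,
            "host": host,
            "db": b.group(1),
            "dest": b.group(2),
        })
    return events


def find_unapproved_destinations(events, approved_prefixes=APPROVED_PREFIXES):
    """Backups written anywhere other than the approved share (case-insensitive)."""
    prefixes = [p.lower() for p in approved_prefixes]
    return [e for e in events
            if not any(e["dest"].lower().startswith(p) for p in prefixes)]


def find_mass_backups(events, threshold=5, window=timedelta(minutes=30)):
    """Accounts that back up >= threshold distinct databases inside one window.

    Returns {user: max distinct databases seen in any window}.
    """
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    flagged = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["time"])
        for i, start in enumerate(evs):
            dbs = {e["db"] for e in evs[i:] if e["time"] - start["time"] <= window}
            if len(dbs) >= threshold:
                flagged[user] = max(flagged.get(user, 0), len(dbs))
    return flagged


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for e in find_unapproved_destinations(evs):
        print(f"unapproved destination: {e['time']} {e['user']} {e['db']} -> {e['dest']}")
    for user, n in find_mass_backups(evs).items():
        print(f"mass backup: {user} backed up {n} distinct databases within 30 minutes")
```

Either rule alone is weak: a new backup share trips the destination rule, and a genuine consolidation job trips the tempo rule. Together, and tied to an account that has no business running backups at all, they give a defender something to act on while the data is still on the internal network rather than after it has left.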
Data Headache
Working out what data was or wasn’t compromised created huge amounts of work for the Library’s security team. Incident response tends to be seen as a technical exercise; in a ransomware attack on complex data assets, the issue of data management can take up almost as much time. This effort will last years.
Server Destruction
Encryption was only one strand of the attack. Today’s ransomware gangs know that simply destroying servers will cover their tracks and tie down restoration efforts, and that this too increases the pressure to pay. As the report says:
“It is this last attack type that has had the most damaging impact on the Library: whilst we believe that we will eventually be able to restore all of our data, we are hampered temporarily by the lack of viable infrastructure on which to restore it.”
Ransomware Changes Everything
The analysis makes clear that the attack has changed the library’s systems forever:
“Our major software systems cannot be brought back in their pre-attack form, either because they are no longer supported by the vendor or because they will not function on the new secure infrastructure that is currently being rolled out.”
Recovery Costs
Interestingly, while all ransomware attacks are expensive, some of the costs of this one were met by bringing forward security upgrades that were already planned. Call it clever budgeting, but note the implication: the Library was carrying known risk it had already decided to fix.
Legacy Risk
The report notes that legacy technology was an important vulnerability. This included a complex network topology, out-of-date processes for handling data (which increased the chances of exposure), and legacy software:
“Our reliance on legacy infrastructure is the primary contributor to the length of time that the Library will require to recover from the attack.”
Remember WhatsApp
The attack took down normal communication channels such as email, forcing the Library to fall back on WhatsApp. The point is not the product but the property: an out-of-band channel that does not depend on the compromised domain, identity systems or mail servers, and here the public WhatsApp service filled that role. Unhindered communication between staff as an attack escalates is a security feature, and it is worth deciding in advance what that channel will be rather than improvising it mid-incident.
Moving to the Cloud
Another vulnerability was the Library’s reliance on on-premises systems the attackers were able to target. Its cloud finance and payroll systems, by contrast, remained unaffected. It now plans to invest more heavily in cloud infrastructure. However:
“Moving to the cloud does not remove our cyber-risks, it simply transforms them to a new set of risks that should be easier to manage given the necessary resources and capacity.”
Telling the World
Perhaps the best and bravest aspect of this report is that it’s been made public at all. There have been occasional examples of organizations affected by ransomware doing this before, but they’re still frustratingly rare.
Arguably, this is what a meaningful disclosure rule would look like: tell everyone what happened, not only the regulators. The British Library and the report’s authors are to be commended.