Redcar & Cleveland Council confirms ransomware attack

Redcar & Cleveland Borough Council in northern England has confirmed it has fallen victim to a ransomware attack targeting its server estate, which has kept it offline since the weekend of 8 February.

The attack, which has been extensively reported by local media, has left local residents unable to access the many services the council provides online, such as making council tax payments or checking their rubbish collection dates.

Concerns have also been raised over the upcoming National Offer Day for applications for secondary school places in September 2020, which is scheduled for 2 March.

Council leader Mary Lanigan took to Facebook to provide an update, given that the council’s websites remain offline.

“Our absolute priority since the first day of the attack has been to protect our frontline services, ensuring the safety and wellbeing of the most vulnerable people in our community, while rebuilding our IT systems so they can return to full functionality,” she said.

“Significant progress has been made. Our staff, working alongside support from the government, continue to work tirelessly round the clock to minimise any disruption or delays.”

Lanigan added: “All frontline services have continued, payments continue to be processed as normal, and there is no evidence so far to suggest any personal information has been removed from our servers.”

The council has now built a new server and website and deployed a temporary contact centre, said Lanigan, but it is likely to be some time before its IT capabilities are fully restored, so further frustration for local residents is inevitable.

“I’d also like to thank our residents for the resilience and patience they have shown,” the council leader added. “And I’d like to place on record my gratitude and admiration for our council staff and all of those who have responded to this complex and challenging situation.

“We notified the relevant authorities of the attack swiftly and the investigation is being led by the National Crime Agency. We are working with the National Cyber Security Centre [NCSC] and the National Crime Agency [NCA], and I would like to thank their staff for all the assistance they have provided.

“As a council, we have always taken cyber security seriously, and we will continue to engage with the relevant authorities to ensure our systems are as secure as possible in the future.”

Kaspersky research on ransomware attacks against local and municipal governments, released in December 2019, reported a 60% rise in ransomware attacks against such bodies compared with the previous year. The most often used ransomware strains were Ryuk, Purga and Stop.

The average ransom demand clocked in at $1,032,460 (£790,000/€930,000), although the amounts extorted from smaller local authorities were often much smaller than those extorted from larger ones, suggesting that the various cyber criminal groups behind the attacks are conducting very specific, targeted attacks.

Kaspersky said most municipal breaches come about through social engineering or phishing, or because of unpatched software on old IT estates that local authorities often lack the funds to replace or protect.

Kaspersky said: “First of all, the cyber security budgeting of municipalities is often more focused on insurance and emergency response than on proactive defence measures. This results in cases where the only possible solution is to pay the criminals and facilitate their activities.

“Secondly, municipal services often have numerous networks that include multiple organisations, so hitting them causes disruption on many levels at the same time, bringing processes across entire districts to a halt.

“What is more, the data stored in municipal networks is often vital for the functioning of everyday processes, as it directly concerns the welfare of citizens and local organisations. By striking such targets, cyber criminals are hitting a sensitive spot.”

Carl Wearn, head of e-crime at Mimecast, said that up to now, cyber attacks on local government have been more widespread in the US, with UK authorities unscathed. But this now seemed to be changing.

“Mimecast’s latest threat research shows a clear concentration of threat actors’ effort on the insertion of ransomware,” said Wearn. “Ransomware continues to be the preferred attack method for threat actors due to the monetary gains available if successful.

“It should be considered a key threat across all regions, not just in the UK, as criminals seeks to exploit the perceived success of this form of cyber attack before significant regulatory and industry-based resilience measures render this attack more difficult to carry out.”

Matt Rahman, chief operating officer at IOActive, said Redcar & Cleveland Council had been far too reactive, and calls for a serious review of its systems were justified.

“Organisations need to look at their infrastructure from a hacker’s perspective – adding defensive mechanisms after the event is simply too late,” he said. “Incidents like this are only going to become more common as more products and systems become connected. The digital transformation that’s occurring is changing how everyone looks at security, but it is still possible to be secure.

“Organisations need to look at the process from end to end, how it’s being digitised, how devices are being used, connected and who is using them, to truly get a strong gauge of their cyber security posture.”

Wearn added: “Sensible precautions such as non-networked backups, email and archiving fall-backs need to be utilised as a matter of course before this current tide can be stemmed.”