By Richard LaTulip, Field Chief Information Security Officer at Recorded Future.

The UK’s proposed Cyber Security and Resilience Bill represents a significant shift in how the nation approaches ransomware and wider cyber threats, with lasting implications for the public sector. As the government aims to tighten rules around ransomware reporting and payments, organisations are set to face stricter expectations for transparency, incident response, and cyber resilience.
Under the proposed legislation, all public sector and critical national infrastructure bodies could be banned from paying ransomware demands. It would also require organisations to report a ransomware attack within 72 hours, sharing details about the ransomware demand, whether the attackers are identifiable, and resilience capabilities.
The public sector ransomware payment ban is designed to turn essential public services into unattractive targets for cybercrime. Public sector suppliers are also being urged to take action, with NHS England asking suppliers to help tackle the “endemic” threat of ransomware attacks, and a voluntary public charter due to launch later this year.
These changes are positive steps towards improving cyber hygiene, but they cannot replace the need for immediate action. Waiting for the UK government to act is not an option, as cyberattacks are already disrupting public services and pose a mounting threat.
A key enabler of ransomware attacks is phishing, especially highly targeted ‘spearphishing’ campaigns that trick employees into handing over access credentials. Criminal groups, like the one behind the widely reported Medusa ransomware, use phishing to gain a foothold in networks, and phishing attempts are often the start of a much more damaging ransomware event. However, public sector organisations can bolster their defences through sophisticated threat intelligence.
Rise in phishing
The relentless risk of cyberattacks has seen organisations make cybersecurity a strategic priority. Technology and software are deployed to enhance security and protect operations against malicious activity. A by-product of this positive intent is that cyber threats adapt. Rather than spending time and resources trying to crack robustly protected networks, criminals prioritise the exploitation of individuals to obtain genuine user credentials. This form of attack is seen as a more effective route past extensive authentication checks, reflecting a belief amongst attackers that employees are the weakest link in an otherwise strong chain of security defences.
The phishing threat landscape is evolving and increasingly becoming ‘spearphishing’, where attacks are much more targeted and seem even more plausible. Extremely personalised attacks are directed at specific individuals to deceive them into sharing trusted credentials and confidential information.
Spearphishing is carried out via channels such as email, SMS and other messaging platforms, and phone calls. Artificial Intelligence (AI) is being exploited by criminals to make these personalised attacks scalable and effective.
AI-powered phishing
Generative AI is often used by threat actors to quickly generate thousands of unique, native-language lures. Scam emails seem credible because the language used appears authentic and less suspicious. For example, email copy may deliberately include the typical spelling and grammatical errors and colloquial terms of a real message, so that it appears to originate from a plausible, human source.
It’s also possible for AI to harvest and analyse data about the target of the attack, as well as about the supposed party that’s requesting information. This is where spearphishing becomes very personalised. An email received from a supposed senior colleague seems genuine, because it impersonates a trusted source and contains what appear to be real and relevant references.
Criminals are also using the voice generating and changing capabilities of generative AI to impersonate support services such as an IT helpdesk. The AI contacts an employee and tricks them into divulging confidential and sensitive information. It’s an evolution of a social engineering scam, which takes advantage of an employee’s likely frustration with an IT problem and their willingness to quickly fix problems. The AI voice sounds plausible and builds trust.
A key step for preventing spearphishing attacks is to build awareness amongst employees – they need to know what types of risk they are facing if they are to prove an effective line of defence. Running simulated attacks can help employees to understand the capabilities of AI and show how it is being used by criminals. It is also important to strengthen resilience through faster threat identification and sustained intelligence. Monitoring threat actors and spearphishing campaigns can enable organisations to stay ahead of potential attacks.
Impersonated brands
Phishing techniques are also evolving to spoof widely trusted and well-known brands. Genuine organisations like Microsoft and DocuSign provide products and services used regularly throughout the public sector. Employees interact with these types of platforms on an almost daily basis and, in most cases, won’t think twice about how they use them. Criminals know this and prey on it.
Attackers create sophisticated impersonations of trusted platforms, which seem realistic and genuine. Users are misled by these lookalikes, and what is typically regarded as a safe website on which to enter passwords and credentials becomes a data-capture exercise for criminals. These attacks are evolving with more sophisticated domain impersonations, including lookalike domains and homoglyph attacks (domains built from characters that look like the genuine brand’s letters) that evade traditional email filters.
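As an added illustration of the lookalike and homoglyph domains described above (example code written for this page, not Recorded Future’s tooling), the following Python classifies hostnames taken from mail or proxy logs against a list of protected brands. It decodes punycode labels, reduces each label to the ASCII a reader would perceive, and then reports homoglyph substitutions, one-character typosquats and brand names embedded in longer labels. The confusable map, the allowlisted zones and the sample hostnames are constructed assumptions; a production detector would use the full Unicode confusables table and a public-suffix list.

```python
import unicodedata
from typing import List, Optional, Tuple

# Constructed, deliberately small confusable map (an assumption for this
# example; a production detector would use the Unicode confusables table).
# Maps characters that imitate ASCII letters to the letter they mimic.
CONFUSABLES = {
    "0": "o", "1": "l",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",  # Cyrillic a e o r
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",  # Cyrillic c x y i
    "\u03bf": "o",                                               # Greek omicron
}
# Two-letter sequences that read as a single letter in many fonts.
MULTI_CHAR = {"rn": "m", "vv": "w"}

# Brands named on the page; the allowlisted zones are an assumption.
PROTECTED_BRANDS = ["microsoft", "docusign"]
ALLOWLISTED_ZONES = ["microsoft.com", "docusign.com"]


def decode_label(label: str) -> str:
    """Turn a punycode label (xn--...) back into Unicode so homoglyphs are visible."""
    if label.startswith("xn--"):
        try:
            return label.encode("ascii").decode("idna")
        except UnicodeError:
            return label
    return label


def skeleton(label: str) -> str:
    """Reduce a label to the ASCII text a reader would perceive."""
    s = unicodedata.normalize("NFKC", label).lower()            # fold full-width forms etc.
    s = unicodedata.normalize("NFD", s)
    s = "".join(c for c in s if not unicodedata.combining(c))   # drop accents
    s = "".join(CONFUSABLES.get(c, c) for c in s)               # single-character lookalikes
    for seq, repl in MULTI_CHAR.items():                        # then "rn" -> "m", "vv" -> "w"
        s = s.replace(seq, repl)
    return s


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one-character typosquats such as 'microsft'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess_label(label: str, brand: str, max_distance: int = 1) -> Optional[str]:
    """Classify how a single DNS label relates to a protected brand, or None."""
    decoded = decode_label(label)
    sk = skeleton(decoded)
    if sk == brand:
        return "exact_brand_label" if decoded == brand else "homoglyph"
    if levenshtein(sk, brand) <= max_distance:
        return "typosquat"
    if brand in sk:
        return "brand_in_label" if sk == decoded else "homoglyph_in_label"
    return None


def assess_domain(domain: str) -> List[Tuple[str, str, str]]:
    """Return (label, brand, reason) findings for a hostname; [] means no concern."""
    host = domain.strip().lower().rstrip(".")
    if any(host == z or host.endswith("." + z) for z in ALLOWLISTED_ZONES):
        return []
    findings = []
    for label in host.split(".")[:-1]:            # the TLD itself is never a lookalike
        for brand in PROTECTED_BRANDS:
            reason = assess_label(label, brand)
            if reason:
                findings.append((label, brand, reason))
    return findings


if __name__ == "__main__":
    # Constructed sample hostnames as they might appear in proxy or mail logs.
    for host in ["login.microsoft.com", "rnicrosoft.com", "micr0soft-login.example",
                 "microsft.com", "docusign-secure.example", "microsoft.com.evil.example"]:
        print(f"{host:32} {assess_domain(host)}")
```

A hit is a triage signal rather than a verdict: the skeleton step is a heuristic (a label such as “modern” becomes “modem”), so the output is best used to prioritise which observed domains an analyst checks against registration data and the brand’s own allowlist, and to enrich mail-gateway or proxy alerts with a reason code.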
The threat of phishing is growing and evolving, and it will continue to do so as organisations strengthen their defences against ransomware. With the proposed Cyber Security and Resilience Bill introducing a tougher stance on ransomware payments and incident reporting, the public sector is under increasing pressure to act now.
Legislation alone will not build resilience. Phishing remains one of the most common and effective ways for ransomware actors to gain initial access. To protect essential services, public sector organisations need to prioritise effective threat intelligence.
Building knowledge of the threat landscape can help to prioritise which phishing attacks pose the most realistic risks of a breach and avoid defences becoming overwhelmed. Informed decisions can be made and proactive steps taken to drive preventative action, helping organisations to stay ahead of potential breaches. Threat intelligence can provide valuable insights that reduce vulnerabilities and lessen the effectiveness of phishing, even when it’s extremely personalised.