Held to ransom: How criminal gangs are weaponising AI in the name of cyber-extortion

It was Christmas Eve 2020 and staff at the Scottish Environment Protection Agency (Sepa) were logging off ahead of a well-earned festive break. The agency is used to responding to emergencies – part of its remit is managing the risk of flooding which has grown increasingly severe with the impact of climate change. But what was about to befall it was something entirely new – a cyber-attack more costly than any flood. The clear-up operation would still not be complete more than three years later.

At one minute past midnight hackers activated ransomware, malicious software which encrypts a computer’s data and stops its user accessing files until money, usually in the form of digital currency, has been handed over. That morning the organisation’s then chief executive, Terry A’Hearn, was informed of the attack in a phone call with Sepa’s head of governance and within hours national cyber resilience agencies were helping to coordinate a response. 

The Sepa cyber-attack has cost the taxpayer many millions of pounds. According to figures published in 2022, costs associated with the incident totalled more than £5m, a figure that is likely to have grown since. An Audit Scotland report from the same year said the hack was likely to have been caused by “human error”, possibly an employee being duped by a phishing email. After failing to obtain a ransom, the criminal gang behind the incident, Conti, published thousands of internal documents online.

Sepa had not been ill-prepared for such an incident; the organisation wasn’t playing fast and loose with its cybersecurity. On the contrary, both Police Scotland and Audit Scotland concluded that it had robust protective measures in place. But just as the sturdiest of flood defences can be breached by the rising waters of a winter storm, so too can cybercriminals find a way through. The lesson from the Sepa hack was that if it can happen once, it can happen again.

While some cyber-attacks are hugely sophisticated, involving weeks if not months of planning on the part of the hackers, others are more opportunistic. And while Sepa didn’t pay out, other targets have. In 2021, the world’s largest meat processing firm, JBS, paid an $11m ransom after an attack shut down some of its operations in North America and Australia. It followed a cyber-attack on Colonial Pipeline which paid more than $4m after a ransomware attack forced the shutdown of pipelines in the US. On both occasions, the White House blamed Russia. 

A cyber-attack on Ireland’s healthcare system, caused by someone opening a compromised spreadsheet, led to medical records being stolen and procedures being cancelled in 2021. The group behind the Sepa attack was responsible. Only when the attackers posted a link to an encryption key – possibly because of political pressure from the Kremlin – did recovery work begin. And last year it emerged that a security breach at the Electoral Commission allowed criminals to access the data of 40 million voters. The Commission said the names and addresses of all voters registered between 2014 and 2022 had been open to “hostile actors”. 

When the British Library fell victim to a “deep and extensive” attack last year, hundreds of thousands of files were published on the dark web, including customer and personnel data. Rhysida, the group which claimed responsibility and which takes its name from a type of centipede, had initially demanded a ransom of £600,000. While the library refused to pay, the Financial Times has reported that it will spend around 40 per cent of its £16m reserves recovering from the attack. Meanwhile, the library says it is continuing to experience a “major technology outage” with many of its services expected to be disrupted for several months.

Ciaran Martin, the former chief executive of the National Cyber Security Centre (part of GCHQ), says the hackers should have known the library was never going to pay out. “It has been the undeclared but fairly evident British government policy for years that public authorities will not pay,” he says. “There was no way in hell the government was going to allow the British Library to pay, so it was a bit of a stupid target. However, the message the criminals are implicitly sending to the private sector is that if you don’t pay, look what will happen in terms of your ability to operate.” 

Martin is clear that the vast majority of ransomware attacks originate in Russia. While they may not have the express backing of the Kremlin, there’s an understanding that Russian law enforcement will turn a blind eye as long as Russian companies are not targeted, he says. Conti, the group which targeted Sepa, is estimated to have extorted $180m in 2021 alone. When Russia invaded Ukraine two years ago, the group pledged its support on the dark web, threatening those who opposed Vladimir Putin’s “special military operation”. Last year, the UK Government imposed sanctions on members of the gang who had targeted UK schools, hospitals and businesses, earning around £27m from 149 British victims. 

The attacks have taken on new geopolitical significance with the deterioration of relations between Russia and the West due to the war in Ukraine and the recent death of Alexei Navalny. Just last week, an international policing operation led by the UK’s National Crime Agency disrupted Russia-based LockBit, described as the world’s “most prolific” ransomware group which, according to Europol, has caused billions of euros worth of damage. 

“Russia certainly more than tolerates this activity,” says Martin, who describes the country as the world’s “largest criminal safe haven”. “Its deal with the criminal gangs is, leave Russians and Russian interests alone and the police will not be interested in you. For a while big American companies were installing Russian keyboard software and running Cyrillic script to stop ransomware.” 

While scams, particularly phishing emails, have been an unfortunate part of the internet since it started becoming a feature of our homes and workplaces in 1990s, they have, in the past, been fairly easy to spot. But Dr Natalie Coull, head of the cybersecurity division at Abertay University, says those working in the field are currently engaged in an “arms race” with the hackers, particularly with advances in artificial intelligence (AI) making it harder to differentiate phishing attempts from bona fide correspondence.  

“The criminals are putting all their efforts into this and with advances in AI, it’s just a constant arms race with them trying to stay one step ahead,” she says. “There are a lot of tools out there which use AI and machine learning to spot what might be perceived as malicious traffic on a network – it’s often how anti-virus solutions work…to look for patterns of behaviour which might indicate something is malicious.”

But it’s a double-edged sword, she says, because the criminals have also started to exploit systems such as ChatGPT, making their attacks increasingly sophisticated.

“It used to be really obvious if you got a phishing email because the language would be so off and that was often part of the training materials for spotting phishing attempts. Now it’s so easy for them to write a phishing email which appears really professional and with flawless spelling and grammar. That makes it so much harder for people to spot.”

Both Microsoft and OpenAI, the company responsible for ChatGPT, have warned that hackers in Russia, North Korea, Iran and China are using large language models (LLMs), a type of AI algorithm, to refine their cyber-attacks by researching their victims and improving their malware. Microsoft said the Iranian group known as Curium had been using LLMs to generate phishing emails and even code for avoiding detection by antivirus applications, while North Korean group Thallium had been using LLMs to research publicly reported vulnerabilities and target organisations. Scammers are also understood to be using ChatGPT to create chatbots designed to impersonate young women. 

Even before recent advances in AI, extortion in the virtual world was having real-life consequences. In 2013, Scottish teenager Daniel Perry took his own life after being blackmailed by a Filippino crime gang with footage from webcam chats he thought he had been having with a girl in the US. Despite attempts to extradite a suspect to Scotland, no one has ever been brought to justice in connection with Daniel’s death. In December, Murray Dowey, 16, took his own life after being blackmailed by a predator who had posed as a young woman. His father said Murray’s “world would have crashed around him at the thought” of deeply personal information being shared without his consent.

Indeed, while the financial implications of cyber-crime are clear, the human cost is often overlooked. A recent report by the Royal United Services Institute (Rusi) found small business owners were left suicidal following attacks, while one engineering firm hired a post-traumatic stress disorder (PTSD) team to help its employees following an incident.  

Martin, who previously held senior roles in the Cabinet Office including negotiating the basis of the 2014 independence referendum while Constitution Director, says the cyber-attack on the Irish healthcare system was the most dangerous he has ever seen due to the threat to life. He says that while the public sector takes cybersecurity seriously, preparedness can be “patchy”.

“Quite rightly, we focus a lot on assets such as the power grid and aviation because so much depends on it. But there are other things which would never reach the top of a national risk register – and the British Library is a good example of that – which can be really quite painful [when attacked].”

Yet despite the huge and growing challenge, Coull says the cybersecurity sector continues to struggle to attract young talent, even though past students have graduated and gone into jobs with a starting salary of £80,000. When the UK Government launched a recruitment campaign in 2020 featuring a ballerina and the strapline, ‘Fatima’s next job could be in cyber’, it was mercilessly mocked, particularly against a backdrop of a struggling arts sector. The campaign was later dropped. 

“[Ransomware] is not a problem that is going away,” she says. “But I’m very conscious of just how few people we have coming into the cybersecurity pipeline. One of the problems with the public sector is that while they may have very complex layers to their organisation, they often may not be able to recruit at a sufficient level within their IT and cybersecurity departments because they simply can’t match private sector salaries. There’s a huge shortage of people working in the industry and it’s incredibly difficult getting young people to consider a career in tech and in cybersecurity.”

More than three years on from the cyber-attack, Sepa continues to count the cost. The agency declined to contribute to this article despite previously being complemented on its openness and transparency in relation to the incident. In a statement, it said it was determined to “build back better” rather than simply re-establish legacy systems. 

“The cyber-attack was not a change opportunity Sepa would have wanted to face under such severe circumstances, but it is one the agency was determined to take,” a spokesperson said in an email. “We continue to make strong progress with our recovery, and security is an integral part of our new processes and systems to limit the impact of a future attack.” 

Future attacks across the public sector are not only certain but also potentially far more damaging than anything seen to date. In December, the Joint Committee on the National Security Strategy (JCNSS) said a “catastrophic” ransomware attack could take place at any moment, describing the UK Government’s planning for such an incident as “lacking”.  It said swathes of UK critical national infrastructure – much of it operated by the private sector – remained vulnerable to ransomware, particularly in sectors still relying on legacy IT systems. Dame Margaret Beckett, the Labour MP who is chair of the JCNSS, called on cybersecurity to be afforded a higher priority by government, saying the UK held the “dubious distinction” of being one of the world’s most cyber-attacked nations.

According to the government, it is “almost certain” that Russian actors sought to interfere in the 2019 general election. The National Cyber Security Centre has said that in the run-up to this year’s vote, “we can expect to see the integrity of our systems tested again”. While cybersecurity is unlikely to be an issue which features in any campaign literature or political speeches, it will nevertheless become an increasing priority for whoever forms the next government.