The consequences of ransomware attacks are becoming increasingly damaging, as the UK and Sri Lankan governments recently experienced. A massive ransomware attack, believed to have begun roughly two weeks ago, on August 26, cost the Sri Lankan government four months of data and quickly spread to UK government offices, including the Cabinet Office, which also lost irretrievable data covering the period May 17 to August 26.
The UK Cabinet Office is linked to Sri Lanka’s Lanka Government Network (LGN), as the British government uses the mail@gov.lk email domain. According to the UK’s Information and Communication Technology Agency (ICTA), around 5,000 email addresses could have been affected. Although the system was brought back online within 12 hours of the attack, several months’ worth of potentially highly sensitive data was lost.
The online backup system was also corrupted
There was no offline backup for around two-and-a-half months’ worth of data, as the online backup system was also corrupted in the attack. ICTA had been planning to upgrade the email facility to the latest version since 2021, but the upgrade is believed to have been delayed because of budgetary considerations. The LGN system has been in place since 2007, when it was shipped with Microsoft Exchange for government use; it was later upgraded to Microsoft Exchange 2013, for which Microsoft ended support on April 11, 2023. Microsoft Exchange 2013 remained in use until the recent ransomware attack, despite Microsoft asking customers to migrate to Microsoft 365, Office 365, or Exchange 2019 as early as February.
ICTA is now working closely with the Sri Lanka Computer Emergency Readiness Team to attempt to retrieve the lost data, but both face a difficult challenge, as the data was encrypted by the attackers. Although ICTA did maintain backups of all the data in the LGN cloud, the encryption was also replicated across the online backup systems.
The perpetrators of the attacks remain anonymous at the time of going to press. Still, the likely entry point is a government employee opening a weaponized link in a phishing email, a standard way of delivering ransomware to a targeted organization. Government organizations should, therefore, ensure that staff are educated and trained to be cautious when opening unexpected emails containing links, even if they appear to come from a trusted source.