Breach Notification , Cybercrime , Endpoint Security

Guardian Ransomware Attack May Presage Holiday Blitzkrieg

Expert: Victims More Likely to Pay Quickly to 'Start Recovery and Go on Holiday'
Guardian Ransomware Attack May Presage Holiday Blitzkrieg
The Guardian's headquarters in London (Photo: Bryantbob via Wikimedia Commons)

Stop the presses: Britain's Guardian newspaper publishing group has been hit by a "serious IT incident," believed to involve ransomware, that appears to have encrypted numerous systems.

See Also: Webinar | Everything You Can Do to Fight Social Engineering and Phishing

The Guardian's systems began to get disrupted Tuesday night. While the precise details of this attack are still coming to light, security experts say the timing of the incident - just five days before Christmas - is notable.

"As a general rule of thumb - you will see more ransomware attacks in coming days as people typically do them right before Xmas and New Year, because managers at orgs are more likely to scramble to pay so they can start recovery and go on holiday themselves," says British cybersecurity expert Kevin Beaumont in a Mastodon post.

With the IT disruption, The Guardian, which is based in London, issued an all-hands bulletin to staff, directing many to begin working from home.

"As everyone knows, there has been a serious incident which has affected our IT network and systems in the last 24 hours. We believe this to be a ransomware attack but are continuing to consider all possibilities," Anna Bateson, chief executive of Guardian Media Group, and Editor-in-Chief Katharine Viner told employees Wednesday, The Guardian reports.

Guardian Media Group publishes a daily newspaper with a circulation of 105,000 and runs what the Press Gazette reports is the seventh-most-read news site in the world, which in November counted nearly 390 million visits.

The attack doesn't appear to have imperiled its ability to produce newspapers, while the online production capability remains "largely unaffected," The Guardian reported.

But from an IT standpoint, "The Guardian outage looks pretty bad. Everything in ASN 35825" - IP ranges assigned to the organization - "is offline. They had various on-prem systems, VPNs, FTP servers, etc. that have gone MIA," Beaumont reported on Wednesday.

While The Guardian's cloud infrastructure remains online, he said "it looks like the on-prem Windows infrastructure has bit the dust. The external network links are up, BGP looks fine, but they've taken the internal network offline entirely."

How long it takes The Guardian to recover from the apparent attack remains unclear. "Our technology teams have been working to deal with all aspects of this incident, with the vast majority of our staff able to work from home as we did during the pandemic," Viner and Bateson told employees. "With a few key exceptions, we would like everyone to work from home for the remainder of the week unless we notify you otherwise."

Hackers Love Holidays

If the attack against The Guardian involves ransomware, it isn't clear when its network may first have been breached, says David Stubley, managing director of cybersecurity at British information security consultancy 7 Elements.

"The vast majority of ransomware attacks are opportunistic in nature. However, the initial compromise is often days prior to the actual deployment of ransomware, which is usually timed to have most impact - oftentimes weekends or holidays," Stubley says.

Catching organizations "off guard" remains attackers' priority, says Allena Matheson-Dear, an ethical hacker who works with the Scottish Business Resilience Center. In 2020, for example, the Conti ransomware group hit the Scottish Environment Protection Agency at one minute past midnight on Christmas Eve. In 2021, social care organization Aspire in Glasgow was hit with ransomware on Good Friday.

Lying in Wait

The average time from intrusion to ransomware being activated is 11 days, says Peter Mackenzie, director of incident response at Sophos, based on incidents it handled this year.

The imperative for defenders is to spot the signs of intrusion before files can be encrypted. "Over 80% of ransomware victims had what we class as warning signs prior to the ransomware deployment," Mackenzie says. "These attacks are relatively noisy, and by that I mean mistakes - the attackers use tools and techniques that will get detected by your security solutions."

Unfortunately, ransomware attacks don't just compromise uptime and productivity, but also the health and well-being of defenders, says Sam Curry, CSO at threat-intelligence firm Cybereason. "Think about what it's like: You go home, you have a hard-enough job, and you're called in again and again on the holidays, whether or not the attackers are successful," he says.

For everyone from IT staff to executives, he says, "it leads to burnout. It leads to substance abuse in many cases, and that's an awful human cost."

Prepare, Practice, Repel

Sophos' Mackenzie says the imperative remains to have effective defenses in place and a variety of regularly updated incident response plans. "Ask questions like: What would happen if all our servers got encrypted today, and we had to rebuild everything? How long would it take to get this department new laptops?" he says.

Regularly practice responding to such incidents too. "I absolutely love anyone doing tabletop exercises," Mackenzie says (see: Healthcare: Essential Defenses for Combating Ransomware).

The lead-up to major holidays is a great time to revisit these efforts, Matheson-Dear said in an SBRC blog post last week.

"We are urging people to check their cybersecurity the same way they would physically check their homes and protect them before they go on holidays - and ask them to remind staff about phishing emails," she says. "Our incident response line will be covered over Christmas and New Year's if anyone does need support."

About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.