According to the Police Federation of England and Wales (PFEW), the attack on the organization, which represents 119,000 police officers across the 43 forces in England and Wales, was first noticed on March 9. Upon learning of the ransomware attack through a system alert, PFEW responded quickly and was able to isolate the malware before it spread to additional branches, the announcement said.
Though the full extent of the damage remains undisclosed, the FAQs section of the announcement noted that “a number of databases and systems were affected. Back up data has been deleted and has been encrypted and became inaccessible. Email services were disabled and files were inaccessible.”
The investigation remains ongoing, but the PFEW tweeted, “All indications are that the malware did not spread any further than the systems based at our Surrey headquarters, with none of the 43 branches being directly affected.”
The initial announcement suggests that the attack was not targeted, though ransomware generally is not a targeted campaign, according to Matt Walmsley, EMEA director at Vectra. Walmsley added that ransomware is more opportunistic in nature, and its actions create a lot of noise, making it comparatively easier to spot than more stealthy targeted or advanced attacks.
“Whether they had a regulatory or legal need to inform the ICO isn’t clear – particularly if there has been no data breach. The launch of a criminal investigation may help salve anger and frustration but is unlikely to result in accurate attribution, never mind a conviction, even if they’ve called in their friends from the National Computer Crime Unit. However, their transparent reporting, even if it’s a number of days after the instance, should be commended for its candor. Defenses are imperfect, always,” Walmsley said.
The PFEW reported that it is continuing to work with experts to restore systems and minimize damage, which is the goal in the aftermath of a successful ransomware attack, according to Tim Erlin, VP of product management and strategy at Tripwire.
“Every organization should have a plan in place for a successful ransomware attack. While prevention is preferred, the reality is that no security control is perfect. The key to responding to a ransomware attack is to detect quickly, limit the spread and restore systems back to a trusted state. Functional backups are key to recovery, but so is a clear understanding of how systems are configured. Finally, restoring from backups is only useful if you can close the attack vector that allowed the ransomware to gain a foothold in the first place.”