The ransomware juggernaut rolled inexorably onwards in 2024, yet again, leaving more devastated victims in its wake. This year, the UK’s NHS found itself at the receiving end of some particularly nasty attacks, but there were other high-profile victims as well.
Meanwhile, state-backed cyber intrusions from the likes of China and Russia continued apace, driven by global geopolitical uncertainty, with many long-running cyber espionage campaigns exposed.
But if 2024 proved one thing only, it was that shining a light on the cyber underworld is working, and the British are definitely coming for the bad guys, as new attributions from the National Cyber Security Centre (NCSC), takedowns led by the National Crime Agency (NCA), and proposed legislation highlighting ransomware threats to critical sectors is proving.
If 2024 is remembered for anything in the cyber community, it may just be the year in which the good guys took the gloves off and fought back properly.
Here are Computer Weekly’s Top 10 Cyber Crime stories of 2024.
The effects of the British Library ransomware attack at the end of 2023 continued to be felt into 2024 as the venerable institution continued to struggle to bring its crippled systems back online.
In January 2024, it emerged that the scale of the ransomware attack was so immense and its effects so devastating, it could end up costing the British Library up to £7m, dwarfing the £650,000 ransom demand.
Later in the year, in a remarkable display of transparency, the British Library’s leadership published a detailed breakdown of their experience at the hands of the Rhysida ransomware crew, to help others learn and understand.
Also in January, Cozy Bear, the Russia-backed hacking outfit behind the SolarWinds Sunburst incident, was back in action, breaking into Microsoft’s systems with a brute force, password spraying attack and from there accessing corporate accounts belonging to leadership and security employees.
Microsoft is one of a number of suppliers that finds itself at the receiving end of such intrusions, thanks in part to its global reach and scale, and its in-depth relationships with Western governments, and has faced tough questions over its security posture in recent years as a result.
One of the biggest stories of the year unfolded dramatically on a dull February day, when the infamous LockBit ransomware gang was taken down and its infrastructure hacked and compromised in Operation Cronos, led by the UK’s National Crime Agency (NCA).
In the immediate aftermath of the takedown, Computer Weekly took the temperature of the security community, finding upbeat sentiment, but also tempered by the knowledge that one swallow does not make a summer.
Throughout the year, the NCA has been sharing a trove of information it gathered during the exercise, as well as taking time to mock and troll LockBit’s leader, since named as Dmitry Khoroshev, who at one time boasted of his luxury lifestyle as he toyed with law enforcement.
In April, threat intel leaders Mandiant formally “upgraded” the malicious activity cluster known as Sandworm to a full-blown, standalone advanced persistent threat (APT) actor to be tracked as APT44 – other companies have different taxonomies, Mandiant’s is alphanumeric.
APT44 is run out of Russia’s Main Intelligence Directorate (GRU) within Unit 74455 of the Main Centre for Special Technologies (GTsST) and is described as one of the most brazen threat actors around.
Although it confines its activities to those in service of the Russian state rather than financially motivated criminality, the links between cyber crime and cyber espionage continued to blur during 2024, with some nation state APTs even acting as initial access brokers (IABs) for ransomware gangs.
In early June, a major cyber attack on Synnovis, a pathology lab services provider that works with Guys and St Thomes’ and King’s College hospitals in London, as well as other NHS sites in the nation’s capital, was laid low by a Qilin ransomware attack.
This intrusion resulted in a major incident being declared in the NHS, with patient appointments and surgeries cancelled, and blood supplies running dangerously low. The ramifications of this truly callous cyber attack are still being felt six months on.
All eyes were on Westminster in July for the first King’s Speech held under a Labour government in over a decade, and for the security community there was plenty to pick over as Keir Starmer’s administration proposed implementing compulsory cyber incident reporting – including ransomware – for operators of critical national infrastructure (CNI), in a new Cyber Security and Resilience Bill.
According to the government, the law will expand the remit of existing regulation and give regulators a more solid footing when it comes to protecting digital services and supply chains, and improve reporting requirements to help build a better picture of cyber threats.The Bill will likely be introduced to Parliament in 2025.
In September, the UK and its Five Eyes allies joined forces with European Union (EU) and Ukrainian cyber authorities to highlight a dastardly campaign of cyber espionage conducted by Unit 29155, another Russian APT.
Unit 29155 targets victims to collect information for espionage purposes, sabotages websites and daily operational capabilities, and tries to cause reputational damages by selectively leaking important data. It has conducted thousands of exercises across Nato and the EU with a notable focus on CNI, government, financial services, transport, energy and healthcare.
It is also particularly notable for its involvement in the Whispergate campaign of destructive malware attacks against Ukraine in advance of the 2022 invasion.
US-based financial services and money transfer outfit MoneyGram was another high-profile cyber attack victim to emerge in 2024, with its systems taken down in an apparent ransomware attack in September 2024.
Moneygram’s customers in the UK include the Post Office, which cancelled its contract with the beleaguered supplier shortly thereafter with immediate effect – apologising to its subpostmasters for giving them barely 24 hours’ notice of this.
It has since emerged that MoneyGram customer data was stolen in the attack, which most likely began through a social engineering attack on its IT helpdesk.
Proving that social engineering, unfortunately, works, a British national now named as 22 year-old Tyler Robert Buchanan was charged in the US in November 2024 with offences relating to the Scattered Spider cyber attacks.
A year previously, Scattered Spider hit multiple companies, including high-profile Las Vegas casino operators, and many others, via audacious social engineering attacks that often targeted helpdesks, frequently by exploiting Okta identity services.
The Scattered Spider gang was unusual in the current threat environment in that its core members were all US and UK-based, proving once and for all that not all cyber criminals have Russian accents. Buchanan faces over 40 years in prison in the US.
It is a well-established fact that ransomware gangs have it in for healthcare providers such as the NHS but to this list of preferred victims we might now also add the people of Liverpool as at the end of the year a series of attacks on multiple hospitals on Merseyside made national headlines.
Such bodies control a wealth of extremely private and highly regulated data, and are often operating IT and security on shoestring budgets with legacy technology – what red-blooded felon could pass up such an opportunity?
Among the victims was the nationally famous Alder Hey Children’s Hospital, which alongside two other area hospitals found itself hacked through a shared digital gateway service. This was likely a result of the exploitation of the Citrix Bleed vulnerabilities known about for over 12 months, demonstrating that prompt patching really is the best medicine.