Your company has been hacked. The clock is ticking. Here’s who to call
THE SUNDAY TIMES MAGAZINE
Marks & Spencer and Jaguar Land Rover lost millions this year after their systems were attacked by cybercriminals. James Ball meets the ransomware negotiators who are paid to limit the damage, get your data back and save companies’ reputations
The British Library discovered it had a problem shortly after 7.30am. It was the morning of Saturday, October 28, 2023, when one of the library’s tech support staff realised they couldn’t connect to its network. Within minutes the scale of the problem was becoming apparent. Everyone was logged out of their systems. Payroll, HR records and internal documents were unavailable. Arguably even more seriously, no one could access the library’s archives or digitised copies of books in its collection. Even tourists were affected: as the library tried to open for business, it had no means of selling or even scanning tickets for its exhibitions.
By 9.15am the library’s tech team realised they were dealing with a cyberattack, and by 10am it had been escalated all the way to its “gold crisis response team” — an emergency panel of the organisation’s top executives, convened on this occasion via WhatsApp because their email systems were down.
It would take months for the full extent of the damage to become apparent. Hackers had gained access to the British Library systems three days before they were discovered, probably via a tool used by the library’s third-party IT contractors to remotely access and update its systems. They had quietly managed to steal nearly 600 gigabytes of sensitive data including HR records and personnel files, plus any document using the words “private” or “confidential”, before encrypting all of the library’s systems and its back-ups. The motive was a double extortion: they were holding the systems hostage and also threatening to release the sensitive data if the ransom wasn’t paid.
The demand, made via a note left behind on the hacked systems, was for 20 bitcoins — worth about £600,000 at the time — or else the library’s computers would be left inaccessible and the sensitive data published. As a public institution the British Library refused to pay up. On November 27, nearly a month after the initial attack, the hackers made good on their threat, publishing the data to the dark web, where it is available to this day.
The British Library was hacked in 2023. It cost £7 million to rebuild its IT systems afterwards
Even without paying a ransom, the financial damage was significant: the hack cost at least £7 million, a little under half of the library’s reserves. That was the estimated cost of rebuilding its IT systems because the old infrastructure could not be made secure. It had to buy in new software and the staff to install it, then repopulate the data. For months researchers had virtually no access to the library’s archives. Now, more than two years later, many of its digital records are still offline. Britain’s most famous research institution is still not fully open for business.
The nightmare at the British Library is an increasingly familiar one to Britain’s executives. It has been a year of mega-hacks. In April Marks & Spencer was targeted by a hacking attack that left it unable to restock its shops for more than a week, and which took its online shop offline for months — costing an estimated £200 million. An attack on the Co-op’s supermarket systems the same month cost it a similar £206 million in lost sales.
These were dwarfed by an attack on Jaguar Land Rover (JLR) that shut down manufacturing lines, leaving its suppliers in crisis and landing the carmaker with losses that analysts estimate could end up north of £2 billion (JLR says it expects the final figure to be lower). For a company such as JLR, missed sales may not come back either: we buy a car every few years, not every few weeks, meaning potential buyers might have gone to rivals. “Some of the volume we will get back, some we will not,” the chief financial officer, Richard Molyneux, noted on a call to investors.
Our biggest institutions are being extorted by criminal gangs — with millions if not billions in collateral damage along the way. Most of us, though, know almost nothing about what happens behind the scenes in those minutes and hours after a hacking attack — who do you call when you’re the victim of a cybercrime? And how do you negotiate with a gang that has just taken down your entire business?
Analysts estimate that the recent attack on Jaguar Land Rover may end up costing the company more than £2 billion
Marks & Spencer’s online shop was down for months following an attack, resulting in an estimated £200 million loss
Tim Rawlins probably won’t be the man directly on the other end of the phone during a crisis, at least not at first, but if your situation is bad enough you could find yourself on a Zoom call with him soon enough. Rawlins, 59, is a father, stepfather and step-grandfather who can usually be found with his artist wife walking their dog on their local common or kayaking on the nearby rivers when not supporting clients through their hacking calamities.
He had a decades-long “government” career in counterterrorism and counterintelligence operations — polite parlance for a spy — before going on to serve as security director for a broadcaster, operations director for the O2 arena in London and chief security officer for Credit Suisse. Today he’s a director and senior advisor at NCC Group, one of eight companies authorised by the UK government to handle the most serious hacking incidents, up to and including those affecting critical infrastructure. NCC Group was the company brought in after the British Library hack and many other prominent attacks — though Rawlins scrupulously avoids talking about individual incidents. For him, trouble usually starts on a Friday night.
“The Friday afternoon telephone call is something that all insurance companies and cyber-incident response companies are well used to,” he says wearily. A company that has been targeted by hackers often spends a day or two trying to handle it independently — or deludes itself about the scale of the damage. But as the end of the week draws near, with no solutions in sight, “they’ve reached the end of their tether. They’re now stuck. They don’t know quite what to do or who to report to or how to manage it, and they finally bite the bullet and they ring us up and go, ‘Can you come and help?’
“Immediately, that is going to cost them more. Because, you know, everybody charges double time for a weekend,” he says with a slight shrug.
Tim Rawlins of NCC Group, one of eight companies authorised by the government to handle the most serious hacking incidents
For bigger companies, or those who are well prepared, Rawlins and his team might be on the scene earlier because they’re on retainer. Either way, once they’re called in there are two immediate tasks. A digital forensics team starts looking into the attack itself, trying to determine how bad it is, how the attackers got in and whether they’re still in the systems, not least because sometimes they’re even spying on the response.
“There have been cases where they [the hackers] have been on the call with the organisation, or on the Teams chat, watching what’s happening, what’s going on inside. We’ve seen it for real,” he recalls.
As the forensics experts work out how bad things are — and make sure the hackers aren’t listening in as the executive team responds to the incident — Rawlins has a different job, reassuring not just panicked executives, but also board members, customers, insurers and others. Part of his USP is the fact he has been there and done that when no one else in the room has.
One priority is working out what the hackers actually want. Some, often backed by hostile nation states, are trying to steal trade secrets or compromise internal information, though this is a relatively small fraction of attacks. The majority are so-called “ransomware” attacks, of which there are two sorts.
The first locks up all of an organisation’s critical systems and offers to hand over the key to decrypt them if a ransom is paid by a deadline, or to destroy the key if the deadline passes. The second involves stealing an organisation’s sensitive data and threatening to release it if a ransom isn’t paid — or to delete the stolen copies if it is. Savvy modern hackers typically try to do both in one attack.
If hackers want a ransom, they usually make it obvious this is the case. This often involves leaving an unencrypted file for the IT team to find — typically called README.txt. More recently, frozen computers might display a QR code giving instructions on how to contact the hackers, including a helpful tutorial on how to download a chat app on the dark web that lets them talk with their victims in an encrypted environment that’s hard for law enforcement to monitor.
Hacking is now a serious and organised crime, typically conducted by experienced gangs, almost always located outside the UK. The era of a lone hacker working from a basement is all but over, according to Hamish Krebs, 36, executive director of digital forensics and incident response at the global cybersecurity firm CyberCX.
“We know when it’s a group,” he explains. “There are a couple of ways you can tell that. For example, there are multiple things happening simultaneously on multiple computers.”
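As an added example, not code from the article or from any of the firms quoted in it, the Python below reduces two of the tells described above to detection logic run over file-activity logs: one account writing to several hosts within seconds of each other (Krebs’s “multiple things happening simultaneously on multiple computers”), and the same account dropping a file named like a ransom note into many directories. The log lines, host names and the account name svc_rmm are constructed for illustration, and the list of note filenames is an assumption; README.txt is a common legitimate filename, so the signal is the spread across directories and hosts in seconds, not the name alone.

```python
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta
from posixpath import basename, dirname

Event = namedtuple("Event", "time host account action path")

# Assumed note filenames; real gangs vary these, so treat this as a starting list.
RANSOM_NOTE_NAMES = {"readme.txt", "how_to_decrypt.txt", "restore_files.txt"}

# Constructed sample log lines (not from any real incident):
# time, host, account, action, path. svc_rmm is a hypothetical remote-management account.
SAMPLE_LOG = """\
2023-10-28T07:02:11Z fs01 svc_rmm WRITE /shares/hr/payroll.xlsx.locked
2023-10-28T07:02:12Z fs02 svc_rmm WRITE /shares/finance/q3.xlsx.locked
2023-10-28T07:02:12Z fs03 svc_rmm WRITE /shares/legal/contract.docx.locked
2023-10-28T07:02:13Z fs01 svc_rmm WRITE /shares/hr/README.txt
2023-10-28T07:02:14Z fs02 svc_rmm WRITE /shares/finance/README.txt
2023-10-28T07:02:15Z fs04 svc_rmm WRITE /shares/archive/README.txt
2023-10-28T07:02:16Z fs05 svc_rmm WRITE /shares/digitised/README.txt
2023-10-28T07:05:00Z ws17 jsmith WRITE /home/jsmith/notes.txt
2023-10-28T07:30:00Z ws21 jsmith WRITE /home/jsmith/README.txt
"""


def parse_log(text):
    """Parse one space-separated event per line into Event tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, account, action, path = line.split(maxsplit=4)
        events.append(Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                            host, account, action, path))
    return events


def find_multi_host_bursts(events, window=timedelta(seconds=30), min_hosts=3):
    """Accounts whose writes hit at least min_hosts distinct hosts inside one window.

    Returns {account: sorted hosts seen in any flagged burst}.
    """
    by_account = defaultdict(list)
    for e in events:
        by_account[e.account].append(e)
    flagged = {}
    for account, evs in by_account.items():
        evs.sort(key=lambda e: e.time)
        hosts_in_bursts = set()
        for i, start in enumerate(evs):
            hosts = {start.host}
            for e in evs[i + 1:]:          # events are sorted, so stop at the window edge
                if e.time - start.time > window:
                    break
                hosts.add(e.host)
            if len(hosts) >= min_hosts:
                hosts_in_bursts |= hosts
        if hosts_in_bursts:
            flagged[account] = sorted(hosts_in_bursts)
    return flagged


def find_ransom_notes(events, min_dirs=3):
    """Accounts that wrote a note-like filename into at least min_dirs distinct directories.

    Returns {account: number of distinct directories}.
    """
    dirs = defaultdict(set)
    for e in events:
        if e.action == "WRITE" and basename(e.path).lower() in RANSOM_NOTE_NAMES:
            dirs[e.account].add(dirname(e.path))
    return {acct: len(d) for acct, d in dirs.items() if len(d) >= min_dirs}


def triage(text):
    """Run both checks over a log and return the accounts each one flags."""
    events = parse_log(text)
    return {"multi_host_bursts": find_multi_host_bursts(events),
            "ransom_notes": find_ransom_notes(events)}


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

On the sample, svc_rmm is flagged by both checks and jsmith by neither: two writes 25 minutes apart on two workstations, one of them to a file called README.txt, never cross either threshold. Note what this does not catch: the British Library intruders had three quiet days inside before the noisy encryption phase, and nothing here would have fired during the exfiltration, so this complements, rather than replaces, monitoring of the remote-access tooling itself.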
Hamish Krebs, a digital forensics expert at the global cybersecurity firm CyberCX
Hacking, Krebs continues, is essentially a job. The kind of repetitive digging needed to break into a corporate system is mostly boring drudge-work, done for money. “A lot of hacking at some level — even though it is kind of scintillating, maybe — is just work. It’s not all fun,” he says. Enterprising groups are experimenting with outsourcing some of this repetitive work to AI, sparking a race among AI companies to build tools to detect and prevent misuse of their services.
These modern hacking gangs dole out the work like any other company. Their equivalent of the tech team do the actual hacking, bosses call the shots, and the business of negotiating the ransom is left to their equivalent of customer services — which, just as in real corporations, is sometimes outsourced entirely.
“They often have affiliate models,” Krebs says, describing the cordial relationships between different criminal enterprises that resemble outsourcing in the non-criminal world. For instance, a group with good English speakers but limited hacking skills might handle negotiation for a percentage commission of whatever ransom payment they collect, given that the hackers themselves are often located in Russia or east Asia and may not speak a word of English. The hackers have specialist, experienced negotiators, meaning the companies need one too.
The question of ransoms is an uncomfortable one for everyone in the field, who typically become very cautious as soon as the topic is raised. The official stance of the UK government is that it discourages companies from paying ransoms to hackers, and doesn’t ever pay them itself. But it has stopped short of banning or criminalising payments, quietly accepting that sometimes paying up is necessary.
Given the hackers are keen to get their reward for their efforts, they make themselves easy to get hold of — usually leaving instructions behind on how to join a chat room on the dark web and discuss paying a ransom using cryptocurrency. The big companies such as NCC Group and CyberCX, though, generally don’t do the negotiations themselves. That’s farmed out to specialist companies that do almost nothing except gather intelligence on hackers and negotiate with them.
Magnus Jelen, 41, a trained hostage negotiator and former Danish intelligence officer, works for Coveware, one of the two main companies that specialise in just this. It’s a strange role, he explains.
“It’s somewhere in the middle between a commercial negotiation and a hostage negotiation, and it will have elements of both,” he says. The emotional stakes are much lower than in a kidnapping, even if serious money is at stake.
Magnus Jelen at Coveware gathers intelligence on cybercriminals and helps businesses conduct ransom negotiations
Jelen, however, will typically be negotiating with someone who has also done this before, which isn’t true of most hostage-takers. The result is a strange hybrid negotiation, not least because he will often be posing as a confused mid-ranking executive at the targeted company.
It’s less emotional than a hostage situation but it’s not just a normal business deal either. “The victim is forced to be there,” Jelen notes wryly. He won’t be drawn on the details of actual negotiations. Hackers can read newspaper articles too, he points out, so anyone who would discuss their tactics is probably an amateur.
Through my various conversations, however, I can put a basic picture together. If nothing else, the cybersecurity firm and the victim want to buy time to see how bad things are: how much data have they lost? Is the data recoverable? Are there any back-ups and so on. That means they’d like to look as if they’re negotiating to buy some time, though experienced hackers will often be well aware that’s what they’re doing.
The security firms will also be trying to identify the group behind the attack. Because companies such as Coveware deal with so many negotiations — 50 to 100 incidents a month, according to Jelen — they collect detailed statistics on each group. These include how often paying the ransom actually works and what the lowest and highest ransom payments a particular group has accepted are.
As the main negotiations are going on, a series of other talks takes place. Many large companies now have insurance against severe hacking incidents — and an insurer, on the hook for damages that can run into millions of pounds a day, may insist that a ransom is paid or else it will stop covering ongoing costs. In a case such as Jaguar Land Rover’s, where production came to a standstill, those costs mount with every passing day.
Simultaneously, everyone concerned will be researching whether the hacking gang is sanctioned — because paying ransoms to someone you have reason to believe is on the sanctions list is a criminal offence. Some ransomware attacks are conducted to raise money for North Korea, while others are done by hackers based in states covered by broad financial sanctions.
Finally there is the business of actually making the payment, which companies typically want to keep off their books. There are of course specialists who help manage this part of the transaction too.
The fee to a specialist such as Coveware, which typically charges in the low tens of thousands of pounds for each incident, is in part for this kind of intelligence: who the gang is, what it has accepted before and how often it has actually delivered after being paid.
Victims are increasingly refusing to pay up, according to Jelen at Coveware. A few years ago a sizeable majority of victims paid ransoms. Today that’s dropped to just 23 per cent of the cases Coveware deals with.
“We’ve never seen the number be this low before,” he says. “The overall reason is that companies are getting better at understanding this is something they have to prepare for.” The public nightmares of organisations such as the British Library worry executives in other companies enough that they actually take the prospect of a hack seriously, and make sure they have better plans and countermeasures in place.
There is also increasing awareness that paying a ransom doesn’t make the problem disappear — in almost every case, only some of the data is recovered. Having off-site back-ups that can’t be remotely erased, better compartmentalisation of systems and improved auditing make a company much more resistant to this kind of attack, but these work only if the company has had the foresight to put them in place in advance.
Hamish Krebs of CyberCX offers a blunt reason for why ransoms aren’t paid in extortion cases — where hackers steal customer data and threaten to release it publicly. Basically, he says, most of us are so used to hearing that our data has been hacked that we don’t really care any more. If our phone provider or pet insurer sends us an email to say our details have been exposed, are we really going to go to the effort to switch? “There’s almost a fatigue of just, ‘Oh, another data breach.’ Like, who cares?” Krebs says, noting that most of the organisations we deal with don’t actually know anything very interesting.
One exception, Krebs says, is companies that deal mostly with other businesses, especially when privacy is a significant part of their offer. “In our experience, law firms, healthcare and the like pay ransoms much more often because they care a lot about the reputational hit,” he says. “I’ve sat with chief financial officers who have literally done the maths and said, ‘OK, the ransom is worth $500,000 but that contract is worth a million dollars a year for us. So of course we’re going to pay the ransom.’ ”
One quirk of hacking attacks is that the damage they do is vastly larger than the financial reward to the hackers. If someone robs a bank for £100,000, then the bank loses that much and the robbers gain the same amount. If a cyberattack takes down the systems of a large company it might cost hundreds of millions, but the hackers could get less than 1 per cent of that.
Given the global nature of the crime, there’s only so much UK authorities can do. In February last year the National Crime Agency (NCA) led an operation that disrupted LockBit, said to be the world’s largest ransomware group, which sold its services to criminal affiliates. Among its victims was Royal Mail, which was hit with a ransomware attack in January 2023, scuppering international deliveries. The NCA, working with the FBI and Europol, broke into LockBit’s systems and stole its data. A message appeared on the group’s homepage on the dark web, saying it was “now under control of law enforcement”.
The hacking group LockBit gets a taste of its own medicine in February 2024, when the National Crime Agency takes control of its site on the dark web
No arrests were made, however. Those behind LockBit were believed to be based in Russia and out of reach. In any case, new groups quickly spring up in place of those that are brought down. Serious cybercrime is increasingly just another cost of doing business in the 21st century.
That, at least, is good for business for people such as Tim Rawlins and the NCC Group — even if it spoils his plans to go kayaking at the weekend because he’s received yet another last-minute phone call. He is always on tenterhooks on a Friday night in case the phone rings.
“Very, very rarely, if I’ve got through to about seven o’clock, then it’s negroni time,” he says. “If they call me after seven, I might have had a glass.”
