BBC Panorama
BBCOne password is believed to have been all it took for a ransomware gang to destroy a 158-year-old company and put 700 people out of work.
KNP – a Northamptonshire transport company – is just one of tens of thousands of UK businesses that have been hit by such attacks.
Big names such as M&S, Co-op and Harrods have all been attacked in recent months. The chief executive of Co-op confirmed last week that all 6.5 million of its members had had their data stolen.
In KNP’s case, it’s thought the hackers managed to gain entry to the computer system by guessing an employee’s password, after which they encrypted the company’s data and locked its internal systems.
KNP director Paul Abbott says he hasn’t told the employee that their compromised password most likely led to the destruction of the company.
“Would you want to know if it was you?” he asks.
“We need organisations to take steps to secure their systems, to secure their businesses,” says Richard Horne CEO of the National Cyber Security Centre (NCSC) – where Panorama has been given exclusive access to the team battling international ransomware gangs.
One small mistake
In 2023, KNP was running 500 lorries – most under the brand name Knights of Old.
The company said its IT complied with industry standards and it had taken out insurance against cyber-attack.
But a gang of hackers, known as Akira, got into the system leaving staff unable to access any of the data needed to run the business. The only way to get the data back, said the hackers, was to pay.
“If you’re reading this it means the internal infrastructure of your company is fully or partially dead…Let’s keep all the tears and resentment to ourselves and try to build a constructive dialogue,” read the ransom note.
The hackers didn’t name a price, but a specialist ransomware negotiation firm estimated the sum could be as much as £5m. KNP didn’t have that kind of money. In the end all the data was lost, and the company went under.
The National Cyber Security Centre (NCSC) says its goal is “to make the UK the safest place to live and work online”. It says it deals with a major attack every day.
The NCSC is part of GCHQ, one of the UK’s three main security services alongside MI5 and MI6.
The hackers are not doing anything new, says “Sam” (not his real name), who runs a NCSC team dealing with day-to-day attacks. They are just looking for a weak link, he tells Panorama.
“They’re just constantly finding organisations on a bad day and then taking advantage of them.”
Using intelligence sources, NCSC operatives try to spot attacks and eject hackers from computer systems before they can deploy ransom software.
“Jake” (not his real name) was night duty officer during a recent incident when hackers were stopped.
“You understand the scale of what’s going on and you want to reduce the harm,” he says. “It can be thrilling, especially if we’re successful.”
But the NCSC can only provide one layer of protection, and ransomware is a growing and lucrative crime.
“Part of the problem is there’s a lot of attackers,” says Sam. “There’s not that many of us.”
Statistics are hard to come by because companies don’t have to report attacks or if they have paid ransoms. However, there were an estimated 19,000 ransomware attacks on UK businesses last year, according to the government’s cyber-security survey.
Industry research suggests the typical UK ransom demand is about £4m and that about a third of companies simply pay up.
“We’ve seen a wave of criminal cyber-attacks over the last few years,” says Richard Horne, the NCSC’s CEO. He denies the criminals are winning, but says that companies need to improve their cyber-security.
If prevention doesn’t work, another team of officers at the National Crime Agency (NCA) has the job of catching the offenders.
Hacking is on the rise because it’s such a lucrative crime, says Suzanne Grimmer, who heads a team NCA.
Her unit carried out the initial assessment into the M&S hack.
Incidents have almost doubled to about 35-40 a week since she took over the unit two years ago, Ms Grimmer says.
“If it continues, I predict it’s going to be the worst year on record for ransomware attacks in the UK.”
Hacking is becoming easier and some of the tactics don’t even involve a computer, like ringing an IT helpdesk to gain access.
This has lowered the barrier for potential attacks says Ms Grimmer: “These criminals are becoming far more able to access tools and services that you don’t need a specific technical skill set for.”
The M&S hackers broke into the company’s system by means of blagging or tricking their way into the system. This caused disruption to shoppers when deliveries were delayed, some shelves were left bare, and customer data was also stolen.
James Babbage, Director General (Threats) at the NCA, says it is the characteristic of a younger generation of hackers, who now are “getting into cybercrime probably through gaming”.
“They’re recognising that their sort of skills can be used to con help desks and the like into getting them access into companies.”
Once inside, the hackers can use ransom software, bought on the dark web, to steal data and lock computer systems.
Ransomware is the most significant cyber-crime threat we face, says Mr Babbage.
“It’s a national security threat in its own right, both here and throughout the world.”
Others have come to the same conclusion.
In December 2023, Parliament’s Joint Committee on the National Security Strategy warned there was a high risk of a “catastrophic ransomware attack at any moment”.
Earlier this year, the National Audit Office produced a report that said the threat to the UK was severe and advancing quickly.
Companies need to “think about cyber-security in all the decisions they make,” says Richard Horne at the NCSC.
Mr Babbage says he would also discourage victims from paying ransoms.
“Every victim needs to make their own choice, but it is the paying of ransoms which fuels this crime,” he says.
The government has proposed banning public bodies from paying ransoms.
Private companies might have to report ransom attacks and get government permission to pay up.
Back in Northamptonshire, Paul Abbott of KNP now gives talks warning other businesses about the cyber threat.
He thinks companies should have to prove they have up-to-date IT protection – a sort of “cyber-MOT”.
“There needs to be rules that make you much more resilient to criminal activity,” he says.
However, many companies are just choosing not to report the crime but simply to pay the criminals, says Paul Cashmore, a cyber-specialist brought in by KNP’s insurers.
When faced with losing everything, companies give in to the gangs.
“This is organised crime,” he says. “I think there is very little progress against catching the perpetrators, but it’s devastating.”
Get our flagship newsletter with all the headlines you need to start the day. Sign up here.