Basic cybersecurity hygiene measures such as multi-factor authentication could have prevented a costly ransomware attack against the Edinburgh Fringe, a senior executive for the charity behind the annual festival has said.

Lyndsey Jackson, deputy chief executive of the Edinburgh Festival Fringe Society, said that the organisation could have potentially withstood a crippling attack which knocked out its internal systems, if it had two-stage authentication measures protecting its Office 365 administration software.

Fortunately, the organisation’s public-facing ticket sales platform was not affected by the ransomware incident on January 18 last year, which left the organisation’s internal HR, finance and much of its media and marketing archive dating back 20 years inaccessible.

A ransomware note purporting to be from the Russia-linked Conti gang came via email and demanded the organisation pay $15,000 to regain access to their network. The Society refused to pay, however, leading to a costly recovery which amounted to £65,000, around half of which was eventually covered by its insurer, Chubb.

Jackson told an audience at Cyber Security 2023 in Glasgow on Monday: “We made it really easy for them….and I don’t know why we were so resistant to it [multi-factor authentication]. Even just those really basic hygiene factors that we missed, they would probably have prevented what happened to us, I think.”

She described the cyberattack as a “huge blow” to the organisation, which led to them having to recover over a period of many months. Initially they were supported by the likes of the Cyber and Fraud Centre – Scotland, and the National Cyber Security Centre, and are now being helped in the rebuild by managed service provider, CisCom.

She said: “That’s just going to really take away all that manual intervention. Alongside that we’ve got a series of sort of monitoring and vigilance and detection systems…but ultimately it doesn’t rely on somebody looking at a server and saying, ‘Oh, there’s a blinking red light. What should I do about that?’ It relies on somebody, somewhere else having an automated system that tells us.”

Jackson said she is also working internally with staff on training and awareness around IT systems, and to avoid opening phishing emails, which was the attack vector on the organisation.

“There is a lot left still to be done,” she added. “We don’t have an in-house cyber team and expertise. We are a tiny charity making this enormous festival happen but we’ve certainly learnt a lot from what happened to us.”

The conference heard earlier in the day from the deputy assistant director of the FBI’s Cyber Division in the US, David J Scott. He presented new figures which showed in 2022 the bureau received 870 complaints that indicated organisations “belonging to a critical infrastructure sector were victims of a ransomware attack”. 

Mr Scott, who also acts as director of the National Cyber Investigative Joint Task Force, said to keep in mind that there are “many more” non-critical infrastructure related attacks, and that only approximately 20 per cent of victims report cyberattacks to the government, highlighting the huge issue of underreporting of cybercrime.

Of the 16 critical infrastructure sectors, IC3 reporting indicated 14 sectors had at least one member that fell victim to a ransomware attack last year. Of those, the top three targeted sectors were healthcare and public health facilities – including hospitals – with 210 complaints. Second was critical manufacturing with 157 reported ransomware incidents and government facilities, including schools, with 115.

He revealed that the three top ransomware variants reported to the IC3 that victimised a member of a critical infrastructure sector were Lockbit, BlackCat, and Hive, the latter of which was recently targeted in a successful FBI-led operation with global partners.

Mr Scott said: “If there’s one thing I take from these statistics, it’s the callousness of these nefarious cyber actors. Take a look at the hardest hit critical infrastructure sector on this chart… the healthcare sector.

“That shows me these criminals are willing to do us harm – you and me and our families – to get what they want.”

Mr Scott gave other examples where law enforcement has been able to interdict the operations of cybercriminals. In August of 2021, the FBI identified an imminent Iranian cyberattack on the Boston Children’s Hospital, a 395-bed facility for sick children. The agency immediately notified the hospital and deployed personnel on-site, including its Cyber Action Team (CAT).

In July last year, Ireland’s Garda National Cyber Crime Bureau identified time-sensitive early indicators of intrusion activity against a hospital in the United States, in the State of Nebraska, which appeared to be precursor activity for ransomware.  

The Garda relayed the information an FBI Legal Attaché in the UK, who in turn notified CyWatch, the agency’s 24-hour watch centre in Virginia before contacting the Omaha Field Office. The hospital had not been aware of the intrusion but was able to confirm the attackers gained access to one of their servers.  

Mr Scott added that the information was able to help the hospital mitigate the intrusion to prevent any data exfiltration, ransomware deployment, or impact on medical services for patients.  

He said: “All of that occurred in an hour to two hours total. That teamwork by our partners in Ireland potentially saved lives.”

Lindy Cameron, CEO of the National Cyber Security Centre (NCSC), also spoke at the conference at Strathclyde University’s Technology & Innovation Centre. She shared her concern about underreporting and its consequences.

“If you flag something early, it’s not just for your sake but everybody else’s sake. The thing to understand with reporting is these are incidents [are] that often if we spot early what is going on we can spot the early stages of something that might become much bigger.” She said it was analogous to letting in a burglar who then will go off and do the same with all the properties on your street.

“It’s a good citizen issue, I think,” she said.

She added she thinks there’s a risk that underreporting may get worse before it gets better and it was better to have a conversation in the open about it, rather than necessarily use a “heavy burden regulatory approach”. Sectors like defence are a particular concern, she said, where it is “really important the supply chain is flagging stuff up” because of the possibility of state-sanctioned cyber activity for espionage purposes.

“Those actors are most interested in not being spotted, because they want your data: they don’t necessarily want to lock up your systems,” she said during a panel discussion.

However she said: “We still see ransomware as the biggest threat to the UK, primarily because it has the potential to do the most economic harm.”

She said the NCSC takes a “holistic approach” and doesn’t separate cybercrime into state and non-state actors, with “constant vigilance up and down the chain looking for where the threats are coming from”.

In terms of the public sector, she said if organisations spanning healthcare, education and local government in Scotland were able to plan seriously for what they would do in the event of a ransomware attack, it would make them much more effective at defending themselves against a much wider range of threats, “and frankly annoyingly difficult for people to get at”.

She said: “What’s your worst day, if a ransomware attacker managed to take down most of your key systems, or steal a large quantity of your personal data in a way that you need to treat that as a major emergency. Plan for that and that will help to build your resilience against a much wider range of threats.”