
Ransomware accelerates the move to cloud services? The British Library case


The British Museum Reading Room - works well even during a ransomware attack?

The British Library recently published an excellent analysis following the ransomware attack it suffered back in October 2023.


The Library is still recovering from the attack (as of March 2024), and it's going through a similar dynamic to other organizations hit by ransomware: calls for IT infrastructure modernization prompt a quick move to the cloud and SaaS applications.


Ransomware threat actors largely base their techniques on the inherent weaknesses of legacy infrastructure (mostly on-prem Active Directory), which prompts a quick move to cloud and SaaS architectures following such cyberattacks: any resistance to the cloud seems to quickly dissipate once the organization faces destruction of its servers and local backups.


Ransomware, it seems, now plays the role of a cloud enabler.


We've seen this pattern in many cases: companies reporting cyberattacks often say they plan to modernize their infrastructure, which in practice means moving to PaaS and SaaS services such as Microsoft 365.


Recently, we covered how a regional government agency in the finance sector suddenly moved its public-facing services (email and web) to the cloud following ransomware destruction of its on-prem infrastructure (see here - https://www.techinsights.pro/post/croatian-agency-discovers-managed-services-more-secure).


It seems a similar dynamic is now playing out at the British Library, which recently published an excellent analysis following the ransomware attack it suffered back in October 2023 (see here: https://www.bl.uk/home/british-library-cyber-incident-review-8-march-2024.pdf).


The Library is still recovering from the attack as of March 2024, and the major applications it relied on effectively cannot be brought back in their pre-attack form.


Here are some key takeaways from the British Library's candid analysis:


  • The most likely attack vector leading to the ransomware deployment was a combination of phishing and remote desktop access (Terminal server) not protected by multifactor authentication (MFA).

  • The BL staff recognizes that MFA is key to mitigating risks, but "for reasons of practicality, cost and impact" it essentially could not implement MFA in its on-prem Active Directory domain. That echoes a common issue for many organizations: Active Directory networks are typically very hard and costly to adapt to a zero-trust architecture and protect with MFA.

  • BL also acknowledges its SaaS applications were protected by MFA, probably as soon as Microsoft started enforcing it by default (BL is a MS365 customer): "MFA was introduced across the Library in 2020 to increase protection of all remote activities relating to cloud applications".

  • As a result, the BL staff finds a silver lining and a key lesson learned: SaaS and cloud systems are typically much easier to protect with MFA, and they are less familiar exploitation targets for ransomware attackers, who base their techniques on the still-prevalent legacy on-prem technology. Therefore, "cloud-based systems, including finance and payroll, have functioned normally throughout the incident."

  • BL recognizes that complexity is the enemy of security and that legacy infrastructure played a large part in the attack's success. "The Library’s unusually diverse and complex technology estate, including many legacy systems, has roots in its origins as the merger of many different collections, organizational cultures and functions. We believe that the nature of this legacy infrastructure contributed to the severity of the impact of the attack".

  • As a result, BL is now planning to move to SaaS and cloud, reducing the on-prem footprint. Of course, they're a bit shy so they say: "We expect the balance between cloud-based and onsite technologies to shift substantially towards the former in the next 18 months".

  • By doing so, they plan to reduce complexity (remember, that was a key attack enabler): they "will reduce the impact of a future attack, reduce operating overheads by replacing legacy systems, embed security across the IT lifecycle and reduce risk in key areas such as data loss, disaster recovery and business continuity. Implementation will require significant changes to our applications, our culture and ways of working, and our policies and processes."


Read the full report here (https://www.bl.uk/home/british-library-cyber-incident-review-8-march-2024.pdf) and learn from the British Library so your organization reduces the chances of a successful ransomware attack.
