The UK has taken one of the most decisive steps yet in the global fight against ransomware. Following a summer of attacks that disrupted healthcare, retail, and legal services, the government has confirmed that a targeted ban on ransom payments and a universal reporting requirement will become law.

What the Policy Includes

• Ban on ransom payments: Public sector organisations and operators of Critical National Infrastructure (CNI) will be prohibited from paying ransoms. The NHS alone has faced over 1,300 attempted ransomware intrusions in the past 12 months, according to government data.
   
• Mandatory reporting: All UK organisations will need to report ransomware incidents to a new central body. This addresses a long-standing visibility gap only around 20–25% of ransomware attacks are currently reported, according to Europol.

Why This Matters Now

The policy follows a summer in which:
- Marks & Spencer had online retail operations disrupted for months.
- NHS Scotland had patient appointment data temporarily inaccessible.
- The Legal Aid Agency confirmed the theft of over 250,000 case records.

These cases highlight the dual impact of ransomware: direct operational downtime and longer-term trust erosion.

Part of a Global Trend

The UK’s measures align with global efforts under the Counter Ransomware Initiative (CRI), a coalition of 48 countries. The CRI’s 2024 report estimated ransomware caused over $30 billion in global economic losses annually. Unlike the US, which currently discourages but does not ban ransom payments, the UK is moving toward outright prohibition for its most vital services.

What Organisations Must Do

With ransom payment off the table, resilience becomes the only option. The National Cyber Security Centre (NCSC) recommends:
- Multi-Factor Authentication (MFA), which blocks 99.9% of credential-based attacks.
- Offline, immutable backups, tested regularly.
- Security awareness training, especially against phishing (still the entry point in over 60% of ransomware incidents).
- Incident response exercises aligned with NCSC guidance.

The ransomware economy thrives on secrecy and silence. The UK’s new measures end both.

Sometimes supposedly small things make a huge difference. This can also be true in cyber security configurations. In recent weeks, multiple partners described very similar cyber attacks their customers faced, and in some cases, the criminals were unfortunately even successful in compromising customer networks. Specifically speaking, cyber criminals first exfiltrated and then encrypted data with Akira ransomware. Akira ransomware is already out in the wild since march 2023 and many companies fell victim (Cisa has published a very detailled description and also many helpful recommendations in this advisory: https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-109a )

Let me share a real example of a WatchGuard customer with Firebox, AuthPoint and EPDR in place that was hit by this type of attack. From a technology perspective, this seems to be the combination of solutions that makes it really tough for cyber criminals. Nevertheless, they became a victim, data was stolen, and Akira ransomware was used to encrypt data.

So what did happen?

Criminals gained access to their network using stolen or brute-forced credentials for a single user to log in via VPN. Wait a second…don’t they use WatchGuard AuthPoint? They do, but unfortunately, a legacy configuration on their Firebox was in place that allowed logins with the local Firebox-DB users as well. Even though AuthPoint was configured and used since a while already, the option to use Firebox-DB users was still enabled in Firebox configuration. Attackers used stolen or compromised credentials and logged in using Firebox-DB, bypassing MFA that would have protected the WatchGuard AuthPoint users. 

As soon as the criminals had VPN access, they started scanning the network and initiated brute-force attempts, trying to remotely log in to servers and clients discovered in the scans. After about 4 days, they were successful and logged in on 2 different server systems reachable from the VPN.  On these servers, they could steal credentials for a few AD Domain accounts (some even with administrative privileges) and use these accounts to carry on living off the land attacks. Tools like Advanced Port Scanner and netstat were used to scan the network for possible additional target servers and clients. By using these legitimate tools to learn more about the network they tried to hide their activities to remain undetected. 

Most of the endpoints were well protected by WatchGuard EPDR. Even though the attackers could access and log in on some of them they could not install or run ransomware and steal data immediately. Unfortunately one of the systems the criminals compromised was not protected by WatchGuard EPDR so that they could easily use this server to start harmful actions.

•  They collected files remotely from other systems via Windows network file sharing over SMB.
• They compressed the files with the legitimate tool WinRAR
• They uploaded the archives to fastupload.io, a free and legitimate file-sharing service that can be used without account creation.
• They ran the ransomware akira.exe on the unprotected system and encrypt files remotely via windows file sharing. As one of the stolen accounts in first phase of the attack was an administrator this was an easy task. 

The customer discovered the attack when the encryption was already finished and the ransom payment demanded. So it was already too late to stop the attack. Fortunately the customer had a clean and consistent backup of all critical files and data. So they decided to start with a clean implementation and to restore backups. For sure they validated by forensic analysis and deeper investigation that the backup is actually clean. 

What lessons can we learn from this example? 

Even a single parameter in a perimeter firewall solution that is not configured idealy can open an attack vector for cyber criminals. In the specific example the option Firebox-DB was not disabled even though AuthPoint was configured and used already. This allowed attackers to bypass MFA with stolen or compromised credentials. I highly recommend to enable MFA (e.g. with WatchGuard AuthPoint) wherever possible and to double check that no legacy options to log in (especially remotely) without MFA are still enabled. 

As brute-forcing was supposedly used in the attack of my example as well, I also recommend enabling features for brute-force prevention as well. Such features can stop brute-force attempts and disable a user account before the password is known or even block the source ip of an attacker. A good overview about WatchGuard’s features for this and configuration tipps and tricks is documented here: https://techsearch.watchguard.com/KB?type=Article&SFDCID=kA16S000000BcPmSAK&lang=en_US

Another lesson learned is that strong Endpoint Security solutions like WatchGuard EPDR should be in place on all clients and servers to avoid blind spots that could lead to compromise and lateral movement. Akira.exe was blocked and quarantined on EPDR protected systems during the attack in the example, but a single unprotected server could be used to remotely steal and encrypt data from other systems. Akira has even compromised IoT cameras with network access to critical systems to launch their ransomware before.

It is also important to keep operating systems and applications up to date. Having a patch management solution in place is very important to do this in an efficient way.

Secure network segmentation, limiting access between systems and enabling security services to scan internal traffic, can also help to stop attacks or limit the scope of attacks. The Intrusion Prevention System of Firebox, for example, is capable of detecting and blocking network scanning, usage of vulnerabilities, and other harmful activities. I read an article about an Akira infection that used a compromised webcam as servers and clients could not be compromised (https://www.s-rminform.com/latest-thinking/camera-off-akira-deploys-ransomware-via-webcam ) - this underlines the importance of network segmentation, especially for IoT devices.

You should also consider limiting outbound communication by limiting ports and protocols as much as possible and by using Webblocker and other technologies. The site fastupload.io that was used to upload stolen data is categorized as “personal network storage and backup” by Webblocker service. Is it really required to allow such websites for all users and all devices? 

I also recommend to be serious about HTTPS Content Inspection to make sure malicious or unwanted content can be identified in encrypted Web traffic.

What else is important?

But it is not only about strong protective measures. It becomes more and more important nowadays to continuously monitor network and endpoint activities to uncover hidden threats and risks. Cyber criminals use sophisticated tools to prepare and launch their attacks making it more challenging to detect and stop them. Network Detection and Response solutions (e.g. WatchGuard ThreatSync+ NDR) can be of huge help to discover anomalies and react before it is too late. In the example shared network scanning activities and file extractions were identfied in the post-breach investigation – a NDR solution could have discovered this while the cyber criminals were still extending their attack and planning the next steps. With alerting and even reaction or remediation capabilities as part of the NDR solution or based on an integration into XDR solution attacks can often be stopped before exfiltration and encryption of data is happening. WatchGuard ThreatSync+ NDR forwards alarms to ThreatSync Core so that remediation can easily happen – e.g. by isolating a host or blocking network communication.

In many cases an investigation of all suspicious activities will be needed to reveal the full scope of a cyber attack. To make sure this happens immediately on first indication of an attack and in a proactive way Managed Detection and Response services should be considered as well. In the example described our team and other specialists where involved after the breach and encryption happened – too late to protect the customer. With MDR services trained cyber security experts get involved before it is too late and investigate and remmediate threats proactively. WatchGuard recently launched Total MDR as a service that covers WatchGuard Endpoint, Fireboxes, AuthPoint and also ThreatSync+ NDR to identify and stop harmful activities regardless of the attack vector – I am very confident that this service (in case protective measures did not catch the attack earlier) would have caught the attacker before any serious impact.

The combination of well configured protections for networks, endpoints and identities with 24/7 monitoring for anomalies and threats is the level of protection needed today to stay ahead. This is real Security for the real World!

Hey Google. What is Encrypted Client Hello? 

“Encrypted Client Hello (ECH) is a TLS protocol extension that encrypts the initial "Client Hello" message in the TLS handshake, concealing the domain name a user is trying to access from network observers, enhancing privacy and security.”

Google knows all about this because they have led the way on development of this update to the TLS 1.3 protocol. ECH has been enabled by default in Chrome browser since v177 in late 2023, and Google will go on to tell us that this extension to the standard is now supported by other Chromium based browser like Firefox and Microsoft Edge and on the server side by many of the cloud hosting providers like Cloudflare, Amazon CloudFront, and Azure. When the browser implements it and the web hosting provider supports ECH, intermediate transparent proxies are no longer going to see the web site name, which was included in the Server Name Indication (SNI). (Cloudflare has a nice technical description of SNI here. It is a necessary part of the protocol to ensure that devices can open secure connections even when multiple websites are hosted on one server.) This enhances privacy because censors and intermediaries like your internet service provider can no longer see information about websites that you are visiting which was previously seen in the SNI. 

If this enhances privacy and security, isn’t that a good thing for firewalls and security solutions? Yes, but …  one of the important use cases for modern security platforms is to enforce acceptable usage policies in work environments and schools. Organizations use firewalls to prevent people from browsing to adult content in the workplace. Schools setup their firewalls to stop children from seeing inappropriate material. Back when I was a product manager at WatchGuard for Firebox, one of the features that we were really pleased to implement in 2015  (Fireware OS v11.9.4) was SNI based content inspection for the HTTPS proxy. That meant that even if a firewall was not using TLS decryption, we could still do URL category filtering for any https encrypted websites (i.e. pretty much all of them). 

But technology advances, and In the rapidly changing tech landscape, you can’t rely on features that were impactful 10 years ago. Google in their gen AI response recognizes this has an impact and finishes with this coda:

“ECH can make it more difficult for content filtering solutions to identify and block websites based on domain names, which can be a challenge for legitimate safeguarding purposes in education.”

But there are solutions. There are options to switch the default flags in the browser. ECH will not work if encrypted DNS is blocked. But alternatively, we recommend that you fully implement TLS decryption (also sometimes called HTTPS content inspection) in your network solution to inspect all traffic since the majority of malware is hidden in encrypted traffic. In fact, in the latest quarterly WatchGuard Internet Security Report, 60% of malware arrived over an encrypted connection. Some SASE solutions (like WatchGuard FireCloud) make this even easier for remote users by including the necessary HTTPS certificate for TLS decryption in every install of the client on a desktop.