Can't get your low-cut socks from Marks? Almost empty shelves in your local Co-op? Inconvenient for you, but potentially a disaster for the companies, because the reason is that both have been victims of cyber attacks that have paralysed their computer systems.
The most profitable form of cyber attack at the moment is ransomware, where criminals infiltrate computer systems, shut them down and then demand a ransom to restore services, or even demand the money to stop them publishing data they've stolen. Four years ago, we made an episode about ransomware, but it's clear that the problem hasn't gone away. So what exactly is ransomware? Who's responsible? What can be done about it? And why hasn't it been done already?
Step into the briefing room and together we'll find out. First, how do these ransomware attacks work? Emily Taylor is CEO of Oxford Information Labs and co-founder of the Global Signal Exchange. Emily Taylor, can you explain to me and the listener how a ransomware attack works?
If you were in a company and you were subject to ransomware, probably the first thing that you would know is that nothing works. You can't get in. It's like being locked out of your house, locking your keys in the car. You can see where you want to be, but you can't be in there. You can't get into your computer system. And so think about all of the different ways that we use systems, particularly in complex businesses. It's about your email, all your communications, all your business records, everything that's going on, and also the ability to find out and communicate with your people. All of that's gone. And so speaking to people who've done, you know, response to ransomware attacks, what they all remark on is how disorientated everybody is, how frightened they are actually, because we all rely on these systems so much, and being locked out because a criminal has got into your system, has scrambled the data in it and also locked you out of it. You're locked out, your computer system just won't work.
How do you know that you've been the victim of a ransomware attack? Well, usually there's a demand. It's the extortion. It's like, we've locked you out of your system. We've got your data. You need to pay a ransom. A bit like taking your data hostage. It's like old-fashioned kidnapping. Do they stick that up on the screen? So if you're locked out, does something come up on screen and say, we've got your stuff? Often that's the way, or there will be some other contact.
But it is the sort of you go to where you expect to see a familiar and reassuring image of your stuff and instead you get a ransom notice. Let's say you've been a victim of attack and you do pay the ransom. What's the guarantee that they won't just do it again? If you pay the ransom, there's no guarantee that they won't do it again. There's no guarantee that they'll release your data again.
And it's a bit like, you know, there's often waves of different types of crime in the real world, like piracy, hijacking and so on. And actually paying the ransom feeds the business model. If people pay the ransom, then it's good business. There is no guarantee that you'll get your data back. Right. Now, how have the criminals got into the system in the first place?
Often the way in is quite straightforward and a technique that's often used in a lot of cybercrime, what is called social engineering or phishing, is somebody pretending to be a trusted party and getting the target to reveal either their personal information or their access to a system.
And another thing that has come up in the context of the recent spate of ransomware attacks affecting the UK is a thing called SIM swapping. SIM swapping. SIM swapping. So that is, you have the ability, we all have the ability to move our phone number from one device to another. And that's actually very useful. It can maintain our phone number across our Nokia bricks to our smartphones to the latest and greatest.
So a cybercriminal can exploit that by getting a phone company to move the target's phone number to a SIM that the criminal is in control of. And in that case, they can get all of those access codes that we get when you want to change your password, what we call the two-factor. You intercept it as the criminal. The target doesn't know anything about it except that their phone weirdly stops working.
And then you can reset the passwords to a number of sensitive systems. And it's thought that that can be a way in. Totally terrifying. Is ransomware the main type of cyber attack we're seeing at the moment? There are many types of cyber attack happening at the moment. The global cost of cyber crime as a whole is estimated to be about $10 or $11 trillion, which in context, if it was a global economy, it would be one of the best economies in the world.
So, ransomware is part of that and actually a lucrative area. But there's also scams and fraud, romance scams, investment scams that affect individuals rather than companies and can end up with individuals losing tens, sometimes even hundreds of thousands of pounds. Do you think that companies like M&S and other retail companies, companies like this, are felt to be more likely to pay up than other institutions which you might target? That could well be, you know, retail, there's a lot of cash, there's a lot of transactions, the impact of being out. You know, Marks & Spencer, three or four weeks on from the initial outage, is still not able to process online orders. That's devastating for a business. And so you do want, as a cybercriminal, your target should be willing to pay, otherwise it's not going to work. I think we can infer from the fact that the outage has been so prolonged for Marks & Spencer that they haven't paid, and that's an incredibly principled stand, but it's, I'm sure, hurting their business. Emily Taylor.
But who are these cyber criminals? How do they operate? And how have things changed? I'm joined by Geoff White, investigative journalist and author and co-host of the BBC's podcast series, The Lazarus Heist. Geoff, can you take us back to the beginning of ransomware? When did it all start?
One of the first known outbreaks of what we'd now call ransomware actually happened back in the 1980s, 1989. There was an academic who set out to extort people via their computers. You've got to realise this is largely pre-internet, pre-email, certainly pre-Facebook and Google.
This was the era of floppy disks. So he sent out hundreds of floppy disks around the world to researchers. They were all working on the AIDS crisis at the time. And so the floppy disk said, this is important information about the AIDS virus. They would put the disk into their computers. It would scramble the contents of their computers. And then a message would come up saying, well, you've installed my software. You now have to pay me. Here's an address where you can send your cheque.
People did actually send some cheques and obviously some of the people who sent them were police officers, law enforcement around the world, who managed to trace back the money and eventually got back to this guy called Joseph Popp, who turns out to have been behind the whole campaign. Broadly speaking, what's accounted for its explosion?
There's really two things that have accounted for the explosion of ransomware. Firstly is the digitisation of society. Most of what we do, a lot of our interactions are now online. And this explosion of computing power and computing use has given a larger, what they call in the trade, attack surface, i.e. more people, more computers for the hackers to attack. But the other thing is, if you think back to that episode in the 1980s, the big problem with doing these extortion things is payment.
In the classic Hollywood films, it's always the bit that gets the criminals, you know, leave the money in a suitcase at the bus stop. And when the criminals turn up to pick up their ransom, the police pounce on them. The big change for that was cryptocurrency.
The vast majority of these ransomware payments are done in Bitcoin. And if you use it correctly, it is possible to use Bitcoin anonymously to get anonymous payments from your victim. And you can just skip off with the money. Since Bitcoin happened in 2009, we've seen this ransomware scene explode. How do the companies know how to get hold of Bitcoin?
It's a very good question. In fact, the ransomware gangs will give advice to victims to say, if you haven't heard of Bitcoin, here's what it is and here's how you can get some. In fact, one of the ransomware gangs I communicated with advised companies, stockpile Bitcoin now, get it now, because when we hit you, you'll need it handy so you can pay us.
So we spoke about this four years ago on this programme. How have things changed since then? The first change has been that these ransomware gangs, they're very busy. They're busy writing this ransomware. They're busy developing their code. But that's just step one. Step two is you've got to somehow infect a victim. You've got to get the ransomware onto your victim systems. Well, that's a whole other job in itself. It's not easy. You've got to scope out your target, find a weakness, a way in.
So what the ransomware gangs have done is created a sort of franchise model, what they call an affiliate model. So the ransomware gangs will write the virus...
But then they will say to people, look, if you want to take our virus and spread it, infect as many victims as you can, get as much ransom as you can. And when the victim pays up, we, the virus writers, will take 20%. You, the affiliate, will take 80%. That's led to the explosion of ransomware. You've got affiliates around the world, thousands and thousands potentially, spreading this stuff and infecting victims. One of the important things to understand about ransomware is you've got a core group of people involved, in the dozens, maybe the hundreds, who have been in this game, cybercrime, for a long, long time, developing these viruses for years. Mainly based, we believe, in the Russian Federation. But the affiliates who work for them could be based anywhere. And that's how you get outbreaks like the one we saw in the UK recently. There'll be an affiliate who knows a particular country, France or Germany or the UK, who says, well, I'll spread your ransomware. And because I'm living in this country and I know this country, I'll spread it to targets in the country I'm based in. That's often how it works.
But for the next bit of it, the people actually who are doing the extorting, how organised are they? There's a sliding scale of this. Some of the affiliates, the people who spread this ransomware and actually target the victims, some of them will do that kind of negotiation themselves.
However, if the target's big enough and juicy enough, the ransomware gang will want to get involved. They'll say, look, you've just hit a massive company. It's a FTSE 100 company or a Fortune 500 company. This ransom's going to be worth millions. We're going to get 20% as the ransomware gang. So we want to be there overseeing that. So we make sure we get the ransom out of them.
The ransom negotiation is an incredibly fine-grained psychological conversation. You've got to really manage that well. And there's millions of dollars at stake. Okay. Very briefly, take me through one of those negotiations as you understand them to happen. Well, on the attacker side, you've either got the affiliate who's spread the ransomware, who's working on behalf of the ransomware gang, or you may well have the ransomware gang themselves in some of these bigger negotiations. On the victim side, you've obviously got the company that's been attacked. Now, they might be handling the negotiation directly, but more often they will have an insurance company. The insurance company will slip in. They won't say they're the insurance company. They might say, oh, we work in IT for this company you've attacked.
There's an entire industry of ransomware negotiation. It could be the insurance company itself. More likely, the insurance company hires somebody in. Somebody who knows ransomware, who knows the gangs, who's negotiated with them before, and, critically, can drive the hardest discount. They can say, hey, look, last time we negotiated, buddy, you gave us a 30% discount. We're going to look for that the same this time.
To what extent are these just simple, straightforward, non-state actors, in other words, the usual criminal gangs and so on? And to what extent does it help to have some kind of toleration or involvement by state actors? What do we know about that? We know that the vast majority of these well-developed ransomware gangs are based in the Russian Federation.
We know that there are links between the Russian government and these cybercrime gangs. We have seen cybercriminals in Russia being utilised by the Russian state to carry out state-level attacks. So we know that that goes on. We also know that the cybercriminals sometimes like to paint themselves as patriotic individuals supporting Mother Russia. Now that could be political will or it could just be a smart move to try and avoid getting on the bad books of the government there.
It's not correct, I don't think, to say that ransomware gangs are working on behalf of the Russian state. The vast majority of these ransomware attacks are just about money. It's not politically motivated, regardless of what the ransomware gangs would tell you and what they told me. It's about money.
Every now and again, though, we know that the Russian government will ask them to do them a favour. There's a great book called Ransom War by a guy called Max Smeets. He talks about the Russian government approaching the ransomware gangs with what they call pioneering exercises, which is the Russian government saying, hey, could you break into this target? We know that you've got access to it. We want access now.
Apparently the ransomware gangs dislike this because it means they don't make any money out of it. They're not making a ransom, they're doing it on behalf of the Russian government. But they feel they need to do it to sort of stay in with the Russian government. Now this sounds like a really dumb question, Geoff. But how rich can you actually get by doing this? The ransomware industry is a multi-billion dollar industry. If you measure it over the course of years, you know, I'm talking hundreds of millions that go into these campaigns. Just to give you an example, one ransomware gang, with one strain of their ransomware, in three months made $325 million. And that's going back a few years.
Out of a single victim, they can make ransoms in the millions. I think tens of millions is the largest I heard reported. So it's big money, huge money. So what I mean is, without wanting to go all kind of Kardashian about it, are there people living in gigantic mansions and flying about on private planes as a result of being involved in this? Yes, the ransomware community every now and again put out sort of videos of themselves, social media videos. Every now and again, you'll get glimpses into this lifestyle. There's a very famous video of one chap who's believed to be involved in the ransomware scene driving his Lamborghini around the centre of Moscow while the police sort of stand and watch because there's nothing they can do. I mean, they really are flaunting it. To be quite honest, if you've got a bit of Bitcoin to spare and you know how to access the dark web, you yourself could become a ransomware distributor. I've been giving it active consideration for the last five minutes. Certainly big profits to be made from what we see, but don't do it. That is breaking the law.
But the other thing that's happened in the ransomware scene is what they call double-dip ransomware. The answer to ransomware used to be quite simple. Back up your data. If you get hit by ransomware and they scramble all your data, fine, wipe your computer, get your backup out, reinstall it. That was the message. Back up and you'll be fine.
The ransomware industry evolved and adapted to that in a really clever way. Instead of just scrambling the data, they will steal the data. So when they go to the victim, they'll say, look, we scrambled your data, pay us a ransom. And if the victim turns around and says no, they'll say, ah, well, we've also stolen your data. And by the way, here's a website on the dark web where you can go and look and we've got a screen grab of what we've got from you. If you don't pay the ransom, we'll leak all of that data. And that could be people's personal email addresses, dates of birth, could even be something like their passwords. Very, very sensitive data.
Right now, there will be companies in the UK who have got ransomware attackers sitting inside their systems, surveilling everything, watching all the emails flying back and forth, potentially watching the Zoom calls and the Teams calls. I know that sounds like a frightening thing to say, but it is true because that's how the gangs work. Geoff White, who's just presented a BBC TV documentary called Scams and Scandals, which is available on iPlayer.
Before we carry on, just a quick reminder that you can subscribe to the Briefing Room podcast by visiting BBC Sounds and you'll get access to the entire back catalogue, which includes the one which asks whether the UK can become an AI superpower and the very recent one which asks what is Israel's plan for Gaza.
Back now to ransomware, and I want to find out what's being done to stop it happening. I'm joined by Susan Landau, Professor of Cybersecurity and Policy at Tufts University in the US, and Professor Alan Woodward, a computer security expert at the University of Surrey. Susan Landau, how has the pattern changed in recent years of ransomware attacks? Who's being targeted and how?
So originally it was very high value targets in the sense of targets that had to be back up quickly, like critical infrastructure and healthcare.
And as governments have gone after the ransomware operators, the operators have decided to go to lower profile targets that still get the money. Alan, can we look at the question of what companies should do to protect themselves? Now, again, when we talked about this subject four years ago, people were talking a lot about companies' resilience.
Can you take us through what resilience consists of and what companies do? First is being able to defend yourself against the attack, stop the attackers penetrating your network, whether it be awareness about phishing emails, making sure your software is up to date or all the usual broken record type of things. But the other one, unfortunately, is that these attacks are the single largest form of attack. And unfortunately, some of them are going to get through.
So probably the other thing about resilience is having a plan for what to do in the case that they do get in. And one of the things that we've found of late, the targets have changed slightly. Some of them are not that prepared. So be it going back to pen and paper or being able to just pull the plug and still operate. People are finding that they don't necessarily have a plan. Or worse, they have a plan a bit like a fire drill, and the first time they use it is when there's a real fire. Are you saying that a very large company should mimic a ransomware attack, taking out its computers essentially, and actually play out what happens then? There's several parts to incident response plans, the first being who's got the authority to do what. I mean, in the UK, over the last few weeks, we've seen two quite different responses to what appears to be the same group attacking them, Marks & Spencer and the Co-op. And what happened in the case of the Co-op, somebody made a decision very early on in the attack to pull the plug and stop the thing spreading. So they were back up and running rather quicker than M&S have managed to be. So some of it is about who calls who and who has what authority to do what. Having been someone that's run large IT estates, you do find fairly quickly that if you stop the IT and it stops the business, the CEO will be on the phone fairly quickly.
Now, Susan Landau, I imagine that the insurers have quite a big role in this too. We've already heard that they sometimes get involved in negotiations. I imagine that they want to get involved in the business of whether the plans are sufficient. Absolutely. So one of the changes has been that they are already demanding things of the companies they insure. So they want, for example, to segregate backups from the production work so that if there is a ransomware attack, the backups are actually backed up and not encrypted and unusable. They also want to know when the last day was of recovery testing. So the kind of thing that Alan was just describing, they want to know that companies are actually doing recovery testing and they don't say, oh, no, it looks like we have a ransomware attack. What is it we're supposed to do? No, they know it the way they're supposed to know it. How do US insurers demand that? Do they say, unless you do this, we won't insure you?
That's right. OK, Alan, does the same thing happen in the UK with UK insurance companies? Oh, yes, very much so. Although the insurers are quite often international. What they effectively say is you have to show that you have taken, quote, reasonable steps to protect yourself. Otherwise, we're not going to pay up.
Now, Susan, of course, this is not a private business between companies, criminals and insurance companies. This is also about law enforcement. What's happening in the US about this? Is anything changing? Yes. So the first big thing, of course, is the sanctions that were issued against Russia in the wake of Russia's attack on Ukraine.
And because a large number of the ransomware cyber criminals came from Russia, that has had an impact on ransomware. The sanctions mean you can't pay Russia. And that means that the U.S. Office of Foreign Assets Control will get involved if it becomes aware that ransomware payments are going to Russia.
The requirement in the U.S. is that if you are paying somewhere where the money does, in fact, go back to a sanctioned country, if you don't inform the U.S. government, you will have civil penalties. You're subject to civil penalties even without that, but much less likely to be enforced.
And the civil penalties can be high. They can be as high as $20 million. So it's not illegal for you to pay a ransom to somebody where it doesn't end up in a sanctioned country? That's correct. The fact is that U.S. law enforcement and U.S. national security have gotten far more involved in ransomware than they were a few years ago. And they've been going after the larger criminals. There have been arrests.
A number of people have been extradited to the United States and indicted. Some have been imprisoned. It means that the criminals are going less after the high-profile companies, the high-profile organizations, because those are the ones that get the attention of U.S. law enforcement and sometimes U.S. national security. Alan, we heard earlier that a lot of these payments have been made in Bitcoin. Yes.
And I would have thought that would make that kind of intersection that Susan was talking about in the case of sanctioning Russia more difficult. They have been paid in Bitcoin because it's the, I suppose it's the de facto cryptocurrency and it's very difficult to track. But it isn't truly anonymous. It's pseudonymous, as they call it. And there are actually tools. The law enforcement agencies have tools where they can track the good old follow the money policing tactic data.
They can say who's paid and who hasn't. And it's one of the things that's happening in the UK is a lot of consultation the government is doing at the moment about what they might legislate for. And as well as not paying, or certainly not paying if you're identified as critical national infrastructure, then one of the other ones is you've got a duty to inform.
Susan, there are two new elements there, and we'll take them in turn. One of them is whether there should be a national policy that no one should pay a ransom. Can you take us through how that argument has developed? Well, one of the reasons is that, in fact, the ransomware operators often don't help you decrypt the data that they've encrypted. Sometimes they're actually not capable of it. They're not necessarily very apt in the technical matters. Ransomware has become what we say ransomware as a service. They're buying the capabilities. But even if they do have the ability to decrypt, they're not necessarily doing it. But the other reason is, of course, that law enforcement wants to make sure that crime doesn't pay, and so they urge not to pay. Is there any suggestion in the US, and Alan will look at the UK in a moment, is there any suggestion in the US that actually it should be a criminal penalty attached to that or a penalty attached to the penalty? I'm not aware of one.
Alan, what about the UK? Is there any move here to legislate to stop victims from paying ransom? Absolutely. I mean, there's an active discussion going on at the moment, and it seems to fall into three parts. One is just blanket preventing people from paying. The argument being it removes the criminal's business model, therefore you won't get attacked. I suppose it holds up if you're talking about targeted attacks, but unfortunately a lot of the attacks are
The criminals go around and they're rattling lots of door handles until they find one that's unlocked and they get in that way. The other problem is that there are always exceptions. There are always going to be circumstances that you can't just have a blanket ban on it. You've got to allow for those extraordinary circumstances. So I think where they're coming down to is at the very least, they'll probably try and legislate that companies that are in critical national infrastructure, but maybe in general, have this dual responsibility. They've got to tell the government and get the government involved, and they shouldn't pay as well. It's kind of quite different to the way the US is going.
What is there about this to make me believe that the authorities will get on top of this and force these criminals to do something else? Well, one of the things that happens behind the scenes that most people aren't aware of, for example, people are encouraged if they're ever the victim of a cybercrime to report it to Action Fraud UK, which is run by the various UK police forces. One of the reasons for reporting the crime is so valuable is it builds up an intelligence picture. In Europe, it has previously really been focused around Europol and indeed the NCA in this country, the National Crime Agency, and there are international task forces with the FBI. And what they do is they can start to pick out where these bits of ransomware are actually being hosted and run from. It's one of those things that I suppose people tend to think of ransomware as a very ethereal thing. It's on your system. What can I do about it? But actually, it does need infrastructure to run because they collect the payments, etc. And they're not always in jurisdictions that are completely out of reach, like, say, Russia. Suddenly you find them in Germany. And so what the police are doing is they're starting to home in on removing the ability of the criminals, their infrastructure. They're being located and raided and taken down. And that's actually proved extremely effective with a very famous one called LockBit, which the criminals had raised hundreds of millions of dollars through. That was basically neutered by this international cooperation finding out where they were, swooping in and shutting down their infrastructure. So, Susan, I shouldn't despair.
I think probably not despairing. And I think international cooperation, as Alan has said, is actually becoming quite valuable. The sanctions have made Russia a more difficult place to run ransomware from.
And there's now an organization of 68 nations, including the US, the EU, the UK, India, South Korea, Ukraine, not Russia, not China. China has not been participating in ransomware, at least not to any visible level. And I think that that will continue. These member states are cooperating with information sharing, most importantly with incident response. And incident response responding quickly is a really critical issue.
So the fact that there is this international cooperation is, as Alan says, a quite positive step. And that's all we have time for. My thanks to Susan Landau and Alan Woodward. And my conclusion, when has international cooperation ever been a bad thing? And alas, this is the last programme in the current series, but we'll be back again at the beginning of July. Goodbye.
You've been listening to The Briefing Room with me, David Aaronovitch. The producers were Kirsteen Knight and Caroline Bailey. The production coordinator was Katie Morrison. The sound engineers were James Beard and Neil Churchill. The editor is Richard Vadon. Another edition of this podcast will be along again soon, but we do have a funny little series called Explainers where we just put together in a few minutes something you need to know about a particular subject. Listen out for those.