Redcar and Cleveland ransomware: Inside a council under cyber-attack


BBC England Investigations

A virus hidden in an email attachment spread through Redcar and Cleveland’s computer network

In the early hours an IT engineer raced into work through the dark, wintery streets of Redcar in north-east England.

The dash was prompted by a worrying alert about the council’s computer network, and he was soon hurriedly shutting down servers to try to halt the spread of a virus. It was too late.

Hackers had scrambled Redcar and Cleveland Council’s IT systems and would soon demand payment to restore them.

The cyber-attack in February 2020 caused chaos, disrupting everything from bin collections to social services and decisions about how to keep vulnerable children safe.

“I got a phone call to say: we’ve been hit,” recalls Mary Lanigan, then leader of the council. “The destruction of our systems was total.”

In recent weeks, cyber-criminals have targeted major retailers including M&S and the Co-Op, leading to empty shelves and breaches of customer data.

But the former head of the National Cyber Safety Centre (NCSC), Ciaran Martin, said his “biggest cyber-security worry” was the threat of simultaneous attacks on public services, like councils and hospitals, which had the potential to “wreck lives”.

The BBC has been investigating how the attack on Redcar and Cleveland unfolded, what it took to get things back to normal and the impact on local people.


Mary Lanigan said the impact of the cyber-attack had been “devastating”

In the days before Saturday 8 February 2020, an email with a seemingly innocuous attachment arrived in a council inbox. Hidden inside was a piece of malicious software that would lie dormant in the council’s network until it was activated remotely.

Within a few hours of that activation it had spread throughout the computer system, locking staff out and scrambling files.

By 11:00 GMT on Saturday, local residents began to notice the council website was offline.

“There wasn’t a lot we could do,” Mrs Lanigan said about efforts to stop the virus.

“You had to be practical, so it was actually getting more phones in there so that people could ring us.”

News was spreading, but Mrs Lanigan, who lost her position in the 2023 local elections, claims she received pressure from council officials and central government not to speak out.

The council declined to be interviewed about the attack but said there had been no pressure or instruction not to speak publicly, either at the time or since.

What Mrs Lanigan did not say in 2020, but admits now, was the council was dealing with a crisis.

“It was devastating,” she said. “Devastating for us, for the staff, for the public and for everybody else.”

They had lost the ability to share information with police and the NHS, while social services and elderly care services were knocked out, she said.

“Even somebody ringing up and saying ‘my bin hasn’t been emptied’ wasn’t dealt with.”


By the morning of Monday 10 February IT staff were desperately going from desk to desk, placing infected computers in a growing pile.

“When we saw how much damage had been caused we realised it would probably take weeks, maybe years to do,” said IT worker Ben Saunders.

At the same time, experts at the NCSC – part of GCHQ – were considering the council’s plea for help.

Mr Martin, who was the NCSC’s chief executive at the time, said it was “unusually serious”.

“If a council are telling you they are worried about their ability to run services for vulnerable children, you take that very seriously.”

It was feared social workers, tasked with keeping young people safe, would struggle to do their jobs without access to the online records they relied on to help inform difficult decisions.

In what Mr Martin called an “unusual” step, NCSC officers were deployed to Redcar.

On Tuesday 11 February – the second working day after the attack – hackers made their ransom demand.

The exact figure has never been made public, but Mr Martin said that, based on similar attacks, it was likely to have been in the “low single figure millions of US dollars”.

The current government is considering a ban on the public sector paying ransoms to hackers but, while it is the guidance, there was no formal ban in place in 2020.

Regardless, Mrs Lanigan was in no mind to cough up. “I’m a Yorkshire woman and the thing being about that is there was no way I was paying any ransom to anybody.”

The following day, Wednesday 12 February, the government held a Cobra meeting, designed to co-ordinate the response to major emergencies.

“That’s when you realised just how serious it was,” the former council leader said. “It wasn’t just some hacker sat in a bedroom having a play with computers.”


Paul had to quit his job to look after Clare when the council systems they relied on were hit

While the system was being rebuilt, the council turned the clocks back and returned to using paper and pen. Many functions ground to a halt or were dramatically slowed down.

Redcar husband and wife Paul and Clare were “very reliant on the council” at the time.

Clare needed support from care workers and specialist equipment to help with a debilitating condition called functional neurological disorder.

“You’d be waiting on the phone for hours,” Paul said. “When people were coming it was handwritten notes, so the systems weren’t getting updated. It was a real nightmare.”

The couple waited many months before they got the support they needed. In the meantime, Paul had quit his job to care for his wife.

All the while staff continued to work on getting the council back online and within a few weeks a temporary system for social services had been restored.

By May 2020 the council said it was still only back to 90%, with the system taking 10 months to be fully restored.

“Some of it was able to be recovered; a lot of it was needed to be built from scratch,” said Mr Saunders. “It was a very meticulous, very long process.”

Yet it took several years before evidence emerged suggesting who was behind the cyber-attack.

In February 2022, one of the world’s most prolific ransomware gangs, the Russia-based Conti Group, fell apart.

After Russia invaded its neighbour, pro-Ukrainian hackers leaked the group’s private messages and data, revealing details of some of the most dangerous cyber-criminals.

A year later, in February 2023, a group of Russian hackers were sanctioned by the UK and US governments over a string of attacks on businesses, schools and councils, including Redcar and Cleveland.


From social services to bin collections, almost all council services were disrupted by the cyber-attack

Earlier that year, Mrs Lanigan gave evidence in Parliament about the attack. She said the response had cost £11.3m and they had received £3.68m compensation from the government.

As the authority was not insured for the attack, the difference had to be taken from its limited reserves.

A council spokesman said that while it had general insurance cover, it still did not have a specific policy which covered a cyber-attack.

They said a recent inspection by external auditors found that at the time the council had had proper arrangements and controls in place to reduce the likelihood of a cyber-security breach.

But it is far from the only council to face such an attack. According to the Information Commissioner’s Office, there were 202 ransomware attacks on local authorities in 2024.

The government said it was “taking action to protect local councils by providing funding to increase their cyber defences”.

But Mr Martin fears the attack on the council, and other public services, could have “shown hostile nation states how to disrupt our society”.

“Redcar and Cleveland was a crisis,” he said. “What about 10 Redcar and Clevelands at the same time? What about a hundred of them? That’s not inconceivable.”


