Ransomware and the Cyber Crime Ecosystem

Ransomware has been the biggest development in cyber crime. Ransomware’s defining feature is that it encrypts data on victims’ systems until a payment is made. Since IT systems are now ubiquitous, ransomware attacks can be truly devastating for victims and their customers, which is why it remains the most acute cyber threat for UK businesses and organisations.

A new white paper published by the NCSC and the National Crime Agency examines how the tactics of organised criminal groups (OCGs) have evolved as ransomware and extortion attacks have grown in popularity. It’s particularly aimed at security professionals and resilience sector leads who need to be aware of changes in cyber criminal activity to better protect their systems and inform security policy.

Since 2018, businesses have been getting better at preparing for and responding to ransomware attacks. At the same time, OCGs have been adapting their business models to maximise payouts. For example, in addition to being locked out of their systems, ransomware victims now have the worry of their sensitive data being leaked online, and with it the risk of reputational damage. They could also face large fines under laws such as UK GDPR and the Data Protection Act 2018.

As well as the actual ransomware malware (such as Lockbit or ALPHV), there are a number of enabling services, platforms, distributors and affiliates that are key to conducting a ransomware attack. It’s this wider criminal ecosystem that is the main focus of the paper. The white paper is the latest addition to a series of NCSC publications that address the continued threat from ransomware. Crucially, implementing NCSC guidance will interrupt the majority of attacks, which is why we encourage system owners and technical staff to visit the NCSC’s pages on ransomware, which include guidance on how organisations can defend themselves from ransomware attacks.

The deployment of ransomware relies on a complex supply chain, so focussing on specific ransomware strains can be confusing at best, and unhelpful at worst. We hope that the publication of this white paper shines a light on the motivations of the threat actors further upstream, who are ultimately driving the monetisation of ‘ransomware as a service’, and other extortion attacks.