Experts reveal latest insights into world of cyber criminals

• New report examines how cyber criminals have developed their business model to maximise profits
• GCHQ’s National Cyber Security Centre and the National Crime Agency signal rise in extortion attacks and shift towards ‘ransomware as a service’ model since 2017
• Joint report reveals how devastating ransomware attacks rely upon a complex ‘cyber crime ecosystem’

CYBER criminals are increasingly professionalising their ransomware and extortion attack operations in a bid to gain efficiencies and maximise profits, a new report has revealed today (Monday).

The report, Ransomware, extortion, and the cyber crime ecosystem, has been published by the National Cyber Security Centre (NCSC) – a part of GCHQ – in partnership with the National Crime Agency (NCA) and it outlines how the tactics of organised criminal groups (OCGs) have evolved since 2017.

It describes the shift towards the ‘ransomware as a service’ model, where criminals with less technical skill can launch attacks by using pre-developed ransomware tools. It also examines how OCGs – most of which pre-date the rise of ransomware – have developed their modus operandi, with operations supported by complex supply chains and professional infrastructure.

While smaller groups trade criminal services on illicit forums and marketplaces, the report also shines a light on how some OCGs operate much like legitimate businesses, with offices, salaries, sick and holiday pay and other benefits.

The route to conducting an attack is supported by a variety of services and includes a range of different cyber criminals who conduct or facilitate the malicious activity, helping to reduce the barrier to entry.

The report also notes that most attack victims are chosen opportunistically, rather than specifically targeted and criminals are increasingly then tailoring their methods of attack depending on what is most likely to yield payment.

For example, as the NCSC and NCA have seen recently, OGCs will use whichever approach they believe most likely to yield payment, deploying ransomware attacks to disrupt logistics companies that need access to systems, but favouring extortion-only attacks against healthcare services, where patient privacy is paramount.

The report emphasises that ransomware remains one of the most acute cyber threats facing the UK and that all UK organisations should take action to protect themselves from this pervasive threat.

NCSC CEO Lindy Cameron said:

“Organised crime groups have continued to evolve in recent years, with the growth of the ‘ransomware as a service’ model sadly leading to more attacks.

“Our joint report reveals the complexities of the cyber crime ecosystem, with its different platforms, affiliates, enabling services and distributers, which all contribute to the devastating outcomes of ransomware attacks on the UK’s organisations.

“While the NCSC is resolute in tackling this threat with our partners, all organisations must take action to protect themselves. I urge network defenders to read this report and to implement our ransomware guidance to boost their cyber resilience.

NCA Director General of Threats, James Babbage said:

“The proliferation of capable cyber crime tools and services, and subsequent lowering of the barrier of entry, means that ransomware, especially ransomware-as-a-service, will continue to be a significant threat to UK individuals, businesses and organisations.

“The NCA is focused on combating this threat by targeting the highest harm cyber actors and undermining the cybercriminal ecosystem that enables their offending.

“However, as this report makes clear, a whole of system response is required to be effective; prevention, protection, and collaboration with international and private sector partners are key.”

Security Minister Tom Tugendhat said:

“The UK is a top target for cybercriminals. Their attempts to shut down hospitals, schools and businesses have played havoc with people’s lives and cost the taxpayer millions.

“Sadly, we’ve seen an increase in attacks. This report is a timely reminder of the threats we face, and the importance of ensuring we all do as much as we can to defend ourselves.

“I will ensure our world-class law enforcement and intelligence agencies continue to use their full capabilities to stay on top of emerging threats and protect our businesses and institutions.”

The Ransomware as a Service model sees a range of features typically offered to customers. These can include a web portal to customise ransomware, communication platforms for negotiation with victims and access to data leak sites to publish stolen data.

The report highlights that whilst business have been getting better at preparing for and responding to attacks since 2018, at the same time criminals have been refining their business model to maximise payouts.

However, most incidents are not due to sophisticated attack techniques; most cyber criminals’ success is usually the result of taking advantage of poor cyber hygiene, highlighting the importance of organisations ensuring they have strong defences.

The NCSC has published comprehensive guidance for organisations to reduce the likelihood of falling victim to a ransomware attack.

Organisations are strongly encouraged to sign up to the NCSC’s free Early Warning service, which notifies organisations of any potential suspicious activity within their networks, including indicators of ransomware.