A white paper from the NCSC and the NCA.
Ransomware has been the biggest development in cyber crime since we published the NCSC’s 2017 report on online criminal activity. Ransomware is a type of malware which prevents you from accessing your device and the data stored on it, usually by encrypting your files. A cyber criminal will then demand a ransom in exchange for decryption. The computer itself may become locked, or the data on it might be encrypted, stolen or deleted. The attackers may also threaten to leak the data they steal.
May 2021 saw a ransomware attack on the Health Service Executive of Ireland [6], causing issues such as lack of access to appointment data, in some cases leading to surgeons attempting to find patients for surgery when they had already been operated on. In the same month, the Colonial Pipeline in Texas [7] was also held to ransom, causing major disruption to gas supplies across the east coast of the US. In the UK, ransomware attacks affected the critical care services provided by local councils, and multiple organisations in the education sector [8] were also affected.
As the ransomware threat has evolved [9], victims now have the worry of their sensitive data being exposed to the world, and with it face the risk of reputational damage. They must also consider the impact of enforcement action by a data protection authority (such as the Information Commissioner’s Office in the UK) for not sufficiently protecting customer data.
More recently, some groups conduct data theft and extortion only, without deploying ransomware. Accordingly, cyber criminals will now use whichever approach they believe most likely to yield payment: deploying ransomware attacks to disrupt logistics companies that need the data to function, but favouring extortion-only attacks against healthcare services (where patient privacy is paramount).
Some criminal groups purport to follow a ‘moral code’ and avoid attacks against critical national infrastructure (CNI) and healthcare services. However, the reality of complex modern supply chains means criminals cannot know if their attack will impact such services.
The evolution of ransomware
While ransomware existed prior to 2017, it primarily focussed on encrypting single devices. In 2013, the GameOverZeus OCG had already put together the necessary success criteria for ransomware with CryptoLocker. It fused strong public key encryption with cryptocurrency payments, making it a viable business when other monetisation methods failed.
Damaging a large organisation’s network (instead of a small organisation’s or single user’s) has become known as ‘big game hunting’. These targets often involve higher payment demands and so a larger return on investment. The removal of access to critical business systems and/or data is used to demand payment in exchange for the recovery keys. Under these pressures, it’s tempting for organisations to think that paying the ransom will ‘make the incident go away’, but as Eleanor Fairford, Deputy Director of Incident Management at the NCSC, explained in a recent blog post, paying the ransom quickly doesn’t always help [10].
Since 2018, businesses have been getting better at preparing for and responding to these attacks. At the same time, criminals have been refining their business model to maximise payouts. Combining data theft with extortion in big game hunting attacks increases the pressure on victims to pay, who will often be presented with short deadlines (a tactic often used in legitimate sales campaigns).
The WannaCry and NotPetya attacks combined encryption with the ability to self-propagate, leading to damages across a wide range of organisations. These were both disruptive attacks posing as ransomware: in neither case was it possible to pay in exchange for decryption keys. However, they highlighted the dramatic increase in impact when targeting critical infrastructure and large businesses.
In 2018, the NCSC and the NCA observed this shift in criminal behaviour to conduct attacks against larger organisations, driven in part by the huge growth in the availability and legitimate trade of cryptocurrency. Cryptocurrency has made it easier, cheaper and faster to obtain payment and purchase criminal services than was previously possible with traditional currencies. The use of cryptocurrency also makes it harder to attribute individuals and control illicit payments, although this is in the process of changing to match
The cyber crime ecosystem
EvilCorp, which comprise highly organised criminals operating much like legitimate businesses with offices, salaries, holiday and sick pay, and other benefits. There’s also a number of smaller, less-organised criminal groups and criminal microservices traded on illicit forums and marketplaces, all supporting each other.
While cyber crime exists in most countries around the world, the major threat to the UK emanates from the Russian-speaking community that have benefited from the larger OCGs helping shape the forums where these services are traded. Like other criminal services, ransomware has been adapting to this marketplace to become more accessible and scalable through groups selling ransomware as a service (RaaS). The resulting increase in criminals adopting ransomware and extortion tactics means that smaller criminal groups, working together, can make a large impact.
Sanctions, indictments and rewards levied on the likes of EvilCorp [11] (and the group behind Conti [11]) have seen them draw on the wider ecosystem to distance themselves from the larger OCG branding. Figure 1 is an estimate of the number of UK victims from the top 10 ransomware variants over the last 3 years. It shows that over time, some of the previously dominant groups (such as Conti and Egregor) have disappeared while more brands of ‘as a service’ data leak sites (such as ALPHV, Lockbit and Hive) have become available. The numbers here can only be taken as an indication of the true volume, as any victims that paid the ransom will not appear on the leak sites (and some ransomware variants do not adopt data leak tactics).