Ransomware and the cyber crime ecosystem

Published
9/28/2023

Ransomware has been the biggest development in cyber crime since we published the NCSC’s 2017 report on online criminal activity. Ransomware’s defining feature is that it encrypts data on victims’ systems until a payment is made. Since IT systems are now ubiquitous, ransomware attacks can be truly devastating for victims and their customers, which is why it remains the most acute cyber threat for UK businesses and organisations.

A new white paper, published by the NCSC and the National Crime Agency, examines how the tactics of organised criminal groups (OCGs) have evolved as ransomware and extortion attacks have grown in popularity. It’s particularly aimed at security professionals and resilience sector leads who need to be aware of changes in cyber criminal activity to better protect their systems and inform security policy.

Since 2018, businesses have been getting better at preparing for and responding to ransomware attacks. At the same time, OCGs have been adapting their business models to maximise payouts. For example, ransomware victims – in addition to being locked out of their systems – now have the additional worry of their sensitive data being leaked online, and with it the risk of reputational damage. They could also face large fines under laws such as UK GDPR and the Data Protection Act 2018.

As well as the actual ransomware malware (such as Lockbit or ALPHV), there are a number of enabling services, platforms, distributors and affiliates that are key to conducting a ransomware attack. It’s this wider criminal ecosystem that is the main focus of the paper.

The white paper is the latest addition to a series of NCSC publications that address the continued threat from ransomware. Crucially, implementing NCSC guidance will interrupt the majority of attacks, which is why they encourage system owners and technical staff to visit the NCSC’s pages on ransomware; these include guidance on how organisations can defend themselves from ransomware attacks.
