The UK’s National Cyber Security Centre (NCSC) and National Crime Agency (NCA) have published a whitepaper examining the ongoing evolution of the business models and underpinnings of the cyber criminal ransomware ecosystem, and highlighting that responding appropriately and effectively need neither be complex, nor expensive.
The joint NCSC NCA report, Ransomware, extortion, and the cyber crime ecosystem, delves into the growth of the often complex ransomware-as-a-service (RaaS) model over the past six years.
“Organised crime groups have continued to evolve in recent years, with the growth of the RaaS model sadly leading to more attacks. Our joint report reveals the complexities of the cyber crime ecosystem, with its different platforms, affiliates, enabling services and distributers, which all contribute to the devastating outcomes of ransomware attacks on the UK’s organisations,” said NCSC CEO Lindy Cameron.
“While the NCSC is resolute in tackling this threat with our partners, all organisations must take action to protect themselves. I urge network defenders to read this report and to implement our ransomware guidance to boost their cyber resilience,” she said.
Security minister Tom Tugendhat added: “The UK is a top target for cyber criminals. Their attempts to shut down hospitals, schools and businesses have played havoc with people’s lives and cost the taxpayer millions.
Lindy Cameron, NCSC
“Sadly, we’ve seen an increase in attacks. This report is a timely reminder of the threats we face, and the importance of ensuring we all do as much as we can to defend ourselves. I will ensure our world-class law enforcement and intelligence agencies continue to use their full capabilities to stay on top of emerging threats and protect our businesses and institutions.”
The growth in the RaaS model has led to a situation where cyber criminal operators who lack the technical skills needed to develop their own ransomware lockers can now carry out effective attacks using off-the-shelf tools, while organised criminal groups (OCGs) run back-end operations supported by complex supply chains and professional infrastructure. This more organised and businesslike approach dates back several years.
These OCGs, many of which pre-date the current ransomware boom, run similarly to legitimate businesses, with offices, salaried positions, and even benefits like holiday entitlement and sick pay, all operating in the service of facilitating ransomware attacks.
Their affiliates or customers will typically have access to a web portal to customise the ransomware locker they are buying and obtain new builds with unique encryption keys. Some also include in-house communications platforms to conduct negotiations with victims, as well as access to leak sites.
The advantages affiliates gain from this approach are manifold. For example, beyond not having to expend time and effort writing their own ransomware, operating as an affiliate brings a certain degree of anonymity that makes it harder for the industry and law enforcement to track and attribute different attacks. They may also be protected from prosecution under certain regulations – for example, the writing and selling of ransomware is a different offence under Section 3A of the UK’s Computer Misuse Act (CMA) than the use of it in an attack, which can fall under Section 3 or Section 3ZA.
However, there are some disadvantages, too. As the NCSC NCA report notes, the growth in affiliate numbers is leading to a more competitive environment where they end up receiving a smaller percentage of the ransom after the OCG has taken its cut.
Indeed, some of the affiliates don’t appear to make much at all – when rare arrests of low-level affiliates are made, the accompanying photos tend to be of distinctly unglamorous, small and untidy apartments, a far cry from the lavish lifestyles, with their event weddings and bespoke Italian supercars, of the OCG controllers.
Opportunistic cash grab
The report also shares some new insight into victimology, revealing that many, if not most, victims are chosen on an opportunistic basis and are not specifically targeted.
Rather, ransomware operators prefer to access a victim’s systems and then tailor their attack based on what they consider the quickest and easiest route to a pay-out.
For example, as the NCSC has observed recently, gangs will deploy full ransomware encryption attacks against companies that value access to their systems, whereas those for which data privacy is paramount, such as health and social care organisations, they will prefer a straightforward extortion-only attack.
However, when ransomware incidents do occur, they are rarely ever the result of a “sophisticated cyber attack”, even though in their understandable panic, victims often like to claim their security teams were completely bamboozled.
In reality, the most successful ransomware attacks will always take advantage of poor cyber hygiene and a lack of attention paid to factors such as prompt and appropriate patching, poor password protection and a lack of multifactor authentication. The NCSC said that taking care of these three issues could interrupt the majority of incidents.