Organised Cybercrime: The Rise of Ransomware as a National Security Threat

Over the last 10 years, cybercrime has entered the realm of national security. This shift has been driven by one type of cybercrime in particular – ransomware.

Emerging from the Russian cyber-criminal ecosystem in the early 2010s, ransomware today is a highly disruptive form of cybercrime that encompasses a range of tactics and techniques designed to extort ransoms from individuals, businesses and even governments. Although cyber fraud likely affects more individual UK citizens on a personal level and generates greater economic losses, ransomware is a particularly acute threat to the UK because of its ability to cause harm to nationally important services – ranging from the ability of local councils to provide social care or ensure your bins are collected to the provision of essential healthcare services. Put simply, ransomware can (and does) ruin people’s lives.

Ransomware has proven to be highly lucrative for many of the criminals that participate, with UK victims paying an average ransom payment of £1.6 million in 2023 according to one survey. Large profit margins have enabled ransomware operators to reinvest revenues, expand their capabilities, and largely stay ahead of cyber defenders and law enforcement. Although the National Crime Agency (NCA) and its international counterparts have had some tactical successes against the ransomware ecosystem, absent a major shift in the cost–benefit calculus of ransomware operators, the next 10 years of cybercrime will likely continue to be dominated by this pernicious form of offending.

The Evolution of Ransomware: From ‘Spray and Pray’ to Organised Cybercrime

Although ransomware has existed in some form since the 1990s, it was largely non-viable as a profitable cybercrime until the emergence of cryptocurrency in the late 2010s, which enabled cybercriminals to monetise ransomware while maintaining a degree of anonymity. In 2013, ransomware was characterised by the so-called ‘spray and pray’ model, which targeted a large number of individual users. These operations had low yields with uniformly priced ransoms for all victims.

However, from 2016 onwards, ransomware began to evolve into the form that is dominant today. Ransomware operators moved away from the ‘spray and pray’ model and started to focus on organisations rather than individuals, using tactics to deploy ransomware to thousands of computers within a single organisation to increase their leverage and therefore demand higher ransoms.

In 2019, two important tactical modifications emerged that helped ransomware operators extort higher payments at greater scale. First, they became more purposeful in their victim selection. Some developed so-called ‘big game hunting’ ransomware operations, which involves prioritising larger and therefore more lucrative victims; others focused on targeting critical services and organisations that rely on constant delivery of operations, such as healthcare providers.

Second, the criminals behind the Maze ransomware operation started to steal as well as encrypt victims’ data. Other ransomware threat actors swiftly followed suit and over the last few years coercion tactics have continued to evolve, with dedicated data leak sites, leaks to journalists and harassment of employees and clients all employed as parts of efforts to make victims pay. A new cyber extortion collective made up mostly of English-speaking young men has even threatened physical violence against its victims. Our own research on ransomware harms, which is based on interviews with UK victims of ransomware, found examples of harassment of school children, healthcare patients and other vulnerable groups following ransomware incidents.

Today, the ransomware ecosystem resembles something more like a professionalised industry than a ragtag network mostly active on dark web forums and marketplaces. This is not just because of the revenues generated by ransomware (which are believed to run into hundreds of millions of dollars for the most successful gangs), but also because of the growing levels of professionalisation that have developed within the ecosystem. The ransomware-as-a-service business model has enabled the specialisation of roles within ransomware operations, allowing ransomware developers to recruit affiliates who conduct operations for a cut of the profits. Ransomware is also supported by the broader cybercrime-as-a-service ecosystem, particularly services and marketplaces that specialise in obtaining and selling access to victim networks (known as initial access brokers) or monetising and laundering the proceeds of ransomware. The service-driven cyber-criminal economy enables ransomware threat actors to streamline their operations.

In some cases, ransomware threat actors have developed structures more like legitimate businesses than traditional organised crime groups. The group behind the now defunct Conti ransomware operation, for instance, at one point employed between 65 and 100 salaried staff, with defined roles, HR staff and employment policies. The profitability of ransomware can make this extremely attractive, pulling more would-be cyber-criminals into the ecosystem. Ransomware therefore represents a form of organised crime that is in keeping with modern digital economies.

Assessing the impact of ransomware on the UK specifically is challenging. Since 2019, 2,607 ransomware incidents have been reported to the Information Commissioner’s Office (ICO). However, the ICO does not collect data or produce intelligence on the threat or financial impact of ransomware. Reporting to Action Fraud is believed to be considerably lower – the NCA assesses that less than 10% of ransomware incidents are reported to law enforcement. However, prominent attacks against UK businesses and critical national infrastructure providers emphasise the threat of ransomware to UK’s economy, national security and society. In 2023 alone, ransomware has disrupted the Royal Mail, one of the largest providers of outsourced services for the UK government, schools and an NHS Trust. A ransomware attack was also blamed for the permanent closure of one of the UK’s largest privately-owned logistics providers, KNP Logistics Groups.

A Daunting 21st-Century Challenge

The emergence of contemporary organised cybercrime as a national security dilemma presents a serious challenge for the UK’s law enforcement community.

This dilemma is exacerbated by a toxic combination of geopolitics and the double-edged sword presented by technological advancement. The concentration of ransomware operators in ‘permissive’ jurisdictions with whom UK relations are relatively poor – most notably Russia – means that law enforcement’s capacity to arrest or interfere with many threat actors is limited. While a Russian cyber-criminal stated in an interview that their biggest concern was the prospect of Russian Federal Security Service (FSB) and Western law enforcement collaboration, this seems unlikely to materialise at the time of writing. As recently emphasised by NCA Director-General Graeme Biggar at RUSI, serious and organised crime has become more global and sophisticated, straddling the ‘real’ and ‘virtual’ worlds. Ransomware is – unfortunately – a perfect illustration of this phenomenon.

The UK’s approach to the ransomware dilemma can be described, in part, as characterised by pragmatism. This is not to be confused with defeatism. Where possible, the National Crime Agency has collaborated with international partners on arrests of ransomware operators and affiliates outside of Russia. The UK’s Office of Financial Sanctions Implementation has also recently joined forces with the US’s Office of Foreign Assets Control to sanction known ransomware operators, representing both a form of ‘naming and shaming’ and an effort to limit specific cyber-criminals’ ability to monetise ransomware.

Aligning with a pragmatic approach to ‘resiliency’ that underpins the National Cyber Security Strategy, the UK’s public sector cyber response ecosystem has increasingly focused on reducing the ransomware threat and supporting victims. This ecosystem includes the National Cyber Security Centre (NCSC), the NCA, Regional Organised Crime Units and local police. Victim support is triaged through the Incident Response Framework, with technical incident support tightly rationed and restricted to organisations with the greatest national security and economic impact. A number of victims may receive support in the form of incident response coordination and advice from NCSC and/or NCA liaisons.

Nonetheless, the reality for many ransomware victims is that government support is likely to be very limited, with the accessible response ecosystem largely privatised. A ransomware victim organisation may, variously, draw upon the support of firms offering incident response, ransom negotiation, external counsel and public-relations management. Organisations either pay for these services themselves or draw on cyber insurance policies. However, the recent development that some sectors – including operators of critical national infrastructure – may be uninsurable by virtue of their sector should be cause for alarm.

The application of triaging and general reliance on private sector incident response services is a pragmatic approach amid current economic realities; it would be impossible for the current public-sector response ecosystem to scale sufficiently to serve as a ‘blue light’ cyber response service. However, the quality of incident response matters. The NCSC’s assured cyber incident response schemes are a positive step toward promoting best practices to encourage optimum outcomes for victims of ransomware and other cyber incidents.

What Should We Do Next?

We write this with a degree of weariness. As active researchers in this space, we have talked, researched and written about ransomware for countless hours. Ransomware’s prominence as a cybercrime and national security threat means that this issue has consistently been at the forefront of our recent work. The UK government has also been actively talking about the issue, for instance, with the conducting of an internal 'ransomware sprint’, the attendance of high-level meetings (and signing of agreements) with like-minded international partners, and the issuance of calls for evidence by Parliamentary Committees.

However, given the absence of easy solutions, it is time to talk more actively about ransomware and organised cybercrime with the public at large. In a liberal democratic society, a serious societal-level threat merits mature and considered conversations in a range of accessible forums. Ransomware arguably first emerged into the UK-wide conscience in 2017, with the WannaCry ransomware attack’s impact on some NHS Trusts serving as a pronounced indication of ransomware’s capacity to disrupt core societal services. After extolling that everyone had a responsibility for cyber security, Jeremy Hunt and Theresa May were given a reprieve with Marcus Hutchin’s kill-switch. But arguably the first significant opportunity for a proper and sustained national conversation was bypassed. Likewise, pronounced disruptions at local levels – for instance, Hackney, Redcar and Cleveland, and Gloucester City councils – have not ushered in focused conversations at a national level.

Such conversations could include more candid detail about the government’s place and role in the fight against this threat, in both preventative and reactive terms. Given financial and resource constraints, it is unlikely that the UK will significantly expand its technical response support for victims. But this should be conveyed to the public clearly and candidly. Recent RUSI research has highlighted a disconcerting degree of ambiguity and confusion among the public and ransomware victims about the role of government and law enforcement in this space.

There is also the question of how the UK should employ offensive cyber capabilities against the ransomware ecosystem. At the launch of the UK National Cyber Force (NCF) in 2020, the UK government identified organised cyber-criminals as a potential target for offensive cyber operations. In 2022, then GCHQ Director Jeremy Fleming suggested that the NCF was now actively targeting ransomware threat actors. Given that UK intelligences agencies have been able to disrupt the online activities of international terrorist organisations – and publicly disclose elements of this interference – there is a case for more public debate about the purpose and effectiveness of these operations. However, as the US experience with using offensive cyber operations against ransomware has highlighted, such operations may have a limited effect while the business model remains intact, and should be seen as complementary rather than a replacement for a strategy that focuses on fundamentally changing the cost-benefit calculus of the perpetrators.

The future trajectory of ransomware is not clear. Arguably, this form of organised cybercrime has not yet reached saturation point. While some ransomware operators have dispersed following law enforcement activity, others have emerged. Operators continue to diversify their strategies to put maximum pressure on victim organisations and adapt to improved cyber security practices among their targets (for instance, viable backups).

In this context, further growth and evolution of this threat should be anticipated. While it is not possible to speculate precisely on how ransomware will evolve, the UK and like-minded partners should anticipate turbulence, continue to raise their cyber resilience, and focus on ways to make life much more difficult for the criminals that perpetuate it.

The views expressed in this Commentary are the authors’, and do not represent those of RUSI or any other institution.

Have an idea for a Commentary you’d like to write for us? Send a short pitch to commentaries@rusi.org and we’ll get back to you if it fits into our research interests. Full guidelines for contributors can be found here.