Over the last 10 years, cybercrime has entered the realm of national security. This shift has been driven by one type of cybercrime in particular – ransomware.
Emerging from the Russian cyber-criminal ecosystem in the early 2010s, ransomware today is a highly disruptive form of cybercrime that encompasses a range of tactics and techniques designed to extort ransoms from individuals, businesses and even governments. Although cyber fraud likely affects more individual UK citizens on a personal level and generates greater economic losses, ransomware is a particularly acute threat to the UK because of its ability to cause harm to nationally important services – ranging from the ability of local councils to provide social care or ensure your bins are collected to the provision of essential healthcare services. Put simply, ransomware can (and does) ruin people’s lives.
Ransomware has proven to be highly lucrative for many of the criminals who participate, with UK victims paying an average ransom of £1.6 million in 2023, according to one survey. Large profit margins have enabled ransomware operators to reinvest revenues, expand their capabilities, and largely stay ahead of cyber defenders and law enforcement. Although the National Crime Agency (NCA) and its international counterparts have had some tactical successes against the ransomware ecosystem, absent a major shift in the cost–benefit calculus of ransomware operators, the next 10 years of cybercrime will likely continue to be dominated by this pernicious form of offending.
The Evolution of Ransomware: From ‘Spray and Pray’ to Organised Cybercrime
Although ransomware has existed in some form since the 1990s, it was largely non-viable as a profitable cybercrime until the emergence of cryptocurrency in the late 2010s, which enabled cybercriminals to monetise ransomware while maintaining a degree of anonymity. In 2013, ransomware was characterised by the so-called ‘spray and pray’ model, which targeted a large number of individual users. These operations had low yields with uniformly priced ransoms for all victims.
However, from 2016 onwards, ransomware began to evolve into the form that is dominant today. Ransomware operators moved away from the ‘spray and pray’ model and started to focus on organisations rather than individuals, using tactics to deploy ransomware to thousands of computers within a single organisation to increase their leverage and therefore demand higher ransoms.
In 2019, two important tactical modifications emerged that helped ransomware operators extort higher payments at greater scale. First, they became more purposeful in their victim selection. Some developed so-called ‘big game hunting’ ransomware operations, which involve prioritising larger and therefore more lucrative victims; others focused on targeting critical services and organisations that rely on constant delivery of operations, such as healthcare providers.
Second, the criminals behind the Maze ransomware operation started to steal as well as encrypt victims’ data. Other ransomware threat actors swiftly followed suit and over the last few years coercion tactics have continued to evolve, with dedicated data leak sites, leaks to journalists and harassment of employees and clients all employed as part of efforts to make victims pay. A new cyber extortion collective made up mostly of English-speaking young men has even threatened physical violence against its victims. Our own research on ransomware harms, which is based on interviews with UK victims of ransomware, found examples of harassment of school children, healthcare patients and other vulnerable groups following ransomware incidents.
Today, the ransomware ecosystem resembles something more like a professionalised industry than a ragtag network mostly active on dark web forums and marketplaces. This is not just because of the revenues generated by ransomware (which are believed to run into hundreds of millions of dollars for the most successful gangs), but also because of the growing levels of professionalisation that have developed within the ecosystem. The ransomware-as-a-service business model has enabled the specialisation of roles within ransomware operations, allowing ransomware developers to recruit affiliates who conduct operations for a cut of the profits. Ransomware is also supported by the broader cybercrime-as-a-service ecosystem, particularly services and marketplaces that specialise in obtaining and selling access to victim networks (known as initial access brokers) or monetising and laundering the proceeds of ransomware. The service-driven cyber-criminal economy enables ransomware threat actors to streamline their operations.