
44CON: Ransomware is Most Significant Threat to UK and Most Overwhelming Issue

NCA acknowledges successes but calls for more collaboration with public and private sector.


Ransomware is the most significant threat to the UK, and the most overwhelming issue that law enforcement deals with, and is “a national security issue.”

Speaking at 44CON in London, Will Lyne, head of cyber intelligence at the NCA, said there is a variety of attackers faced - from hacktivists to lone wolves - and these operators tend to be tied to one location, and groups often work in closed operations. “We now see automatic and big game hunting from a targeting perspective, and it is really sophisticated and individuals are really quick to leverage vulnerabilities,” he said.

Lyne said that threats do change and “it’s no longer black or white” or in ‘stove pipe’ perspectives, and “everything sits in a grey space, and it is hard to see the difference between attackers getting into networks and cyber intrusion where ransomware can be launched.”

“I like to think of it as a blended type of threat, and there is loads of overlaps,” he said. 

Cybercrime Ecosystem

Looking at how things have changed, Lyne said the cyber-criminal underground is like the Mos Eisley Cantina Bar, where “you can get anything and everything you may want,” and there is an ecosystem “that supports and enables this business model.”

However, there is a difference in the way money is moved when it comes to ransomware. Previously, malware operators in the ecosystem needed money mules, and the amount received by the operator was affected by how many people took a cut of the profits. Now a ransomware operator can expect to see 99.5 percent of the money, Lyne said. “It’s pretty cheap, and it’s pretty low risk.”

He said: “Ransomware is a symptom of this cybercrime ecosystem, which created the conditions for something like ransomware to come along: and ransomware does two things: It lowers the barrier of entry for getting into cybercrime, and this has proliferated high-end tools and capabilities.”

Ransomware Variants

Considering the response of the NCA, Lyne said it targets the ecosystem that supports and enables the ecosystem. He said it previously went after the ransomware variants, of which there were maybe eight at the start of this decade, but now there are 70-80 variants “and that is too many to track and we’ve not really had the impact that we wanted to.”

He said now it is about disruption, as the operators cannot be arrested, as well as demonstrating its impact. This requires being agile and collaborative, and Lyne admitted the NCA is set up to deal with traditional, serious organised crime, which are geographically specific threats.

Collaboration

When it comes to cyber, though, Lyne said the audience “knows more than me” and he admitted that the NCA has to collaborate closely with public and private sector partners “as we recognise that we cannot do this alone, and we recognise that there is amazing expertise and capability out there.”

He also said that delivering results in cybercrime investigations “looks really different to how you deliver investigations into a drug trafficking network, as law enforcement does not need extra expertise to do that.”

He admitted that there has been “some success” and the NCA has improved and developed a good number of actions, including the disruption of Emotet in 2021, the Hive takedown in 2023, and the sanctions issued in the investigation into Trickbot in 2023.

“We’re learning lots and lots in this space as a community as we go along, so our partnerships in this space are really strong,” he said. “To continue to keep up we’ve got to keep learning, and we really want to collaborate.”


Dan Raywood, Senior Editor, SC Media UK

Dan Raywood is a B2B journalist with more than 20 years of experience, including covering cybersecurity for the past 16 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.

He has spoken at events including 44CON, Infosecurity Europe, RANT Conference, BSides Scotland, Steelcon and ESET Security Days.

Outside work, Dan enjoys supporting Tottenham Hotspur, managing mischievous cats, and sampling craft beers.
