NCSC Annual Review reveals ransomware business model driving attack success

Ransomware actors are increasingly adopting organised, business-like methods to target and exploit UK organisations.

locked data / bitcoins
Metamorworks / Nature / Getty Images

The UK National Cyber Security Centre (NCSC) today released its latest Annual Review detailing cyberthreat trends of the past 12 months and the work it has undertaken to help protect the UK. The review outlines a record 777 cyberattacks tackled by the NCSC in 2021, the damaging effect of professional, organised ransomware campaigns on UK organisations, and highlights the continued evolution of the ransomware-as-a-service (RaaS) business model. This is where off-the-shelf malware variants and online credentials are available to criminals for a one-off payment or a share of profits.

“We’ve been tackling a growing trend in criminal groups using ransomware to extort money on the internet. I see this now as the most immediate cybersecurity threat to the UK and to UK businesses – the public sector in particular,” said NCSC CEO Lindy Cameron, speaking to introduce the review.

Professional ransomware groups becoming more successful

NCSC cited increasing success rates for ransomware groups that are adopting business-like approaches. In doing so, they are securing significant ransom payments from large companies who cannot afford to lose their data to encryption or to suffer the down time while their services are offline. The NCSC observed attackers offering victims services such as 24/7 help centres that support them in paying ransoms quickly to get back online, aimed at making paying ransoms a simpler option for impacted businesses.

Ransomware groups are also investing more time in researching targets to identify weaknesses to make attacks more impactful and likely to succeed. “They will use spoofing and spear phishing to masquerade as employees to get access to the networks they need. They will look for the business-critical files to encrypt and hold hostage. They may identify embarrassing or sensitive material that they can threaten to leak or sell to others. And they may even research to see if a potential victim’s insurance covers the payment of ransoms,” the review read.

Whilst this reconnaissance can be lengthy and requires considerable resource, it means that when attacks are ready to deploy, the impact on an unprepared business can be brutal, the NCSC said. “Files are encrypted. Servers go down. Digital phone lines no longer function. Everything comes to a halt and business is stopped in its tracks.” In terms of attack entry points, the NCSC highlighted increasing exploitation of vulnerabilities in virtual private networks (VPNs) and unpatched software.

Addressing sophisticated ransomware operations

Whilst ransomware actors are profiting from more business-like and organised approaches, UK organisations can use a growing number of services to protect themselves against ransomware or mitigate the impact of an attack. “As well as implementing practical cybersecurity measures and following advice, an important defence against ransomware is to understand the ever-evolving threat picture and working with others to share information and good practice,” the review read.

One example is the NCSC’s Cyber Security Information Sharing Partnership (CISP) service, which provides a secure forum where companies and government can collaborate on threat information. It also gives access to regular sensitive threat reports.

Copyright © 2021 IDG Communications, Inc.

Microsoft's very bad year for security: A timeline