Targeting individual ransomware strains is confusing and even unhelpful in tackling this threat vector, according to a joint report from the UK’s National Cyber Security Centre (NCSC) and National Crime Agency (NCA).
Threat actors are too quick to reassemble and rebrand after being taken down for a focus on tackling specific ransomware strains to be effective, the agencies suggested.
The Whitepaper, which examined how the tactics of organized criminal groups (OCGs) have evolved since 2017, said that the deployment of ransomware attacks relies on a complex supply chain, supported by a variety of services and encompassing a range of different cyber-criminals who conduct or facilitate the malicious activity.
Instead of homing in on individual ransomware strains, the NCSC and NCA advocated a more holistic approach that targets the threat actors further upstream, in addition to playing ‘whack-a-mole’ with the ransomware groups.
NCA Director General of Threats, James Babbage, stated: “The proliferation of capable cybercrime tools and services, and subsequent lowering of the barrier of entry, means that ransomware, especially ransomware-as-a-service, will continue to be a significant threat to UK individuals, businesses and organizations.
“The NCA is focused on combating this threat by targeting the highest harm cyber actors and undermining the cyber-criminal ecosystem that enables their offending.”
The report added that “traditional criminal justice outcomes” are difficult to achieve against cyber threat actors “based in uncooperative regions.”
Therefore, governments and law enforcement must engage in a wider range of disruptive approaches, including collaborating internationally to pursue criminals when opportunities arise and using cyber sanctions to hit the business models of individual threat actors.
Ransomware Group Evolution
The NCSC and NCA said that ransomware remains the most “acute” cyber threat to most UK organizations, with gangs continuously adapting their tactics to maximize profits.
The Whitepaper observed that prior to 2017, ransomware primarily focussed on encrypting single devices in large organizations. However, as businesses got better at preparing for and responding to these attacks, ransomware gangs have refined their models.
A major development has been the shift to the ransomware-as-a-service model, enabling criminals with limited technical skills to launch attacks by using pre-developed ransomware tools. This marketplace has been facilitated by the growing availability and legitimate trade of cryptocurrency.
The NCSC and NCA also emphasized how OCGs are operating much like legitimate businesses, with offices, salaries, holiday and sick pay, and other benefits. These groups have traditionally carried out the most serious cyber-attacks.
The agencies said the major threat to the UK emanates from the Russian-speaking cyber-criminal community, which has benefited from the larger OCGs helping shape the forums where these services are traded.
The majority of cyber-criminals act opportunistically, either through buying accesses that they deem likely profitable, or by scanning for a vulnerability in a product likely used in enterprise networks. This is opposed to targeting a particular organization or business sector, as there is usually far less return on investment for criminals to specifically target a single entity.
As a result, the vast majority of ransomware incidents stem from large-scale access gathering that is filtered later to identify those most likely to be suitable for ransomware.