Ransomware in the underworld.

The UK’s National Cyber Security Centre (NCSC) and National Crime Agency (NCA) have published a report looking at ransomware’s place in the cybercrime ecosystem, outlining the attack chain used by ransomware actors. 

Advice from NCSC and NCA: look at the big picture first.

The agencies believe a broad view of the ransomware landscape is necessary to address the problem more effectively: “While on the surface, an attack can be attributed to a piece of ransomware (such as Lockbit), the reality is more nuanced, with a number of cyber criminal actors involved throughout the process. Tackling individual ransomware variants – something which the NCSC and NCA are frequently challenged on – is akin to treating the symptoms of an illness, and is of limited use unless the underlying disease is addressed. Taking a more holistic view by understanding the elements of the wider ecosystem allows us to better target the threat actors further upstream, in addition to playing ‘whack-a-mole’ with the ransomware groups.”

Look at the ecosystem, not the pests.

Thus the variants are less important than the attack surfaces they hit, and the responses the organizations mount.

James Babbage, Director General of Threats at the National Crime Agency, said, in his foreword to the report, “[A]n investigative response to an individual ransomware attack will rarely be productive in itself. Instead our disruption strategy, complementing efforts to build resilience, is based on understanding and undermining the increasingly sophisticated criminal ecosystem behind these threats especially focusing on common enablers and vulnerabilities. This is an integral part of the NCA’s broader shift of ‘focus upstream, overseas and online’, degrading the most harmful organised criminal groups (OGCs) by targeting those at the top of the chain, tackling the threat at source, and combating their use of technology.”