UK Crime and Cybersecurity Agencies Urge ‘Holistic’ View of Ransomware Ecosystem
Stopping the ransomware epidemic is less about tackling individual crypto-locking malware variants and more about combating the entire ecosystem of bad actors underpinning digital extortion, the British government said Monday.
Behind any infection from name-brand ransomware such as LockBit or BlackCat lies a loose network of affiliates, initial access brokers and other actors, warned the U.K. National Crime Agency and National Cyber Security Center in a white paper.
“While on the surface, an attack can be attributed to a piece of ransomware, the reality is more nuanced, with a number of cybercriminal actors involved throughout the process,” the agencies said.
“Tackling individual ransomware variants – something which the NCSC and NCA are frequently challenged on – is akin to treating the symptoms of an illness, and is of limited use unless the underlying disease is addressed.”
Law enforcement agencies might succeed in identifying groups, but without a “holistic view” of the ransomware ecosystem they are reduced to playing whack-a-mole with ransomware groups, the white paper asserts.
“Typically it’s the affiliate that obtains and uses the access, not the ransomware-as-a-service group,” the agencies said. “This is an important distinction in the eyes of the law and is actually two different offences under the Computer Misuse Act, 1990.”
This means that writing and selling ransomware is considered a lesser crime under British hacking law. An initial access broker, despite typically not obtaining revenue directly from ransomware attacks, could face a much more severe punishment.
British officials have called for lawmakers to revise the hacking law, saying that its jurisdiction, which is limited to U.K. persons or someone using U.K. infrastructure, makes it difficult to prosecute hackers acting from overseas, such as ransomware groups (see: UK National Crime Agency Head Calls for Hacking Law Updates).
Despite these challenges, a “follow the money” approach that tracks down crooks’ cryptocurrency wallets has proved increasingly effective for law enforcement agencies in the U.K. and elsewhere in identifying and dismantling ransomware infrastructure, the report says.
These actions have resulted in U.K. and U.S. agencies sanctioning 11 TrickBot operators and, months earlier, sanctioning seven other TrickBot operators.