The ransomware industry has evolved into a sophisticated supply chain that often defies western governments and leaves unprotected businesses on the back foot, a UK assessment has found.
Ten years after Cryptolocker, the first large-scale ransomware attack, the industry has thrived on businesses’ weak online security. Criminals now sell each other software vulnerabilities, run franchise-style schemes that let lower-skilled beginners deploy the malware, and operate marketplaces to trade access to already compromised businesses.
The assessment, from the National Cyber Security Centre, part of GCHQ, and the National Crime Agency, comes as it has become increasingly clear that prosecutors in Russia, Belarus and a handful of other former Soviet countries have little inclination to crack down on this lucrative crime. Ransomware operators have also been detected in south-east Asia, India and west Africa.
“Traditional criminal justice outcomes are hard to achieve against actors based in uncooperative jurisdictions,” James Babbage, the NCA’s director general for threats, said in the report.
Instead, the US, UK and their allies have had to rely on technical means to dismantle some of the most prolific criminal networks, including the recent operation to take down the Qakbot botnet, which had infected millions of computers with its malware, and sanctions against the creators of another, Trickbot.
“Over the years, ransomware has proven itself as a tried-and-true method for extorting money from victims,” said Chester Wisniewski, a field chief technology officer at Sophos. “Now, ransomware is an everyday part of the criminal threats we face.”
Businesses could have deflected many of these threats by improving their “cyber hygiene”, the assessment said on Monday. Companies often fail to deploy multi-factor authentication, an easily implemented industry standard, while others tolerate weak passwords or do not patch every computer on their network.
“Implementing such measures would interrupt the majority of ransomware attacks,” the report published on Monday said.
In some cases, US authorities have been able to seize the cryptocurrency wallets into which criminals receive their payments, made in exchange for the decryption key that unlocks the data on their victims’ computers.
In recent months, the hacker group CL0P has hit dozens of western companies that rely on the MOVEit file transfer software from US-based Progress Software. The software is designed to move confidential data securely and was used by businesses and institutions such as the BBC, British Airways, Boots and several US state government driving licence databases.
Now, on its dark web site, CL0P openly negotiates with its victims and shames those who refuse to pay by posting hundreds of gigabytes of payroll information, industrial designs and internal emails and documents. Most payments are made secretly in cryptocurrency, which is difficult to trace to a real-world identity once it has been laundered through mixers and exchanges in uncooperative jurisdictions.
Estimates vary but the industry has expanded into a multibillion-dollar business. One gang, Conti, made more than $180mn in 2021, the UK government has estimated, a sum that included at least £10mn from UK businesses.
The May 2021 attack on Colonial Pipeline in the US, which shut down the country’s largest fuel pipeline for days and pushed up fuel prices, was the most public example of the impact of ransomware on a business, but dozens of companies are attacked daily, nearly all based in the west.
Detection has improved, but cybercriminals are still ahead of governments and businesses in efficiency and speed, the UK-based cyber security company Sophos found. Its latest figures indicate that criminals take less than a day to begin stealing data, while it takes defenders on average five days to detect an intruder’s presence on a network, down from eight in 2022.
“What we’ve increasingly seen over the past three years is an increasing mechanisation and professionalisation among the criminals,” said Sophos’s Wisniewski. “Not only are ransomware criminals striking the final blow in only five days, they’re going for the jugular,” he added.