As 2023 starts to draw to a close, it is an appropriate time to take stock of the Cyber landscape as it is and more specifically, threat actors that have been prevalent over the past year. With lower barriers to entry and an expansive risk environment, the cost of cyber-crime has reached £6.6 billion, surpassing more traditional types of illegal economies.1 Ransomware-as-a-Service has morphed into Crime-as-a-Service, which has commoditised access to and proliferation of malicious tools including sophisticated attack methodologies which are driving criminals to innovate tactics and collaborate like a commercial enterprise. The industry has become a complex supply chain of subject matter experts in social engineering, credential theft, malware development and money laundering. All this has been backed by the highly persistent and well-funded criminal underworld.
The attack surface available to threat actors has been ever expanding with reliance of technology. Data has become a currency and technology advancement has driven the development of new threat types. The complexity of the eCrime ecosystem and its business model has accelerated the degree of impact on victims and increased the likelihood of compromise. Many of the recent cyber-attacks have been either directly or indirectly attributed to syndicates from specific geographies, such as countries within post-soviet nations.
Based on the 2023 NCA’S National Strategic Assessment, threat actors from Russian-speaking countries have been predominantly responsible for Ransomware-as-a-Service campaigns in the UK. MOVEit2, one of the largest cyber-attacks this year, was led by a ransomware group from this region, which brought to light the growing affiliate network supporting downstream activities for some of the world’s most prolific cyber-crime organisations.
Threat Environment
With the proliferation of ransomware and eCrime services, it has become easier for criminal enterprises and nation states to farm off parts of the cyber kill chain to the vast criminal supply chain ecosystem that has emerged. Following the invasion of Ukraine, ransomware groups adapted their methodologies as a large market for affiliate resource operated out of this region. In addition, the global response to the war made it more difficult for cyber criminals to launder money as a result of the increasingly stringent financial sanctions. These challenges forced these organisations to adapt new methodologies, develop more complex wats of driving extortion payments and restructure their governance to allow for more resilient business operations. By building platforms that function as a service, ransomware groups have opened the door for criminals with less technical expertise to engage with the market as more processes are becoming automated across the cyber kill chain. The drive to diversify Tactics, Techniques and Procedures (TTPs) has unlocked a new frontier of human operated ransomware.
With the commercial goal of maximising payout, big game hunting is driving cyber criminals to target large organisations with substantial financial resources. The approach that these groups take will depend on the type of industry and associated risk profile, which will yield the highest return on investment. For example, an attack against a healthcare organisation may be driven by an extortion only outcome due to the criticality and sensitivity of patient data. Conversely, an attack on a manufacturing company may be driven by both an extortion and disruption outcome. Some of the most sophisticated threat actors are even adjusting ransomware demands based on intelligence they have gathered about the victim’s insurance coverage.
The use of cryptocurrency has played a critical role in the proliferation of cybercrime due to the difficulty around attribution, as currencies such as Bitcoin provide a level of privacy that traditional financial transactions do not offer. These types of transactions are attractive to cyber criminals as they can support in the facilitation of illicit activities such as ransomware payments, money laundering and purchase of services on the darknet. However, law enforcement and intelligence agencies are employing various strategies to combat the evolving strategies of cyber criminals, such as Bitcoin analysis, digital forensics and information sharing across jurisdictions.
Impact to investigations
The dynamic nature of cyber criminals requires constant adaptation and collaboration from the critical organisations tackling this global threat. Historically, government bodies have taken a more siloed approach to cyber-crime, examining specific strains of ransomware. As the commercial ecosystem for ransomware has expanded, agencies are moving towards a method that increase understanding around threat actor behaviour and motivations rather than on specific tooling for deployment. For the NCA and the NCSC, there is now an emphasis on global collaboration, real-time monitoring, and sanctions. Just as ransomware groups collaborate with specialists and external service providers, law enforcement and intelligence institutions are also joining forces to improve as well as enhance their operational capabilities globally.
In January 2023, an investigation facilitated by the NCA, FBI and BPOL led to the successful shutdown of a commonly used ransomware called HIVE. It has previously been responsible for over $100 million in extortion payments. Another recent collaboration involved government bodies from 17 different countries, which ultimately drove to the demise of Genesis Market, one of the world’s largest criminal marketplaces used to buy and sell user credentials, IP addresses and other sensitive data.
As most of these ransomware groups prioritise objectives based on financial gain, one of the other disciplinary tactics that law enforcement and intelligence agencies have recently adopted are sanctions regimes. With support from partners in the US, the UK announced its first cyber sanctions against seven ransomware criminals from Russia earlier this year. These sanctions involve restriction on entities as well as individuals with the aim of deterring malicious behaviour and criminalising extortion payments. The process of sanctioning these types of criminal organisations requires detailed analysis and thorough investigation as attribution is often particularly difficult.
However, there is also scepticism around the effectiveness of cyber sanctions in limiting the frequency of attacks facilitated by criminal organisations residing in countries like Russia. Some argue that this type of deterrence may even prompt further acts of aggression against the region imposing the sanctions. While some institutions and agreements have been developed such as the Joint Cybercrime Action Taskforce, there are still very few formal collaboration methodologies for international communities to work together on addressing. It could also be said that the rise of cyber sanctions could be an indicator of the lack of global policy around ransomware and eCrime. The impact of sanctions on the proliferation of these types of crimes is multifaceted and a successful course of action must involve a comprehensive approach that combines international cooperation, legal measures, and advancement in investigation tooling. Driving the way forward, the NCA and the NCSC have been adopting this complex strategy by adjusting investigation policies to focus on the broader landscape of high-profile threat actors.
Conclusion
From opportunistic to human operated ransomware, the objectives of cyber criminals have changed from a focus on quick win monetisation, mass disruption and causing reputational embarrassment, through complex enterprise attacks. There is a vast ecosystem of threat actors contributing to the various activities along the cyber kill chain from initial access and compromise, to developing and deploying malicious software. Global cooperation, legal measures, digital forensics as well as threat intelligence will be pivotal in staying ahead of these sophisticated criminal organisations and the integration of technologies such as artificial intelligence will be critical in mitigating cyber risk. As law enforcement and intelligence bodies start to amend their existing investigation strategies, these adaptable methodologies will contribute to proactive prevention and deterrence, which will in turn safeguard society and maintain the integrity of digital environments.
Sachin Bhatt, Technical Director of CyXcel. He previously served as an incident management lead in CERT-UK and the UK’s National Cyber Security Centre complemented by over a decade long career in government.
Sasha Henry, Senior Management Consultant at CyXcel, has worked as a consultant across a diverse set of professional services firms including insurance, information technology, internal audit and legal.
1 Cybersecurity Trends & Statistics For 2023: What You Need To Know (forbes.com)
2 MOVEit vulnerability and data extortion incident – NCSC.GOV.UK
