for Serious and Organised Crime
The cyber crime threat to the UK continues to evolve. The deployment of ransomware remains the greatest cyber serious and organised crime threat to the UK and its use threatens Critical National Infrastructure and poses a risk to national security. Ransomware attacks can have a significant impact on victims due to financial, data and service losses, which can lead to business closure, inaccessible public services and compromised customer data.
Russian-language criminals operating ransomware as a service continue to be responsible for most high profile cyber crime attacks against the UK. Some of these high profile Russian-language groups are known to have links with the Russian state. However, it is highly likely that in most instances these links extend only to tolerance of their activities.
These organised crime groups are becoming more capable and, in some instances, have claimed to introduce stricter controls over the activities of affiliates to improve the effectiveness of their operations. For example, some groups have taken steps to limit their exposure to law enforcement by trying to avoid targeting Critical National Infrastructure and healthcare institutions providing lifesaving medical treatment. There is no guarantee these groups will prove willing or able to enforce their own rules. The attacks against European energy companies in 2022 demonstrate that cyber criminals are still willing to attack, and capable of attacking, high profile targets.
High-end cyber crime groups continue to improve their business models, almost certainly to make it easier and quicker to extract funds from victims. Extorting victims by threatening to sell or publish stolen data is an established part of the ransomware criminal business model. Newer developments to further pressurise a victim into paying a ransom include making stolen data searchable online or threatening a distributed denial of service attack to publicly disrupt a victim’s services.
Ransomware groups highly likely adapted their methods immediately after the Russian invasion of Ukraine to overcome operational disruptions, such as loss of access to Ukrainian affiliates and their skills, and difficulties in laundering criminal profits. Ransom payments were disrupted as victims were discouraged from paying criminal groups linked to the Russian state. As a result, groups used different ransomware strains, rebranded, and added new methods to pressurise victims into paying.
The wider cyber crime landscape is supported by online marketplaces selling compromised data and tools that enable cyber crime. Cyber tools, including ransomware, are increasingly available to a wide range of cyber criminals, alongside service providers who can provide access to online systems. This marketplace also enables criminals from other threat areas, and enables cyber criminals with only basic capabilities to cause serious harm to UK businesses and individuals.
Cyber criminals will almost certainly continue to exploit current events in their criminal campaigns, for example by using cost of living issues as a lure in phishing campaigns or by targeting ransomware at sectors perceived as being under pressure. This perceived pressure can be used to compel victims to pay ransoms to restore operations quickly.
Beyond ransomware, the cyber crime threat continues to be high. UK organisations and the public face significant threats from less sophisticated cyber crime, such as distributed denial of service. Malicious emails, aimed at stealing information or encouraging victims to download malware, continue to feature regularly. The compromise of social media and personal email accounts is also a growing trend.
Protect yourself by securing your accounts, data and devices:
Recognise and break suspicious contacts:
Report the incident:
National Cyber Security Centre guidance on Ransomware
Law enforcement does not encourage, endorse nor condone the payment of ransom demands. If you do pay the ransom:
More information is available on the NCSC website.
A cyber attack on Advanced, a company providing services to health care, including some linked to the NHS 111 service, caused disruption to the NHS throughout August 2022.
Affected services included patient referrals, ambulance dispatch, out-of-hours appointment bookings, mental health services and emergency prescriptions.
This example also demonstrates how a cyber attack on a third party provider can have serious consequences beyond the immediate victim and impact customers that rely on its services.