Ransomware Enters the Post-Trust Ecosystem, According to NCA Cybersecurity Expert


The ransomware landscape has transitioned into what is termed a “post-trust ecosystem,” characterized by fragmented and increasingly distrustful cybercrime groups operating amidst heightened law enforcement scrutiny. This assertion comes from William Lyne of the UK’s National Crime Agency (NCA).

Consequently, organizations face an unpredictable and possibly more hazardous threat environment. Recent years have witnessed significant law enforcement actions disrupting some of the most notorious ransomware groups. As these operations conclude, a more fragmented cybercrime landscape emerges.

As the Head of Intelligence at the NCA’s National Cyber Crime Unit (NCCU), Lyne has played a pivotal role in notable actions, including the takedown of the Evil Corp ransomware syndicate in 2019 and Operation Destabilise, which disrupted a major illicit finance network. He is set to address ransomware trends and future expectations during the forthcoming Infosecurity Europe 2025 conference.

In his presentation titled “Ransomware 3.0: How Attackers Are Changing Their Thinking,” scheduled for June 3 at 16:40 BST, Lyne will be joined by other cybersecurity experts, including law enforcement officers and industry leaders.

For Lyne, 2024 marked a critical juncture in ransomware evolution. Multiple law enforcement disruptions occurred alongside significant developments within the cybercrime ecosystem. He highlighted the “exit scam” executed by the BlackCat/ALPHV group and Operation Cronos, a global crackdown against LockBit, both of which shaped the operational landscape of financially motivated cybercriminals.

These operations not only dismantled the infrastructure of ransomware groups but also significantly affected their reputations in the cybercrime community, exposing operational security lapses and revealing the identities of key administrators. Ransomware decryptors were also shared with victims, further undermining the attackers’ credibility.

The impact of these disruptions extends beyond mere infrastructure takedowns; they aim to diminish trust and confidence within the ransomware ecosystem. Innovative approaches used in these operations included commandeering the ransomware groups’ own leak sites to announce successful takedowns and engaging with attackers through social media.

Lyne explained that traditionally, actors within the ransomware ecosystem would leverage large as-a-service platforms to assemble the resources needed for their operations. This model thrived during the heyday of Ransomware-as-a-Service (RaaS). However, no dominant player comparable to LockBit exists today, leading to a fragmented environment. Many smaller, more agile groups now operate in a peer-to-peer manner rather than relying on established affiliate programs.

This evolution is attributed to several factors, including a notable decrease in ransomware payments due to extensive law enforcement actions. Reports indicated a shift in the operational tactics of ransomware affiliates, necessitating diversification in their approaches.

The barrier to entry into cybercrime has dropped significantly, a trend accelerated by open-source projects and AI tools that allow individuals with minimal technical knowledge to execute cyber-attacks. This phenomenon has been described by security analysts as “Franken-ransomware.”

Moreover, newer ransomware actors now understand the risks associated with maintaining a high profile within major groups, which increases their exposure to law enforcement scrutiny and cybersecurity responses.

Another notable development in this fragmented landscape is the rise of ransomware cartels. Unlike previous models where individuals partnered with RaaS platforms, cartels enable affiliated groups to use ransomware tools while rebranding them independently, effectively commoditizing the ransomware service industry.

DragonForce is one such group. It has publicly announced intentions to implement a ransomware cartel model and is believed to have supplied tools for cyber-attacks on significant UK retailers.

The evolution of the ransomware ecosystem will be a focal point at the upcoming conference, where participants will explore the latest trends and developments within this critical domain of cybersecurity.