Will Lyne, head of cyber intelligence at the National Crime Agency, is speaking at this week’s Infosecurity Europe conference about cyber criminal trends. Ransomware, and other varieties of cyber attack on the public, are, he said, becoming commoditised beyond the traditional provenance of Russian-speaking expert coders.
Lyne has worked in law enforcement for over 15 years. From 2011 to 2013, he worked in Afghanistan delivering counter-narcotics investigations with local, military and international partners, before joining the National Cyber Crime Unit in 2013. He was assigned to the FBI’s Cyber Division in Washington from 2016 to 2020.
He has played a leading role on high-profile cases including disruptions of the EvilCorp cyber crime group, and Operation Destabilise, which disrupted a multi-billion global Russian illicit finance network.
Lyne is also currently working on a doctorate at the University of Cambridge Institute of Criminology, focusing on the ecosystem that generates ransomware.
In an interview in advance of Infosec, he said ransomware is the highest-priority cyber crime threat to the UK, and has gone from a “niche cyber crime issue in the late 2010s to being a national security problem”.
“In 2021, we had really significant attacks like the ransomware attack on Colonial Pipeline,” said Lyne. “That really brought ransomware to the fore and made it more widely understood.”
At Infosec, he’s speaking on a panel called Ransomware 3.0: How attackers are changing their thinking, alongside Jeremy Banks, vice-chair of the NPCC Cybercrime Team at the National Police Chiefs Council; Magnus Jelen, lead director of incident response for the UK and EMEA at Coveware by Veeam; and Jen Ellis, founder of NextJenSecurity.
Ransomware ecosystem
What is meant by an “ecosystem” in the context of ransomware? Lyne said he thinks of ransomware as a product or symptom of a cyber crime ecosystem, which is best understood as a collection of individual threat actors and technical capabilities that are available on the internet, and that come together and interact to form steps of a cyber crime business model.
“The ecosystem enables cyber crime,” he said. “Ransomware is the most pernicious of cyber crime threats, and the most significant that we’re looking at at the moment. It is our priority cyber crime threat within the National Cyber Crime Unit. It is a national security issue in its own right, and I think that it will continue to be our highest priority for some time to come.”
The harm is to the public and is not only financial, but psychological, social and economic, he said. “It’s like drugs – the harm there is not just to the people taking them,” said Lyne.
He said the Scattered Spider cyber crime group that seems to be behind the recent spate of attacks on retailers, notably Marks & Spencer, is interesting as an instantiation of current trends. It is not a Russian-language group, but Anglophone, and most probably staffed by young males in their teens and 20s, with no real need for advanced computer coding skills. It’s teenage kicks.
“We are seeing lower barriers to entry [to cyber crime], with reduced costs of buying tools and the language skills needed to get in,” said Lyne. “Traditionally, you’d have to be a Russian-speaker with a reputation in the ecosystem, coding skills, and so on.”
Nor is this democratisation of cyber crime down to the rise of generative AI, he said. “While 10 years ago, you could buy some type of cyber capabilities and tools online, now you can get more powerful ones – it’s cheaper and easier,” said Lyne. “The tooling required is more accessible now, so it opens up the field to non-Russian cyber criminal groups. We are seeing the locus maturing and moving to everywhere else than Russia. Scattered Spider is one symptom of that.”
But even the traditional Russian cyber crime groups are not like hierarchical Sicilian Mafia operations. They are more like loosely managed tech startups than well-run, large IT companies, he said. “EvilCorp did have a well-understood hierarchy, but most do not,” added Lyne. “They operate with a ‘minimum viable product’ to make the money they want to.”
Nevertheless, the ransomware threat is evolving.
“We’ve had commodity ransomware, then you had human-operated ransomware, and double extortion came in where they’re stealing sensitive data from victims and then using that as extra leverage,” he said. “We’re increasingly seeing encryption-less extortion, where groups are just stealing data from victims and extorting them.
“We’re also seeing a shift of threat actors moving away from using the big centralised platforms, the big marketplaces where they used to go and obtain credentials for potential victims, whereas we’re seeing a lot of those interactions go to more peer-to-peer trading in the ecosystem,” added Lyne.
He finished the pre-conference interview with Computer Weekly with an appeal to information security professionals to consider joining the National Crime Agency.
“I love this job,” said Lyne. “Yes, we are facing up to bad dudes, but that provides motivation because of the harm they do to vulnerable members of the public. We can make a difference to communities up and down the country. It is a hard job, though. These groups are hard to deliver impactful operations against.
“We can’t do it in isolation,” he added. “With the drugs threat, we know a lot from where the drugs are grown to who the dealers on the street are. With cyber crime, there is vast knowledge in the private sector and academia. With the disruption of Lockbit and Evil Corp there was a kaleidoscope of national and international law enforcement partners to deliver that.
“We’re collaborating really well in the public sector, with our partners in policing or partners across government – better than we ever have been – both nationally and internationally,” said Lyne. “But we’re also partnering with the private sector better than we’ve ever been as well, and that is really important for us to be able to do what we do. It’s important work.”