NCSC: Why Cyber Extortion Attacks No Longer Require Ransomware

Ransomware is becoming less of a factor as threat actors extort businesses with ransom demands deliberately priced below the regulatory fines a breach could attract.

NCSC's Paul Chichester speaking on stage at 44CON in London. Source: Dan Raywood at 44CON

44CON 2023 – London – Cyber attackers are becoming less reliant on ransomware to get victims to pay — instead using social engineering to extort money, according to a top official from the UK's National Cyber Security Centre (NCSC).

Speaking at 44CON in London, NCSC's operations director Paul Chichester said ransomware remains a major concern for the agency and for businesses, as the number of ransomware incidents continues to increase. But many attackers no longer use encryption malware at all: they simply steal data, post it on a leak site, and demand a payment in exchange for taking it down.

"We've seen criminals move from only encrypting data, to double extortion — encrypting it and threatening to leak it, to now, on some occasions, simply threatening to leak the data. It feels like they are keen to be as efficient as possible, or perhaps making it less painful for the victim, because generally people still pay to avoid their data being leaked," he said.

Double extortion is where the attacker steals data and demands a payment from the organization to have it returned, and often also deploys ransomware to encrypt networks and desktops. However, attackers increasingly are moving away from encryption malware and toward pure data-theft extortion tactics.

Defending against a cyber extortion attack takes more than keeping backups from which to restore systems and data. Organizations should also follow best practices on passwords and multifactor authentication, ensure efficient patch management, and provide security training for employees, experts say.

Who Is Paying Ransom?

NCSC's Chichester said the UK has a policy that recommends organizations do not pay ransom because the payments fuel the criminal ecosystem. Even so, some companies do pay in order to reassure their customers that their data is safe, he noted.

Sharing a story about a company that was attacked, Chichester said the attacker set the ransom demand lower than the likely GDPR fine, so that paying the ransom would appear cheaper than the regulatory fine, and therefore a saving for the company.

"That's not true by the way: You still have to pay a GDPR fine for a data breach, but that's the way that actors are socially engineering a victim," he explained.

Chichester said he has empathy for companies that are hit: he has seen incidents where everything is encrypted, the victim is locked down, and they feel they have no choice but to pay the ransom.

Fines for GDPR violations have ranged from £20 million, or $24 million, to $425 million. The UK Information Commissioner's Office, in its guidance on penalties, states that the maximum fine is £17.5 million or four percent of total annual worldwide turnover in the preceding financial year — whichever is higher.

Ransomware payments, meanwhile, have been reported as reaching up to eight figures, while the average payment by UK organizations in 2023 was $2.1 million.

Chichester praised collaboration with the UK industry sector, especially when organizations alert the NCSC to a ransomware attack. That way, the agency is able to study the malware and work with threat intelligence providers and research communities to help the victim — and sometimes act as a broker between the victim and the attacker.

"I'd much rather stop an incident than actually be responding to one," he said. "But we respond to and work closely with all of those organizations [that are hit]."

About the Author

Dan Raywood, Senior Editor, Dark Reading

With more than 20 years' experience in B2B journalism, including 12 years covering cybersecurity, Dan Raywood brings a wealth of experience and information security knowledge to the table. He has covered everything from the rise of APTs, nation-state hackers, and hacktivists, to data breaches and the increase in government regulation to better protect citizens and hold businesses to account. Dan is based in the U.K., and when not working, he spends his time stopping his cats from walking over his keyboard and worrying about the (Tottenham) Spurs' next match.
