After experiencing a significant cyber incident, many businesses understandably question what can be done to take action against those who carried out the attack.
Following the discovery of a cyber incident, the immediate focus is usually on containing and recovering from the incident, investigating, and co-operating with the authorities where required. Once the dust has settled, a victim’s attention often turns to the identity of the perpetrators and what action can be taken to bring them to account.
In this article, we lay out the ransomware landscape, discuss attribution and why it matters, and what can be done to bring cyber criminals to account.
The ransomware landscape
“Threat groups” are groups of individuals who organise and carry out cyber attacks. Many groups have sophisticated structures that mirror those of genuine businesses, with payments for “affiliates” or partners, and different “branches” within the organisation that carry out the different stages of an attack.
The landscape for ransomware in particular has changed in recent years. Previously, it was dominated by a small number of active and organised groups, with consistent motives and modes of operation. Within the last 12 to 24 months, the landscape has shifted, with law enforcement infiltrating some larger groups and others falling to “exit scams” where the key operators abscond without paying their affiliates.
As a result, many threat groups have splintered, new groups have formed and there has been an increase in solo actors or “lone wolves”. This makes it increasingly difficult to anticipate how a group will act during an attack, and can also make attribution more challenging.
What is attribution?
When we talk about attribution in a general sense, we mean positively identifying the perpetrators. This typically involves assessing information such as ransom notes, IP addresses, geolocation and tools used by the threat groups in order to identify who they are.
In an international law context, attribution means formally identifying a nation state as the perpetrator of a particular cyber act or event.
In both senses, attribution can be incredibly challenging, as many groups operate on a “ransomware-as-a-service” (RaaS) model, which means they effectively loan their malware to other individuals or groups. That means that identifying the malware that has been used does not necessarily tell you everything about the perpetrator.
Why does it matter?
Identifying the perpetrator of an attack can help to inform the response to an incident. For example, knowing which group is responsible can tell us whether they typically steal data, if they are commercially driven or state sponsored, if they operate a “leak site” or how they might act in a negotiation scenario (including the likelihood of being able to negotiate a reduced ransom payment). It can also help the IT team narrow down how the threat group may have compromised the environment in order to ensure effective containment steps can be taken. Often, a threat group will focus on particular vulnerabilities or methods of entry to a network.
In recent times, we have seen law enforcement use this type of intelligence proactively to warn companies that they may be at risk of falling victim to an attack. We have dealt with a number of cases where organisations have identified that their environments had been compromised but have been able to take action before any disruptive encryption process could be triggered.
Attribution can also be critical if an organisation finds that it needs to make a ransom payment in order to recover its systems. Before making a payment, a thorough check must be carried out to ensure that it would not breach any sanctions regimes. This involves cross-referencing key indicators of compromise, including the identity of the group and any crypto wallet addresses provided, against the various sanctions lists. Failure to do so could lead to civil and/or criminal penalties.
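The sanctions cross-check described above, as an added illustration that is not part of the original article: the group name (including known aliases) and every wallet address supplied in the ransom note are normalised and screened against a sanctions list. The list records, entity names and addresses here are all constructed placeholders; real screening would run against the current OFAC, OFSI or other applicable lists.

```python
import re
from dataclasses import dataclass, field

# Constructed, simplified sanctions-list records (not real designations).
# Real lists carry names, aliases and, for some entries, digital-currency
# addresses; this only mirrors that shape.
SANCTIONS_LIST = [
    {
        "name": "Example Ransomware Group",
        "aliases": ["ExampleRG", "Example-RG"],
        "addresses": [
            "bc1qexamplesanctioned0000000000000000000",       # constructed bech32-style
            "0xABCDEF0000000000000000000000000000000001",     # constructed hex-style
        ],
    },
]

def normalise_alias(name: str) -> str:
    """Fold case and strip punctuation so 'Example-RG' and 'example rg' compare equal."""
    return re.sub(r"[^a-z0-9]", "", name.lower())

def normalise_address(addr: str) -> str:
    """Hex (0x...) and bech32 (bc1...) addresses are case-insensitive, so fold them;
    legacy base58 Bitcoin addresses are case-sensitive and are compared exactly."""
    a = addr.strip()
    if a.lower().startswith(("0x", "bc1")):
        return a.lower()
    return a

def build_index(entries):
    names, addresses = {}, {}
    for e in entries:
        for n in [e["name"], *e["aliases"]]:
            names[normalise_alias(n)] = e["name"]
        for a in e["addresses"]:
            addresses[normalise_address(a)] = e["name"]
    return names, addresses

@dataclass
class ScreeningResult:
    blocked: bool
    reasons: list = field(default_factory=list)

def screen_payment(group_name, wallet_addresses, entries=SANCTIONS_LIST) -> ScreeningResult:
    """Return blocked=True with one reason per matching indicator."""
    names, addresses = build_index(entries)
    result = ScreeningResult(blocked=False)
    if group_name and (hit := names.get(normalise_alias(group_name))):
        result.reasons.append(f"group '{group_name}' matches listed entity '{hit}'")
    for w in wallet_addresses:
        if hit := addresses.get(normalise_address(w)):
            result.reasons.append(f"wallet {w} is listed under '{hit}'")
    result.blocked = bool(result.reasons)
    return result
```

Any match is grounds to halt and escalate to legal counsel; a clean result only means no indicator matched the list as loaded, so the list must be current and the group's aliases kept up to date.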
Does that mean we can bring those responsible to justice?
There are several pieces of legislation that make cybercrime illegal (the Computer Misuse Act 1990 for example), but taking direct action against the groups that carry out ransomware attacks is usually difficult. Threat groups use various tactics and techniques to obfuscate their activities and hide their actual locations. Threat actors use proxy servers, services that anonymise activity (e.g. Tor browsers) or virtual private servers, which do not reveal location information to the web.
Notwithstanding those challenges, a thorough investigation and attribution can provide law enforcement with valuable intelligence about how particular groups operate. Over the past year, we have seen a number of successful law enforcement operations to infiltrate and dismantle large ransomware operators. One of the most notable recent successes was the demise of LockBit in early 2024, at the time one of the most prolific ransomware groups. Whilst the group have attempted to restructure and continue their operations, they have so far failed to reach their previous heights.
Attribution also potentially opens the door to tracking and recovery. Threat groups generally seek payment of ransoms via cryptocurrencies, using anonymised crypto wallets. Once the initial payment is made, it is fragmented and passed through “mixers” to conceal its source. There are now a number of organisations that specialise in digital asset tracing, which allows these payments to be accurately tracked. Understanding where ransom payments ultimately end up is another valuable tool for law enforcement to understand the structure of ransomware groups, as well as potentially attempting to recover funds.
What can businesses do to help combat cybercrime?
If a business experiences a ransomware incident, the attack should immediately be reported to Action Fraud, at https://www.actionfraud.police.uk/reporting-fraud-and-cyber-crime, or by calling 0300 123 2040 Monday to Friday between 8am and 8pm.
The National Crime Agency (NCA) said that reports from impacted businesses were integral in helping them take action against LockBit, and that in general, the earlier a crime is reported, “the faster the NCA and partners are able to assess new methodologies and limit the damage [threat groups] can do to others.” Ultimately, the takedown led to the closure of 14,000 rogue accounts, the freezing of 200 cryptocurrency accounts, and the takedown of 34 servers used to facilitate LockBit’s operations.
If a ransom payment is necessary, organisations should also consider the merits of digital asset tracing. In the event that law enforcement is able to seize assets, this can be a valuable tool in obtaining a recovery.
In short, whilst not strictly mandatory, this attribution process and engagement with law enforcement can have a huge impact on the overall trajectory of the cyber landscape, potentially preventing other organisations from falling victim.