The cybercriminal ecosystem: Evolution and extortion

By Lindsay Hill, CEO, Mitigo Cybersecurity

2 February 2023

Cybercrime is a dynamic landscape, with not only the types of attacks but the nature of the operators or gangs involved becoming ever-more sophisticated. Understanding the ecosystem in which cyber criminals operate is the first step in understanding and managing the risks involved.

Businesses working in professional services rely on their reputation and hold large amounts of confidential and valuable information belonging to their clients and the projects they work on. This combination makes them an ideal target for cybercriminals who, once inside a firm’s IT systems, will use a number of different tactics to hold the firm to ransom.

The professional services sector has seen a worrying number of cyberattacks in recent years. Law firm Ward Hadaway was threatened with the publication of confidential documents obtained in a cyberattack, which the hackers were holding to ransom in a bid to blackmail the firm out of $6 million. Meanwhile, listed law firm Ince Group suffered a devastating attack which is estimated to have cost the firm £5 million, with other far-reaching consequences. The hackers of Kingfisher Insurance claimed to have stolen 1.4TB of data, and architecture firm Sheppard Robson was faced with a hefty ransom demand, more stolen data and a significant period of downtime. Umbrella companies Brookson and Parasol were hit with a two-pronged attack, and it took weeks to restore systems whilst thousands of workers were left without wages. Housing purchases were unable to complete when Simplify Group suffered an attack during which personal information was stolen. There are many other examples.


The criminal ecosystem

Cybercrime is an organised and sophisticated business with structured personnel, run by professionals. Ransomware gangs have team leaders, malware developers, data miners and more: individuals and teams working together on cases like a legitimate business, and all over the world too. Russia is a hotspot for cyber gangs, but we’ve seen operations running from all corners of the globe.

While cybercrime has a far greater geographical reach and speed of execution, it also has many similarities in organisational structure to more traditional criminal gangs. However, it also has one major advantage. Its sophistication makes it extremely difficult for authorities to trace the perpetrators and originators of any cyberattack.

One interesting study compared cocaine trafficking in the 1990s with modern day ransomware. Profitability was similar, with both earning over 90% profit per unit. However, cocaine trafficking resulted in 1 arrest per 2 kilos, and 1 death per 4 kilos. The chances of a ransomware arrest are almost non-existent, a trafficker being 625 times more likely to get arrested. And no ransomware attacker gets killed.

The ransomware gangs have names, and some analysts even produce league tables with an assessment of market shares. In the second half of 2022, one assessment showed BlackCat in the lead with responsibility for around 15% of the ransomware attacks globally. Hive had the next largest share at 13.5% having ‘earned’ their place by attacking hospitals without question (some groups claim to shy away from certain sectors to operate more “ethically”). Other names such as Black Basta, Dark Angels, Phobos and Vice Society are said to hold between 3% and 6% of the market, the latter being responsible for attacks on UK schools. Previous leaders such as REvil, Conti, LockBit and DarkSide are likely to have morphed into new structures.

One of the most notable developments over the last few years has been the rise of Ransomware as a Service (RaaS), a business model not dissimilar to Software as a Service (SaaS). RaaS changed the face of cybercrime. A cybercriminal no longer needs to be a “techie”, as they can simply purchase ready-to-go ransomware. It has added a new layer to the structure of cybercrime.

Ransomware operators develop ransomware which is sold to affiliates via websites on the dark web, marketing and packaging it for sale in a manner similar to businesses that trade legitimately. They engage in marketing campaigns, publish user reviews, and provide service guarantees as well as after-sales support. Unsatisfied with the service? Suppliers offer your money back. Levels of sophistication range from subscription models to portals that allow affiliates to track the status of an infection.

This allows individuals in any country to get involved in the criminal activity. Often they operate as lead generators: having gained access to a business, they pass the opportunity on to more sophisticated players to exploit in return for a cut of the profits.

A recent report on ransomware trends published jointly by the UK, US and Australian cybersecurity authorities noted that the National Cyber Security Centre has even come across gangs who purport to offer a 24/7 help centre to victims to expedite ransom payments and restore encrypted data.

Double extortion

The consequences of ransomware can be devastating for its victims, as once inside an organisation’s IT system it enables data, files and systems to be encrypted, with payments being demanded in exchange for the decryption key. Business is brought to an abrupt halt. We find that backups are rarely configured in a way which will survive a ransomware attack. The overwhelming majority of ransomware attacks now also involve data exfiltration. The criminals first steal your confidential and sensitive data before encrypting it, adding another level of risk. This particular type of attack, sometimes called the Double Extortion technique, means that not only can a demand be made to decrypt data, but a release to the public of stolen data will be threatened unless a further ransom demand is met. Gangs have websites and PR machines which support their threats to highlight their successful attacks and publish stolen data.

In the past, some ransomware gangs focused on bigger, national targets. Now, some of them have become wary of the attention of law enforcement agencies (who save most of their resources for large infrastructure attacks) and have shifted their focus to small and medium-sized organisations. These can be particularly vulnerable to attack, because they often rely solely on their external IT support companies and therefore do not have the right protections in place.

One estimate shows that professional services suffered around 20% of ransomware attacks in 2022, making it the worst affected sector. Cybercriminals know that firms have a duty to keep their clients’ affairs confidential, are working to deadlines, and that prolonged downtime can be disastrous. As a consequence, they can be more likely to pay ransom demands (which can range from tens of thousands to many millions of dollars).

It is, however, worth bearing in mind the stance of the Information Commissioner’s Office (ICO) and the National Cyber Security Centre on this. In a joint letter issued in summer 2022 to the legal profession, the two bodies made it clear that payment of a ransom will not protect stolen data or result in a lower penalty from the ICO if an investigation follows. Furthermore, remember you’re dealing with criminals: payment offers no guarantee of decryption, of the return of stolen data, or of protection against re-extortion a few weeks down the line.

An evolving threat requires professional defence

Cyberattacks shut down organisations and are now one of the most serious threats to any business. They should be at the top of your risk register. Attackers and the techniques they use are sophisticated and ever evolving, and defending against them is complex. Small and medium-sized professional services firms are particularly vulnerable. When you have professional criminals attacking your organisation, you need professionals defending you.


About Mitigo:

We have partnered with Mitigo to offer cybersecurity risk management services with exclusive discounts for our Evolve members.

Find out more about Mitigo’s cybersecurity services.

For more information contact them on 0131 564 3131 or email icas@mitigogroup.com
