Supplementary evidence submitted by the National Crime Agency
I would like to respond to the Committee’s request for more information in relation to previous evidence given by NCA to the ransomware inquiry. This evidence is complimentary to oral evidence provided both on 19th June and in writing on 28th July this year by myself and Director General Graeme Biggar.
I understand the Committee would like confirmation of whether the three main trends outlined in our evidence remain current as we approach the end of 2023 and submit the following in response.
Number of Reported Attacks
In our oral evidence we stated the number of attacks had not changed very significantly in scale of the past three years. Following Russia’s invasion of Ukraine, we saw a slight decrease but this appeared to have returned to levels seen in 2021. Since then, however, we and our partners have seen a steady increase of ransomware incidents; although it remains to be seen if this trend will continue in 2023. Based on reporting from publicly available sources, our assessment is it is likely that overall ransomware incidents for 2023 will return to the levels seen in 2021. Similarly, it is likely that the number of incidents impacting UK victims will also increase in 2023, again reaching the levels seen in 2021. The reasons for these increases are difficult to identify at present as the number of incidents will often fluctuate without a specific cause, however two large scale exploitation of software vulnerabilities in the first half of 2023, namely GoAnywhere and MOVEit, are likely to have led to increased reports of ransomware incidents. The MOVEit exploit initially impacted up 130 organisations and the extraction of the personal information of around sixteen million individuals globally, reflecting the scale of impact a specific breach can have on the overall number of incidents.
Reduced Targeting of Critical National Infrastructure
We stated there was a trend of predominantly Russian speaking and Russia-based ransomware groups moving away from targeting Critical National Infrastructure (CNI) in favour of attacking other sectors, including small and medium-sized enterprises. We assessed this was because they are less likely to have the weight of law enforcement and the intelligence community descend on them in response. Several months on, this trend remains broadly consistent as ransomware attacks against UK CNI continue in 2023, though it is difficult to confirm if these attacks are targeted or due to the opportunistic nature of the threat. While the majority of the ransomware attacks are not targeted against specific victims, the increasing ease with which criminals are able to undertake attacks and the increased attacks reported in 2023 is likely to have increased the overall risk to CNI. Similarly, supply chain attacks, as demonstrated by the GoAnywhere and MOVEit incidents, show the increase risk to CNI as unintended or secondary targets of an attack through the relationship they have with the service provider who has been impacted.
Reduced Threshold for Entry into Ransomware
In our oral evidence we stated there was an evolving trend of the use of ‘Ransomware as a Service’ (RaaS) whereby ransomware services are hired out using a series of tools for hire which has subsequently lowered the bar for entry into ransomware. RaaS continues to be a key and frequently used tool employed by ransomware actors and we are now seeing competition between RaaS groups as more groups opt to employ this method of attack. While other methodologies are employed, RaaS will likely continue as the method of choice as it enables less skilled actors to purchase ready to deploy packages in an accessible format. These packages, usually advertised through dark web marketplaces and forums, can be highly sophisticated providing access to very capable malware alongside support services to aid affiliates in launching attacks and managing victim engagement post incident.
Rob Jones, DG Operations
Graeme Biggar. Director General
16 October 2023
2 of 2
