Commercial Question

The evolution of tactics in ransomware and extortion attacks

updated on 17 October 2023


How have the tactics of organised criminal groups evolved over the years? 


In the ever-evolving landscape of cybercrime, ransomware and extortion attacks have surged in popularity. These malicious campaigns, which were once considered fringe threats, have now become a global concern. As they’ve gained notoriety, threat actors have adapted their tactics, continually refining their methods to maximise profits and exploit vulnerabilities. The National Cyber Security Centre (NCSC) and the National Crime Agency (NCA) have produced a white paper, which examines the motivations and groups that are driving the monetisation of ransomware and other extortion attacks.

The evolution of ransomware

Ransomware attacks have come a long way since their inception. Traditionally, these attacks involved the encryption of individual devices with attackers demanding a ransom for the release of decryption keys. However, the landscape shifted dramatically with the emergence of 'big game hunting'. In this new approach, cybercriminals target larger organisations, often those with the potential for more substantial payouts.

These high-profile targets are chosen strategically, aiming to cripple critical business systems and data. Such attacks can lead to significant disruptions and financial losses. In response, many victims are faced with a difficult decision: pay the ransom to restore operations or attempt to recover without the attacker's assistance. Unfortunately, quick payments don’t always guarantee a swift resolution and, even if the ransom is paid, there's no guarantee that the attacker will honour their end of the bargain.

RaaS and the role of affiliates

The emergence of Ransomware as a Service (RaaS) has redefined the ransomware landscape, reshaping the modus operandi of organised crime groups. This model operates on the principle of criminal entrepreneurship, mirroring legitimate business practices more closely than one might expect. Under the RaaS umbrella, cybercriminals have embraced a division of labour, complete with specialised roles and responsibilities, akin to a legitimate business.

RaaS functions as a criminal service provider, offering aspiring cybercriminals, both large and small, access to a suite of illicit tools, services and guidance. It's akin to subscribing to a criminal ecosystem where affiliates, the frontline executors, collaborate with RaaS providers to carry out attacks.

Affiliates play a pivotal role in this ecosystem, acting as the foot soldiers in the cyber extortion battlefield. They’re typically the ones who obtain access to target systems and execute the attacks, not the RaaS group itself. While the core criminal group provides essential resources and infrastructure, it's the affiliates who leverage these assets to compromise systems and demand ransoms.

In some cases, the line between affiliates and the core group blurs, with certain affiliates gaining more prominence and independence. These affiliates may graduate from executing attacks to orchestrating their campaigns, further fuelling the ransomware epidemic. However, it's important to note that the core RaaS group often retains significant control, providing guidance, managing communications and ensuring that the ransom payment process proceeds smoothly.

The financial aspects of RaaS are structured to incentivise affiliates to engage in cyber extortion actively. Affiliates receive a share of the ransom payments, which motivates them to carry out attacks with dedication and persistence. The RaaS group typically takes a smaller percentage of the ransom, reflecting the increasing role and importance of affiliates within the criminal ecosystem.

This model has enabled smaller threat actors to enter the realm of cyber extortion with relative ease, lowering the barriers to entry. It’s democratised ransomware operations, making them accessible to a wider range of individuals and groups. As a result, the threat landscape has expanded, with businesses of all sizes facing the risk of falling victim to these malicious campaigns.

Financial services and anonymity

Converting the cryptocurrency received as ransom into hard currency is a pivotal step for cybercriminals. To achieve this, they rely on various services that 'tumble' or mix cryptocurrency through multiple exchanges, making it challenging to trace the funds. While some cryptocurrency exchanges are legitimate, others have been complicit in assisting ransomware criminals in converting their ill-gotten gains into other currency.

Notably, cryptocurrency plays a central role in ransomware attacks, offering a degree of anonymity and security that traditional currencies can’t match. This aspect of the ransomware business model is critical for the criminal ecosystem. A lack of funds can quickly dismantle criminal enterprises, as seen in the case of the Conti ransomware group. The Conti ransomware group extorted $180 million from its victims in 2021. However, the group imploded in 2022 when it offered its full support to Vladimir Putin's invasion of Ukraine. Following this, analysis of leaked chat data revealed that the leader of the group left in early 2022, taking the majority of the money to pay wages, leading to a temporary disbandment due to a lack of funds.

The legal landscape and regulatory pressure

Ransomware and extortion attacks have also forced nations to re-evaluate their legal frameworks and regulatory approaches. Governments and law enforcement agencies are grappling with the challenge of bringing cybercriminals to justice, especially when they operate across borders. Moreover, the legal obligations of victims have come under scrutiny.

Data leak sites have become a tool for pressuring victims, who may face severe fines under laws such as the UK GDPR and the Data Protection Act 2018. However, paying to prevent data leaks doesn’t necessarily exempt victims from liability if data protection laws are violated. This legal landscape has added another layer of complexity to ransomware negotiations and responses.

Key takeaways:

  • Ransomware attacks have significantly increased since the previous 2017 report, with an estimated 745,000 computer misuse offences last year, and UK businesses remaining a valuable target for attacks.
  • Smaller threat actors have become an increased threat to businesses due to the increased ease of access to ransomware tools creating fewer barriers to entry.
  • One of the most significant risks has been the increased focus from criminals on maximising payouts by combining data theft with extortion in a bid to increase the pressure on victims to pay out or risk potential reputational damage.
  • Often the initial access is gained not due to sophisticated techniques, but instead as a result of poor cyber hygiene.


The evolution of tactics in ransomware and extortion attacks has mirrored the growing popularity of these cyber threats. What once started as simple encryption schemes has transformed into a complex criminal ecosystem driven by organised groups and affiliates. The rise of RaaS has democratised cybercrime, making it more accessible to a wider range of criminals. Cryptocurrency remains at the heart of the ransomware business model, providing anonymity and security.

The legal and regulatory landscape surrounding ransomware and extortion is evolving as governments seek to combat these threats. Victims must navigate a complex terrain, balancing the demands of cybercriminals with legal obligations. As these attacks continue to adapt and evolve, it's essential for organisations to prioritise cybersecurity measures, including robust backup strategies and employee training to protect against the ever-changing tactics of organised criminal groups in the digital age.

Nicci Da Costa is a trainee solicitor at RPC.