Latest news with #LockBit


Techday NZ
a day ago
- Business
- Techday NZ
Emerging cyber threats for 2025 target healthcare & industry
New research from Secureframe has identified the five most significant emerging cyber threats for 2025, focusing on the risks posed to critical sectors including healthcare, infrastructure, and small and medium-sized businesses.

The report by Secureframe analyses recent high-profile breaches along with global threat trends and highlights an environment increasingly shaped by AI-driven attacks, organised cybercrime groups, and the rapid exploitation of newly discovered vulnerabilities.

Rising threats across sectors

Findings within the report indicate ransomware attacks on industrial operators grew by 46% in the first quarter of 2025 alone. Healthcare breach costs have reached an average of USD $5.3 million per incident, marking a 25% increase above the next closest industry. AI-driven criminal tools are enabling the widespread use of advanced phishing schemes, deepfakes, and malware that adapts to targets in real-time.

Supply chain vulnerabilities are also being targeted more frequently by cybercriminals, with third-party vendor breaches now a primary vector for large-scale attacks. One cited example was the collapse of the 158-year-old KNP Logistics due to a ransomware incident, underscoring the real-world impact on businesses of all sizes.

Organised cybercrime syndicates

The report lists organised criminal networks as the number one threat, noting that these groups are expanding their activities through tools such as automation and ransomware-as-a-service platforms. LockBit is highlighted as an active player despite international efforts to dismantle such organisations, while new groups, including Interlock, are emerging to mimic these operations.

AI-powered attacks

Attackers are leveraging generative AI to craft realistic phishing lures, create deepfakes, and generate malware that adapts in real-time. In one case, AI-generated content helped defraud over 500,000 investors in the JuicyFields scam. Such developments signify a shift in the sophistication of cyber threats, demanding equally advanced detection and response capabilities.

Advanced persistent threats

Nation-state actors are intensifying long-term, covert attacks primarily targeting energy providers and defence contractors. Groups such as APT33 and APT39 were particularly active across North America and Europe in 2025, with campaigns designed to evade traditional security measures for months at a time.

Zero-day vulnerabilities

The research outlines that previously unknown and unpatched weaknesses are being exploited at a record pace. An example in 2025 was a critical flaw in Microsoft SharePoint (CVE-2025-53770) which was actively targeted globally before vendors released a remedy.

Software supply chain attacks

Third-party software platforms are being leveraged as a point of entry for cyberattacks against broader enterprise ecosystems. Secureframe notes that attacks involving compromised SAP SuccessFactors providers resulted in breaches extending into sectors from healthcare to consumer goods.

Industry-specific warnings

The healthcare sector is seen as especially vulnerable. The report states: "With 92% of organizations reporting attacks in 2024, the sector must prioritize HIPAA-compliant training and secure offline backups."

Critical infrastructure operators in the defence and energy fields are advised to implement the NIST 800-172 and CMMC 2.0 frameworks to respond to escalating threats from nation-state actors. Financial services continue to face risks associated with investment fraud and business email compromise, prompted by increasingly refined social engineering attacks.

Mitigation strategies

Secureframe's report includes a recommended 10-step cybersecurity playbook designed to align with NIST CSF 2.0 and ISO 27001 standards. Suggested actions consist of emergency patching, multi-factor authentication enforcement, privileged account monitoring, third-party vendor assessments, continuous threat detection, and regular employee phishing simulations and tabletop crisis exercises.

Methodology

The findings were generated through the examination of cybersecurity incidents across multiple industries, using case studies of attacks on healthcare organisations, infrastructure systems, and large corporations during 2024 and 2025.


Forbes
31-07-2025
- Business
- Forbes
Hackers Threaten To Publish 3.5 TB Of Stolen Data In 24 Hours
There are two cybersecurity threats that we seem unable to escape from of late: ransomware and data breaches. A recent analysis of more than 1,297 breaches revealed that data breaches increasingly drive ransomware attacks. Although there is the odd anomaly, such as the cybercriminals who threaten to permanently destroy data, the vast majority of ransomware attacks are now more focused on stealing data and using it to extort the victims than ever.

"Ransomware tactics continue to evolve, with the growing shift toward extortion over encryption as a clear example," Deepen Desai, Cybersecurity executive vice president at Zscaler, told me just this week. If you want an example of this, look no further than the Safepay ransomware hackers who have given Ingram Micro until August 1 to pay a ransom or face the publication, the group says, of 3.5 TB of stolen data. Here's what you need to know.

Safepay Hackers Threaten To Publish 3.5 TB Of Allegedly Stolen Ingram Micro Data

Safepay is a group of ransomware hackers that first burst onto the cybercrime scene in 2024, successfully targeting at least 20 organizations. It has been reported that the group appears to 'share a lot of similarities with the LockBit ransomware family,' and, as such, could be a splinter group or rebranding of the notorious threat actors. What is much clearer, however, is that like most modern ransomware threats, Safepay favors double extortion involving not only encrypting systems but holding stolen data to ransom.

On July 5, Ingram Micro, a global information technology services giant, confirmed that it had been a victim of a ransomware attack. Stating that it had 'recently identified ransomware on certain of its internal systems,' Ingram Micro said it had taken 'steps to secure the relevant environment, including proactively taking certain systems offline and implementing other mitigation measures.'

What has been less clear, however, is what, if any, data was stolen during this attack. Updates from the company have said that it is continuing to investigate 'the scope of the incident and affected data,' but had not responded to my request for a further statement at the time of publication.

The Safepay hackers claiming responsibility, however, have been more vocal. It has now been reported that the ransomware actors have a countdown clock running on their data leak site that gives August 1 as the deadline before 3.5 TB of alleged Ingram Micro stolen data will be published.

"This is a tactic threat actors use to place more pressure on victims, hoping to encourage them into paying," Peter King, principal consultant at Acumen Cyber said, adding that "given the notice is still up on Safepay's leak site, this suggests Ingram Micro hasn't opted to pay."

"Organizations can protect against SafePay and similar types of ransomware attacks by placing strict access controls on their systems, strong authentication like multi-factor authentication," Chris Hauk, a consumer privacy champion at Pixel Privacy, advised, "monitoring for newly discovered vulnerabilities, and implementing secure VPN connections to provide remote access."

This is a developing story, and I will update it as more information, from the hackers or Ingram Micro, is forthcoming.


Techday NZ
29-07-2025
- Business
- Techday NZ
Ransomware threats rise, attackers adopt quadruple extortion
A new cybersecurity report highlights the increasing complexity and destructiveness of ransomware attacks targeting businesses and organisations in 2025, with attackers employing advanced extortion tactics and expanding their methods.

Akamai has released a qualitative research report entitled "Building resilience amid a volatile threat landscape," which provides an analysis of the operations of prolific ransomware groups such as BlackCat/ALPHV, LockBit, Clop, and RansomedVC. The report explores how these groups have adapted their strategies in response to technological advancements and recent regulatory developments in the UK and elsewhere.

Quadruple extortion

The report identifies the emergence of quadruple extortion as a growing trend among cybercriminals. Traditionally, ransomware attacks followed a double extortion model, where attackers encrypted a victim's data and threatened to leak it publicly if a ransom was not paid. The new quadruple extortion tactics combine encryption with distributed denial-of-service (DDoS) attacks, public harassment, and threats of regulatory exposure, increasing the pressure on targeted organisations.

"Ransomware threats today aren't just about encryption anymore. Attackers are using stolen data, public exposure, and service outages to increase the pressure on victims. These methods are turning cyberattacks into full-blown business crises, and are forcing companies to rethink how they prepare and respond," said Steve Winterfeld, Advisory CISO at Akamai.

The sophistication of ransomware groups has been enabled in part by affiliate models, which allow individuals with varying technical abilities to participate in large-scale campaigns. The research found that ideological motivations are also playing a greater role, with some groups driven by political or social causes in addition to financial gain. This complicates the attribution of attacks and presents new challenges for defenders.

GenAI and social engineering

Another major development highlighted by Akamai is the use of generative artificial intelligence (GenAI) and large language models (LLMs) to automate aspects of ransomware campaigns. The report notes that such technologies are making it easier for less technically skilled individuals to write ransomware code and enhance social engineering tactics. This has contributed to an increase in both the frequency and scale of attacks in the past year.

Hacktivist and ransomware hybrid groups have become more prominent, often utilising ransomware-as-a-service (RaaS) platforms to extend their reach. Dragon RaaS, which emerged in 2024 from the Stormous group, is cited as an example of this trend, having shifted its focus from large corporations to smaller organisations perceived as having weaker security defences.

Impact on nonprofits and education

The report also addresses the issue of cryptominers, which while distinct from ransomware actors, often use similar tactics and target sectors believed to be vulnerable. Akamai researchers found that nearly half of the cryptomining attacks examined targeted nonprofit and educational organisations, likely due to resource limitations in these industries.

In addition, the TrickBot malware family is identified as a major tool for ransomware deployment. Since 2016, TrickBot has been used by ransomware groups globally to extort more than USD $724 million in cryptocurrency from victims. The Akamai Guardicore Hunt Team recently linked this malware to suspicious activity on the systems of several customers.

Regulatory landscape

The report provides an analysis of current legal and regulatory efforts influencing how organisations respond to ransomware incidents. Akamai's Vice President and Chief Privacy Officer, James A. Casey, commented on the need for organisations to adopt comprehensive cybersecurity strategies in light of evolving threats and regulatory requirements.

Casey notes that while existing cybersecurity laws apply to ransomware, specific regulations focus on discouraging ransom payments. He also highlights the importance of robust cybersecurity measures, incident reporting, and risk management, as well as strategies like Zero Trust and microsegmentation, to build resilience against evolving ransomware threats. Casey stresses the necessity for organizations to stay informed and adapt to emerging threats.

The report presents several actionable recommendations for security teams looking to anticipate and counter attacker tactics in 2025. These include staying abreast of the latest threat actor techniques, investing in robust cybersecurity defences such as zero trust and microsegmentation, and ensuring timely incident reporting and risk management strategies are in place.

The detailed findings aim to provide organisations with the information they need to strengthen their resilience against ransomware, as threat actors continue to diversify their motives and approaches in a rapidly changing environment.


Techday NZ
24-07-2025
- Business
- Techday NZ
Q2 2025 ransomware trends analysis: Boom and bust
"Tumultuous times" would be an accurate summary of Q2 2025 where ransomware threat actors are concerned. Rapid7's internal and publicly-available data analysis reveals a dynamic environment where major players come and go, newer groups work their way up the heavy-hitters ladder, and threat actors jostle for top dog status. Plus, there's law enforcement action thrown in there for good measure.

In this article we highlight the key changes we saw represented in the data: shifting alliances, the disappearing act of a dominant force, and how this vanishing trick has led to a major redistribution of ransomware operations.

At a glance

Q2 2025 features many of the threat actors Rapid7 observed in Q1, with the top four leak site post groups quite a ways out in front of the rest. Qilin leads the pack by some distance, with SafePay and Akira in second place, and Play in third position. Lynx and INC Ransom lead the charge in the lower half of the chart, with DragonForce making its first appearance of the year alongside top 10 newcomers such as double extortionists NightSpire.

In Q1 2025, there were 76 active ransomware groups. Out of those, 17 groups became inactive in Q2 2025, meaning they had no recorded leak posts in April, May, or June. These include (but are not limited to): 8base, BianLian, BlackBasta, Cactus, RansomExx, DarkVault, Zerolockersec, and CrazyHunter Team.

There were 65 ransomware groups actively attacking in Q2 2025. While this represents a 14.47% decrease from the previous quarter, our data for the first half of 2025 shows an overall count of 96 unique groups - a 41.18% increase over the 68 we saw in 1H 2024. New ransomware groups active since the start of Q2 include (but are not limited to): KaWa4096, Warlock, Devman, Nova, and Dire Wolf, with 11 net new groups in Q2 2025 in total.

Notably, power player RansomHub - the most prolific operator we observed in 2024, and leading our Q1 2025 top 10 - ceased operations completely at the beginning of April, with the group's infrastructure dropping offline. Affiliates primarily moved to other Ransomware-as-a-Service (RaaS) offerings, such as DragonForce and LockBit. Given that RansomHub affiliates are known for exploiting vulnerabilities to gain initial access, followed by double extortion, this could mean a significant ripple of ransomware distributors moving elsewhere.

Popular targets in Q2: Services, healthcare, technology, legal, and finance were the most targeted industries in Q2 2025. The frontrunner this quarter is services, with 44.4% of posts containing these victims' data. In a distant second place is healthcare (10.6%), followed by technology in third (10.0%). Top regional targets include the United States (66.0%), the UK in second place with just 6.7%, and Canada (6.6%), Germany (4.2%), and Italy (3.2%) taking the other three top spots.

Notable trends

Q2 has seen plenty of infighting between prominent and up-and-coming threat actors, claims of rivals uniting, and major players hit by arrests. It makes sense, then, that affiliates would be in a state of flux, moving from one RaaS group to another, or even holding off altogether until the dust settles. With so many rebrands and launches of newer, more nimble ransomware groups to choose from, expect to see more affiliates striking out in bold new directions.

Infighting sits uneasily next to cooperation in Q2, with some groups trying to facilitate bigger and better infrastructure, leak sites, and features offered to potential affiliates. DragonForce is a prime example, using its ransomware alongside other threat actors taking care of the initial access side of things. As we'll highlight later, DragonForce may have a shaky alliance with what remains of RansomHub - or perhaps it's something else altogether.

In Q1, we took extra care to highlight that our top 10 included two sets of data: groups posting net-new leaks - that is, completely original and never-before-seen leak posts - and those posting reused or repurposed leaks. Well-known threat actors such as FunkSec and LockBit were found to be making use of old leak data, or mixing old data and faked attacks. Adopting new identities and reusing stale data for a quick promotional boost is also something to be wary of when covering ransomware groups and supposed leaks.

For Q2, we've removed threat actors posting old or fake data from the top 10 completely. Q3 will no doubt require the same care and attention when looking to present the most accurate description of ransomware group activity possible.

Ones to watch

For Q2, our ones to watch are a mix of new and established names. Threat actor arrests, hostile inter-group takeovers, innovative affiliate services, and potentially dangerous ransomware outbreaks in healthcare organisations define a frantic few months.

First observed in 2022, Scattered Spider is a threat actor that often combines nation-state-level tradecraft with aggressive social engineering. It continues to take the spotlight in high-profile incidents, even in the midst of arrests potentially tied to the collective. Expert in weaponising corporate environments and behaviours, the group pays careful attention to the human side of corporate targets when sizing up a potential infiltration.

This group is closely tied to social engineering techniques where initial access is concerned. Phishing, SIM swapping, and help desk social engineering are what Scattered Spider excels at, which can make early detection difficult. Large enterprises in industries such as gaming, telecommunications, and cloud computing are known to be attractive propositions to Scattered Spider. However, the group has also branched out into retail, finance, and the aviation sector. It's been speculated that they are the group behind the June 30 cyber attack impacting 5.7 million Qantas airlines customers.

Scattered Spider often partners with RaaS group DragonForce, with the former handling initial access and the latter providing the ransomware; together, they can be a devastating tag team of intrusion and extortion, and one which can lead to confusion between said groups in specific attacks.

We can't currently suggest how much impact recent arrests related to several retailer compromises may have on the threat actor. Suspicion of Computer Misuse Act offences, blackmail, money laundering, and participating in organised crime are not easy charges to shrug off. The "sink or swim" moment for Scattered Spider may already have passed by the time Q3 comes around.

A new entry to our top 10 groups list, DragonForce (also known as "The DragonForce Ransomware Cartel") first came to light with a 2023 attack on the Ohio Lottery, impacting roughly 500,000 individuals with claims of stolen employee and customer data. More recently, a UK retailer, itself a victim of a major attack in April of this year, attributed the compromise to DragonForce. According to the company's chair, the attack, which is expected to impact this year's profits by around $400m, felt like it was intended to "destroy the business." DragonForce is media-savvy and has its own AI generated calling card, occasionally sent directly to BBC journalists to announce what may be new breaches.

To add to the drama surrounding this threat actor, shortly after RansomHub's leak site went offline in late March, it was defaced with a prominent "R.I.P. 3/3/25" message. In April, DragonForce published a "new projects" portal on their own leak site linking back to that message - and explicitly invited RansomHub to join their newly branded "Ransomware Cartel." Analysts widely interpret this as a hostile takeover; DragonForce also publicly declared on the RAMP dark-web forum that RansomHub had "decided to move to our infrastructure."

The result is a tangled and dramatic subplot that seems to reflect DragonForce's strategic push to absorb affiliates and expand its footprint. A messy, convoluted tale with no clear narrative, but perhaps that's exactly what an up-and-coming threat actor with a view to expansion wants.

In our Q1 2025 ransomware blog, Qilin came fourth in our top 10 list once non-net-new leak posts were excluded. We did say this threat actor was one to watch, and sure enough, Qilin is top of the list once similar non-net-new exclusions are applied. Qilin, working its way through healthcare, financial, and manufacturing businesses since 2022, has had a dramatic few months since we last referenced its activities.

Once more we return to the now-defunct RansomHub, because though absent, the shadow of its presence looms large; even with the increase in leak posts from Qilin in Q2, it would likely have remained in second place behind RansomHub's prolific output. With the behemoth out of the way, this is now Qilin's time to shine.

In June, it was revealed that Qilin added a "call a lawyer" feature to its affiliate panel. Said lawyer is supposed to be able to assist with ransom negotiations, stolen data assessment, and potential breaking of laws by victims post-compromise. Doubt has been cast with regard to how useful this service would actually be, and an argument could be made that it does sound like something largely designed to attract more affiliates. New, flashy services and features help to put a RaaS offering a cut above the rest, which is surely something Qilin operators have considered when adding this new service.

By the same token, sometimes publicity and making headlines can have the opposite effect where attracting affiliates is concerned. It was recently confirmed that a large-scale ransomware attack on one of the NHS's suppliers in 2024 was a contributory factor - among several others - to the death of a patient. In total, 170 patients suffered "low harm" impact as a result of the Qilin-attributed attack on Synnovis. With Qilin responsible for other attacks in the healthcare industry, it remains to be seen if the threat actor's "we don't care" attitude proves a little too rich for would-be affiliates.

As with Q1, RaaS and double extortion are overwhelmingly favoured by the majority of threat actors in our top 10. The volume of leak posts over Q2 is high, with both never-before-seen leaks and rehashed data adding to the total. Additionally, some groups are making use of stealer logs and Initial Access Broker (IAB) forums which provide credentials for the first point of entry into a compromised network.

The risk-reward line in the sand is perhaps making some groups become a little greedy in the rush to snap up new and potentially floating affiliates. Relaxing entry requirements for affiliate schemes, as DragonForce and Cicada3301 have done, may well lower the barrier to entry for wannabes. Considering how quickly rival groups will go to war with one another over actual or perceived slights, it seems risky to simply hope that new affiliates will play by the rules - or not get themselves caught and expose the inner workings of an operation. In the worst case scenario, a new affiliate not subject to stringent checks could turn out to be a security researcher, law enforcement, or even someone from a rival threat actor. As we said: risk-reward.

Recommendations

In our Q1 2025 post, we highlighted "Five things you can do now" to secure your organisation against the ever-present threat of ransomware-centric compromise. Effective multi-factor authentication (MFA) deployment, continuous patch management, and attack surface investigation are all great ways to set about tackling the ransomware scourge. But what can you do when your attacker is a specific threat actor, such as Scattered Spider?

Lock down the help desk: Help desk scams are an important part of Scattered Spider's intrusion techniques. Employee data scraped from LinkedIn profiles, combined with a lack of security precautions from the employer, often hands Scattered Spider a first rung on the compromise ladder. Train help desk staff to recognise common social engineering techniques, especially around quick "emergency" resets, and enforce strict verification for password and MFA resets. High-privilege accounts may require multi-factor or even multi-person approvals, especially for out-of-band or urgent sounding reset requests. Place limits on how many support staffers can reset admin-level accounts, and ensure all such actions are logged with management.

Deploy and secure your MFA: Phishing-resistant MFA is crucial for users, especially administrators. For example, the latter in particular should not be using easily compromised SMS messaging for authentication codes, as this is a form of authentication notorious for being hijacked with fake help desk calls. App-based OTP with number matching, or FIDO2 security keys, would be better options here. As Scattered Spider is known to deploy MFA fatigue techniques, countering this with the limiting of push attempts or number matching should be viewed as an important, if not essential, tool for warding off Scattered Spider attacks. No matter which form your MFA takes, quick detection of newly added devices or unusual IP activity can help a security team to prevent further pivots from the attacker.

Revisit your identity hygiene and least privilege: With compromised credentials being such an important part of Scattered Spider's tactics, it makes sense to keep business-critical accounts from everyday activities. High-privilege tasks should be performed by unique accounts, with just-in-time elevation applied to said accounts so that even a compromise cannot lead to immediate escalation without an approval request.

Tighten cloud security and monitoring: Scattered Spider's deep understanding of cloud environments, using Amazon Web Services (AWS) Systems Manager Session Manager, EC2 Serial Console, and Identity and Access Management (IAM) role enumeration to pivot and persist within cloud infrastructure, spells trouble for organisations with insecure cloud environments. Ensure cloud management pathways are locked down, and restrict the use of Systems Manager Session Manager and the EC2 Serial Console to authorised admin users only in AWS. Enable alerts if these features are used by new users or unusual IP addresses. Monitor cloud audit logs for AWS (CloudTrail) and Microsoft Entra ID for any sign of intrusion - this may take the form of IAM role enumeration calls, or unexpected IAM new user creation. Behaviour analytics can help to pinpoint when a low-privilege user suddenly begins performing admin-level actions. Ensure that a compromised Okta/SSO user cannot by itself administer the entire cloud environment by making use of the principle of least privilege.

Enact a backup and response plan: Offline and encrypted backups of critical data, alongside regular testing of restoration plans, will ensure there is no eleventh hour panic should the worst happen. As Scattered Spider wastes no time from initial compromise to full domain/admin takeover, an incident response plan is crucial to quickly and safely lock down a Scattered Spider attack. Rapid invalidation of active sessions and tokens, forced enterprise-wide password resets, and locking down help desk password resets will work wonders here, as will the deployment of your incident response teams.

Take it to the table: Tabletop exercises, which make full use of Scattered Spider's playbook of known tactics, techniques, and procedures (TTPs), should be a part of any scenario intended to determine how much of a Scattered Spider storm your organisation thinks it can weather. Focus on key Scattered Spider techniques, such as a dedicated help desk attack exercise. For example: maybe the attacker has already gained an employee's phone number from LinkedIn, and is attempting a SIM swap social engineering attempt on the help desk technician. Perhaps the attacker has instead compromised the login of the help desk worker via a phishing website, and is looking to create hidden privileged accounts. In this scenario, how would you know the rogue account had been created? What data would you look for to indicate unusual activity, and where would it live? We mentioned multi-person approvals for new account creation up above; what happens if there's no approval required?

Conclusion

The rise of groups such as DragonForce, as well as Qilin's newfound dominance in the face of RansomHub's absence, signals a period of what may be prolonged powerscale rebalancing and affiliate enticement among threat actors. Add to this the uncertain lay of the land with regard to supposed ransomware alliances, and we have a perfect storm of groups working together - yet remaining at odds - while businesses attempt to parse shifting threat actor patterns.

The sheer chaos of this environment means that it's never been more important for organisations to make use of threat intelligence and explore what makes these groups tick. Their willingness to exploit new strains of ransomware and affiliate activity, while also leveraging social engineering, is clear to see. A defence-in-depth approach that covers both detection and response and social engineering training to address the human element is crucial. Maybe it's finally time to dust off that tabletop.
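
The "Tighten cloud security and monitoring" recommendation in the article above, as an added example that is not part of the Rapid7 article: a Python detector that scans CloudTrail records for Session Manager or EC2 Serial Console use by unexpected principals or IP addresses, bursts of IAM enumeration, and IAM user creation by non-admins. The allowlists, thresholds, account ID, user names and log lines are constructed assumptions.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Assumptions for this example; none of these values come from the article.
AUTHORISED_ADMINS = {"arn:aws:iam::111122223333:user/cloud-admin"}
KNOWN_ADMIN_IPS = {"198.51.100.10"}
ENUM_THRESHOLD = 3                   # this many enumeration calls ...
ENUM_WINDOW = timedelta(minutes=5)   # ... inside this window raises a finding

# CloudTrail (eventSource, eventName) pairs for interactive instance access.
REMOTE_ACCESS = {
    ("ssm.amazonaws.com", "StartSession"),
    ("ec2-instance-connect.amazonaws.com", "SendSerialConsoleSSHPublicKey"),
}
IAM_ENUM = {"ListRoles", "ListUsers", "GetRole", "ListAttachedRolePolicies",
            "GetAccountAuthorizationDetails"}

# Constructed sample records, trimmed to the fields the detector reads.
SAMPLE_LOG = """
{"eventTime":"2025-07-01T09:00:05Z","eventSource":"iam.amazonaws.com","eventName":"ListRoles","sourceIPAddress":"203.0.113.45","userIdentity":{"arn":"arn:aws:iam::111122223333:user/helpdesk-07"}}
{"eventTime":"2025-07-01T09:00:20Z","eventSource":"iam.amazonaws.com","eventName":"ListUsers","sourceIPAddress":"203.0.113.45","userIdentity":{"arn":"arn:aws:iam::111122223333:user/helpdesk-07"}}
{"eventTime":"2025-07-01T09:01:10Z","eventSource":"iam.amazonaws.com","eventName":"GetRole","sourceIPAddress":"203.0.113.45","userIdentity":{"arn":"arn:aws:iam::111122223333:user/helpdesk-07"}}
{"eventTime":"2025-07-01T09:03:00Z","eventSource":"iam.amazonaws.com","eventName":"CreateUser","sourceIPAddress":"203.0.113.45","userIdentity":{"arn":"arn:aws:iam::111122223333:user/helpdesk-07"},"requestParameters":{"userName":"svc-backup2"}}
{"eventTime":"2025-07-01T09:04:30Z","eventSource":"ssm.amazonaws.com","eventName":"StartSession","sourceIPAddress":"203.0.113.45","userIdentity":{"arn":"arn:aws:iam::111122223333:user/helpdesk-07"}}
{"eventTime":"2025-07-01T10:00:00Z","eventSource":"ssm.amazonaws.com","eventName":"StartSession","sourceIPAddress":"198.51.100.10","userIdentity":{"arn":"arn:aws:iam::111122223333:user/cloud-admin"}}
{"eventTime":"2025-07-01T11:00:00Z","eventSource":"ec2-instance-connect.amazonaws.com","eventName":"SendSerialConsoleSSHPublicKey","sourceIPAddress":"203.0.113.99","userIdentity":{"arn":"arn:aws:iam::111122223333:user/cloud-admin"}}
"""


def load_events(text):
    """Parse one CloudTrail record per non-empty line (JSON Lines)."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def analyse(events):
    """Return findings, in time order, for the behaviours the article lists."""
    findings = []
    enum_times = defaultdict(list)  # principal ARN -> recent enumeration call times
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        src, name = ev.get("eventSource"), ev.get("eventName")
        arn = ev.get("userIdentity", {}).get("arn", "unknown")
        ip = ev.get("sourceIPAddress", "unknown")
        when = datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        rule, reasons = None, []

        if (src, name) in REMOTE_ACCESS:
            # Session Manager / Serial Console: authorised admins from known IPs only.
            rule = "remote-access"
            if arn not in AUTHORISED_ADMINS:
                reasons.append("principal is not an authorised admin")
            if ip not in KNOWN_ADMIN_IPS:
                reasons.append("unfamiliar source IP")
        elif src == "iam.amazonaws.com" and name == "CreateUser":
            # Unexpected IAM user creation.
            rule = "iam-user-created"
            if arn not in AUTHORISED_ADMINS:
                new_user = (ev.get("requestParameters") or {}).get("userName", "?")
                reasons.append(f"user '{new_user}' created by non-admin principal")
        elif src == "iam.amazonaws.com" and name in IAM_ENUM:
            # Sliding window over enumeration calls; fires once when the threshold is hit.
            rule = "iam-enumeration"
            recent = [t for t in enum_times[arn] if when - t <= ENUM_WINDOW] + [when]
            enum_times[arn] = recent
            if arn not in AUTHORISED_ADMINS and len(recent) == ENUM_THRESHOLD:
                reasons.append(f"{ENUM_THRESHOLD} IAM enumeration calls within {ENUM_WINDOW}")

        if reasons:
            findings.append({"rule": rule, "time": ev["eventTime"], "principal": arn,
                             "ip": ip, "event": name, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyse(load_events(SAMPLE_LOG)):
        print(f["time"], f["rule"], f["principal"], f["ip"], "; ".join(f["reasons"]))
```
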


The Guardian
22-07-2025
- Business
- The Guardian
UK government to ban public bodies from paying ransoms to hackers
The UK government is planning to ban public bodies from paying ransoms to computer hackers, and private companies will be required to inform authorities if they plan to cave into cash demands.

The stance, announced on Tuesday by the Home Office security minister, Dan Jarvis, is intended to send a message to international cybercriminals 'that the UK is united in the fight against ransomware'. It follows crippling ransomware attacks on the British Library in 2023 and NHS hospitals in London last summer.

The government said almost three-quarters of responses to a consultation backed the proposal and that 'public sector bodies and operators of critical national infrastructure, including the NHS, local councils and schools, would be banned from paying ransom demands to criminals'.

Industry estimates suggest ransomware criminals received more than $1bn (£741m) from their victims globally in 2023.

But Alan Woodward, a leading computer security expert at the Surrey Centre for Cyber Security, said UK public authorities are not known to pay ransoms. He said the latest measures appeared aimed at signalling the refusal to pay more clearly to hackers around the world, which include regular offender networks like LockBit and Evil Corp.

'Some of the criminals may not know this and so communicating this could be valuable in that hackers will read that there is no point in attacking,' Woodward said. 'I am not sure it will change anything in practice, but it puts everyone on notice so there can be no confusion.'

Businesses not covered by the ban on public sector ransoms would be required to notify the government of any intent to meet hackers' demands for cash.

The Home Office said: 'The government could then provide those businesses with advice and support, including notifying them if any such payment would risk breaking the law by sending money to sanctioned cybercriminal groups, many of whom are based in Russia.'

Jarvis said he wanted to 'smash the cybercriminal business model'. 'By working in partnership with industry to advance these measures, we are sending a clear signal that the UK is united in the fight against ransomware,' he said.

The consultation documents said: 'This type of crime only works if the potential victims are willing to pay the ransom that the gangs demand. Academic research suggests that criminals operating in this area will assess the level of ransom they can set, and the profit they will expect to make, against the probability that the victim will pay.'

Jonathon Ellison, director of national resilience at the National Cyber Security Centre, said ransomware 'remains a serious and evolving threat, and organisations must not become complacent'.

'These new measures help undermine the criminal ecosystem that is causing harm across our economy,' he said. 'All businesses should strengthen their defences using proven frameworks such as Cyber Essentials and our free Early Warning service, and be prepared to respond to incidents, recover quickly, and maintain continuity if the worst happens.'