Cybersecurity chief warns ‘ransomware as a service’ scam

The online security crowd don’t tend to downplay risk but a presentation by Lindy Cameron, chief of the UK national cybersecurity centre, was sobering nonetheless. The organisation has dealt with more than 2,000 significant incidents since 2016. In the last year it took down more than 700,000 online scams. That’s quite a lot of scammers and a great many scammed, you’d think, even if 80,000 people reported suspicious emails.

These are mind-numbing figures. They seem to suggest that cyberthreats are as prevalent these days as the shoplifter or the pickpocket. Indeed, one of Ms Cameron’s mantras is that cybercrime does not limit itself to big business and its customers. “We say that we worry about the security of hairdressers as much as we worry about the FTSE 100 businesses,” she told an online forum on Friday at the Institute of International and European Affairs in Dublin.

Ms Cameron warned of “ransomware as a service” where unsavoury types offer ransomware variants and commodity listings – such as lists of credentials – for a once-off payment or a share of profits. This off-the-shelf fraud appears to have no limits, paving the way for non-tech gangsters to get in on the greed. “Users buy from developers without the costs and risks of developing it themselves, and that enables actors less experienced in ransomware to acquire tools to conduct their own attacks.”

More sophisticated criminals spend time conducting in-depth reconnaissance on victims, she added. “They will identify your cybersecurity weaknesses that they can exploit. They will use spoofing and spearphishing to masquerade as internal employees to get access to all of the networks they need. They will look for the business-critical files to encrypt and hold hostage. They may identify embarrassing or business sensitive material that they can threaten to leak or sell to others. And they may even research your cyberinsurance policy to see if you are covered to pay ransoms.”