
CyberSight 360: How do we tackle the ransomware problem?


The answer might just be "us".

From “humble” beginnings, ransomware has evolved rapidly in tactics, scale and organisational structure. It is now a billion-dollar enterprise and predicted to cost US$265 billion annually by 2031.

But how did ransomware evolve to the sophisticated system we see today? And more importantly, how can we fundamentally address the ransomware problem so that disrupting ransomware groups has a lasting impact?

The answer might just lie in our own ability to safeguard our networks by preventing initial access by threat actors.

Addressing the ransomware problem

In the last few years, two key responses have been implemented globally to address ransomware:

  • More offensive measures involving international collaboration; and
  • Legislative measures, with countries introducing mandatory ransomware payment reporting obligations and continuing to float the idea of banning ransom payments.

Disruption of ransomware groups

Ransomware groups have always adapted their tactics to respond to law enforcement activity, government regulation and enhanced user awareness.

In the past year, however, we have seen various multinational coordinated operations against cyber criminals, with a particular focus on disrupting and dismantling criminal infrastructures responsible for cyber crimes worldwide. Many of these operations were the first of their kind, including a pivot in focus towards ransomware-as-a-service models, which reflects the trend of ransomware groups relying on affiliates to carry out cyber attacks.

Operation Cronos: disruption of LockBit

The most noteworthy law enforcement actions in the last year involved the disruption of LockBit and ALPHV, which have been behind some of the most harmful ransomware attacks in the past.

LockBit has been described as "the world's most harmful ransomware", operating as a RaaS provider that provides the platform, infrastructure and tools for other threat actors or affiliates to carry out ransomware attacks. According to Zscaler's Ransomware Report, LockBit accounted for 22.1% of ransomware attacks in 2023 to 2024.

In 2024, LockBit was the subject of an international investigation led by Europol, Operation Cronos, involving law enforcement agencies from 10 countries. Despite this, LockBit has proven more defiant and resilient. Within days, LockBit was attempting to make a comeback by restoring its servers with new domains, highlighting the difficulty of permanently ending ransomware infrastructure and operations.

However, this does not mean that the takedown was ineffective. Operation Cronos provided the National Crime Agency (NCA) and the FBI with valuable insight into LockBit's network and affiliates, revealing that 194 affiliates had used LockBit's services until February 2024. Such intelligence is critical in the continued fight against ransomware operators. Nevertheless, these measures are unlikely to permanently stem the growth of ransomware.

Filling the void: the rise of other ransomware groups

While Operation Cronos sent a clear message to the cyber criminals that even the biggest cyber crime perpetrators can be unmasked and dismantled, the gap left by LockBit (being only one of a number of ransomware groups) has already been filled by other players. Ransomware groups such as RansomHub, Play, and Cl0p have all noticeably incorporated elements of LockBit’s playbook into their own, including a widely observed decrease in dwell times.

Notably, RansomHub (operating as a RaaS) was first observed following the FBI's takedown of ALPHV/BlackCat in December 2023, and capitalised on the disruption to LockBit's activities in February 2024. By the third quarter of 2024, RansomHub had become one of the most prominent ransomware groups, which can be attributed to its aggressive recruitment on underground forums, which led to its absorption of ex-ALPHV and ex-LockBit affiliates.

This shift of power from ransomware operators to affiliates demonstrates how these ransomware groups can pivot and rebound despite significant pressure from law enforcement and major disruptions to their operations. According to Zscaler's 2024 Ransomware Report, ransomware attacks unsurprisingly remain a persistent threat. Australia experienced a 5.8% increase in ransomware attacks from 2023 to 2024, and currently ranks seventh among the nations targeted by ransomware, accounting for approximately 2% of global attacks.

This raises the question of whether the dissolution of ransomware groups is an effective enforcement method and whether a different approach should be considered.

Operation Endgame

On 30 May 2024 the FBI announced Operation Endgame, "a multinational coordinated cyber operation by the United States, Denmark, France, Germany, the Netherlands, and the United Kingdom, with assistance from Europol and Eurojust, to dismantle criminal infrastructure responsible for hundreds of millions of dollars in damages worldwide". This operation focuses on disrupting "dropper" criminal services by arresting high-value targets, taking down infrastructure and freezing illegal proceeds, resulting in the takedown of dropper malware infrastructure that facilitated attacks with ransomware and other malicious software, including IcedID, SystemBC, Pikabot, Smokeloader and Bumblebee.

As ransomware remains an ongoing threat, collaboration between international law enforcement agencies will continue, with agencies building on their learnings from previous efforts to continue disrupting and taking down ransomware groups. Operation Endgame also shows that law enforcement is targeting malware-as-a-service models. The long-term effectiveness of these enforcement methods, however, remains to be seen.

Legislative measures: mandatory ransomware payment reporting and banning ransom payments

Whilst Australia is yet to ban ransomware payments, this has been considered by the Australian Government and a number of other countries.

Australia's Cyber Security Legislative Package 2024 introduced and passed into law a mandatory reporting obligation requiring entities that meet a specified threshold (annual turnover over AU$3 million, and most responsible entities of critical infrastructure, but excluding State and Commonwealth government entities) to report to the Department of Home Affairs if they make a ransomware or cyber extortion payment of money, or an in-kind benefit, in connection with a cyber security incident. The reporting requirement applies only where a ransomware payment is actually made (not where a demand is made and no payment follows), and was introduced specifically to enhance the Australian Government's understanding of the ransomware threat and of how much is being extorted from Australian businesses through ransomware attacks, so as to enhance law enforcement measures. A failure to comply with this reporting obligation, however, can result in penalties being imposed on the ransomware victim entity.

The UK Government also recently held a public consultation process (from 14 January to 8 April 2025) on three proposals in relation to ransomware:

  • Proposal 1: Targeted ban on ransomware payments for all public sector bodies, including local government, and for owners and operators of Critical National Infrastructure, that are regulated, or that have competent authorities.
  • Proposal 2: Ransomware payment prevention regime which would require any victim of ransomware (organisations and/or individuals not covered by the proposed ban set out in Proposal 1), to engage with authorities and report their intention to make a ransomware payment before paying any money to the criminals responsible.
  • Proposal 3: Ransomware incident reporting regime that could include a threshold-based mandatory reporting requirement for suspected victims of ransomware.

The UK Government is considering a targeted ban on ransomware payments for the public sector and critical infrastructure owners and operators only, which may not apply to individuals and some in the private sector (non-critical infrastructure). It has said: “We [the UK Government] believe that one of the most effective ways of preventing ransomware attacks is to ensure that the criminal gangs looking to target our essential agencies and infrastructure know they will make no money from doing so.”

We have previously written on the issue of criminalising cyber extortion payments and remain of the view that a decision to criminalise or ban the payment of ransoms should not be taken lightly. The current assumption that banning ransom payments will disincentivise cyber crime by striking at the heart of the criminal enterprises severely underestimates the resilience and innovation of cyber criminals. Time and again, when a victim doesn’t pay, cyber criminals simply move on to the next big or easy target, proceeding from victim to victim until a payment is procured, while evolving their tactics to be more sophisticated and the disruption more devastating, thereby increasing the pressure for payment.

The public sector and critical infrastructure owners and operators manage the essential services of a country. Of all sectors, we anticipate that these would require the option of making a ransom or cyber extortion payment in the unfortunate event that a cyber attack gives rise to devastating consequences that justify payment, such as physical injury or loss, or even death.

For this reason, legislative measures may unintentionally punish victims of ransomware and cyber extortion.

What is the fundamental solution to the ransomware problem?

The principal way to fundamentally tackle the ransomware problem and ensure lasting disruption to ransomware groups is to address the enablers of initial access – us.

We cannot prevent ransomware attacks. There will always be opportunistic cyber criminals developing malware and employing it for their financial gain. But ransomware requires initial access to cause damage, and that access is often the result of human error or a failure to fix known technical vulnerabilities. By blocking initial access through multiple layers (locking the door and keeping it sealed across several layers, with effective tools, such that even if one layer is breached the other layers remain in place to prevent initial access) we can keep the malware out of our systems and prevent it from gaining a foothold to enable cyber extortion.

Fortunately, this is within our control with the help of the following measures:

Education, training, and more training.

Social engineering and phishing attacks are a common method by which ransomware groups gain entry to our systems and networks. Ransomware attacks will continue to evolve and increasingly employ generative AI to exploit human error, for example through voice-based phishing using AI voice cloning. Enhancing education and training to minimise or eliminate human error and prevent initial access will therefore be key. This means addressing the psychological element of these attacks: for example, teaching users to be wary of unfamiliar emails; encouraging users to check that emails are legitimate and, if unsure, to report them to IT to be scanned for malicious software; not saving passwords in a web browser; and not using a personal computer for work purposes. Exercising caution with the electronic communication we receive may create delays due to the extra checks and verifications required, but if these measures can reduce, minimise or eliminate the initial access needed for malware to be executed, it will be well worth the effort.

Uplifting cyber resilience by investing in the right tools.

As well as addressing the human factor, preventing initial access will require investing in the right technology tools. Organisations will need to strengthen vendor risk management, continuously update and patch firmware, enforce endpoint detection and response, enforce MFA effectively at all entry points, and continuously monitor their systems to safeguard interconnected networks and ensure operational resilience. They will also need to monitor the threat landscape and be aware of new ransomware groups and their known tactics, which will require investment in cyber threat intelligence and threat hunting. It's not a set and forget; it’s a set and continue to learn and upgrade. Of course, not every organisation is able to afford these measures, particularly small businesses, which is where the role of government will be integral. If governments are serious about taking action against ransomware, more cyber legislation is not necessarily going to resolve the issue; rather, investing in helping every organisation, particularly the more vulnerable or small businesses, to uplift their cyber resilience and prevent initial access by threat actors will be far more effective. Investment might come in the form of grants, or technical assistance to organisations at a discounted rate. Incentivising small businesses to invest in cyber security measures by providing tax relief or tax incentives is another solution worth exploring.

By closing off initial access to our networks at the point of entry by cyber threat actors, we have the potential to shift the balance of power away from ransomware gangs, thereby eliminating the question of whether a cyber ransom can or should be paid.

This article appears in the 2025 edition of CyberSight 360: A legal perspective on cyber security and insurance

All information on this site is of a general nature only and is not intended to be relied upon as, nor to be a substitute for, specific legal professional advice. No responsibility for the loss occasioned to any person acting on or refraining from action as a result of any material published can be accepted.

Key contacts

Jack Boydell, Lawyer

Jeffrey Chung, Lawyer

Rebekah Maxton, Lawyer