The State of Cybercrime

2025-07-01

An Interview with the UK National Crime Agency

Cybercrime, particularly ransomware, is evolving fast—from encrypted extortion to AI-driven attacks. I spoke with William Lyne, head of cyber intelligence at the UK’s National Crime Agency (NCA), about what’s changing, what isn’t, and how we can all stay ahead.

Hi William, thanks for joining me. What’s your role, first of all?

My substantive role is head of cyber intelligence at the NCA, working as part of the National Cyber Crime Unit (NCCU). Within the NCCU, the focus is on cyber-dependent crime—offenses you can only commit using a computer.

The NCCU is a mixture of investigators, intelligence officers, data scientists, and people with other technical capabilities. We’re predominantly a counterthreat organization. We deliver operations to disrupt the cybercrime threat impacting our communities.

What does cybercrime look like these days? Where is it coming from?

We come at it from the perspective of the online cybercrime ecosystem, or “underground,” as some call it. That’s where you have threat actors coming together with online capabilities. Some are leveraging capabilities to deliver ransomware operations. With others, you can see a crossover into fraud and other types of online offending.

People like to think about cybercrime groups like the mafia, but that’s probably atypical. It’s more likely they work as a loose affiliation of people. Max Smeets recently said that most cybercrime groups resemble badly run, chaotic tech startups. I agree, to an extent—there’s a spectrum. Some will be more organized, and some traditional, longer-standing crime groups do have a slightly more vertically integrated structure. But they all tend to be quite steady and are slow adopters of new and emerging technologies. They’ll only really change what they’re doing if an opportunity comes along to make more money or if the current business model they’re employing—or technique they’re using—becomes less profitable than it did in the past.

Our strategy is to go after that ecosystem, after the things that support and enable cybercrime business models—particularly ransomware and cross-threat enablers.

Back in 2023, for example, we were involved in the disruption of Genesis Market. That was a significant marketplace where threat actors were buying access to victims for use in ransomware operations, as well as fraud and the rest. We were proactive in going after the threat. Reactively chasing victims and victimization can be quite difficult.

What’s changing in the ecosystem?

Many of the vectors that cybercriminals use to attempt to victimize people are the same things they’ve done for many, many years. Email phishing and spamming are still common.

But we see two interconnected trends. First, you no longer need to be really technically proficient. In the past, we’ve associated cyber-dependent crime with Russian-speaking groups, but that’s no longer the case.

Second, when I started out 15 years ago, the tools and capabilities you could buy were relatively limited. Things like DDoS—relatively low-level, easy-to-mitigate tools—were available for sale. But now, you can gain access, freely or relatively cheaply, to sophisticated cyber tools and capabilities that can cause significant damage. You no longer need a reputation or history of operating within certain marketplaces or forums. So, that barrier is lowered as well, which proliferates cyber tools and capabilities within that ecosystem.

That’s the difference. Overall, you no longer need significant amounts of money or credibility to build a cybercrime operation like you did in the past.

Is ransomware still the biggest game in town?

Ransomware is our priority. It’s the most significant cybercrime and cybersecurity threat to the UK. It’s one of the threats that the public and organizations are most likely to encounter.

There’s a misconception that ransomware is “big game hunting”—that cybercriminal groups are deliberately targeting large organizations in attacks. But in reality, they triage. They buy bulk access from brokers or marketplaces, then do cursory research to identify ones to prioritize.

Just because you don’t see yourself as an enticing target doesn’t protect you from the threat. Recent Coveware statistics show that the most common ransomware victim is a small- to medium-sized enterprise, not a big multinational company.

If you have a significant online footprint—and almost every business is IT-dependent in one way or another—you are a potential victim. This isn’t something you can assume will pass you by.

Ransomware has evolved and diversified in terms of how threat actors extort funds from victims. We had traditional ransomware, which was just encryption. Then we had double extortion—encryption plus data exfiltration. Now, in many cases, victims have good backups, so it’s encryptionless, or data exfiltration and extortion only.

You can deploy exfiltration quicker—encryption can be hard to obtain and tricky to configure. People pay because they don’t want to appear on the data leak site. If exfiltration doesn’t work, you just move on to the next victim.

We’ve seen ransomware payment rates decrease, which is positive—obviously, there’s still victim harm and impact, but it could mean that attackers are taking less time to try to extort a victim; they might just move on to the next.

Cadence becomes the lever to generate more money. The level of vulnerability exists in a relatively unsaturated market—threat actors don’t suffer a shortage of access to victims. That fosters collaboration as opposed to competition, and it also fuels that steady state.

What’s making it more complicated? Software supply chain security is clearly very important, and we’re now seeing a wave of business supply chain risk.

Businesses no longer operate as islands; they’re interdependent. They interact with other businesses, other industries, and other sectors. And we’re seeing a collision of the cybercrime ecosystem with the business ecosystem.

Organizations are exposed to significant supply chain vulnerabilities. As we live in an increasingly technologically enabled, interconnected world, it feels like that attack surface—or opportunity for criminals—gets bigger all the time.

Shall we talk about AI? AI gives you two things. First, it further reduces the threshold of effort when you use AI to code an attack. And second, you can scale much faster.

AI increases efficiency across different steps within cybercrime. It can enhance your phishing messages. It can help automate the command and control of your victims. It can help in many ways with AI-generated coding or improving code.

We’re seeing that now. It hasn’t turned the cybercrime business model on its head, but it’s interesting to think about how that might happen. We could see the adoption of AI in ransomware operations. Ransomware-as-a-service offerings could start to include commoditized AI capabilities at some point.

That would unlock new capabilities that threat actors will look to exploit. We need to get our crystal ball out a little to think of what those may be.

Are ransomware attacks targeting old infrastructure and databases, or is it all about new stuff and new interfaces?

That’s a good question. We do see a big range. Some ransomware groups are purchasing zero-day exploits and using them. But I’d say most ransomware groups are going after victims with unpatched, vulnerable internet-facing infrastructure.

Strategically, resilience is really important. That’s a major theme in the National Cyber Strategy—we need to improve our resilience to mitigate against a range of online threats, of which cybercrime and ransomware are just one part. Employing MFA is an example of how the public and organizations can seek to protect themselves.

So, patching, training, and MFA? What else would you say to help organizations?

I’m not a cybersecurity expert per se, but those are not bad places to start. We often point to the guidance available in the UK, such as the NCSC guidance on how victims can protect themselves. Cyber Essentials is a fantastic initiative. Doing the basics well will protect you from a significant amount of the threat.

I understand that properly protecting yourself is hard. If you’re part of a big organization, it’s complex to implement. If you’re a small- to medium-sized enterprise, it’s just hard in general, with budgets and maybe limited expertise on the team.

But ransomware remains largely opportunistic. These groups often utilize relatively low-sophistication tools and techniques to gain initial access to victims. They’re exploiting vulnerable internet-facing infrastructure, for example—password reuse, credential replay, whatever it might be.

I was on a panel at InfoSecurity, and fellow panellist Jen Ellis had some great advice: it’s better to think of resilience as a journey. “Start with one thing that is manageable and realistic,” she said. “Then, decide on the next. It’s OK—practical even—to take it a piece at a time. We don’t expect kids to run before they’ve learnt to crawl.”

Are we just going to be in a coping strategy situation for the next 20 years? Or are there any lights you can see at the end of any tunnels?

We’re a counterthreat organization. I think we’ve demonstrated, with some successes over the recent years, that we can be really impactful—like the disruption of LockBit, operations against EvilCorp, or the takedown of access marketplaces.

You need to do all these things collaboratively. There’s some great activity going on right now, led by European partners, called Operation Endgame—they’re going after info-stealers, marketplaces, all sorts. It’s a brilliant activity.

Operationally, I was reading an article saying that law enforcement is having a strategic impact against the ransomware threat. We have really joined up our public and private sector partners, both nationally and internationally.

At the NCA, we’re lucky to have brilliant relationships, and that joined-up, shared interest and shared strategy is bearing some significant fruit. So yes, I think we are making progress.

The UK government has developed policy proposals as part of the Counter Ransomware Initiative. There’s a diversity of thought and opinion in the community around those, but I’d encourage people to have a look. It’s brilliant that the UK is taking the lead.

Counterthreat operations and operational success are also great communications hooks for delivering protection and resilience messaging to the public. For example, through the LockBit activity, we were able to demonstrate that when people paid to have stolen data deleted, it was never actually deleted. Just demonstrating to victims “you can’t trust these threat actors” is useful.

The work you’re doing is worth publicizing—communicating the successes is as important as telling people what will go wrong.

For us, it’s about conveying those things. Do the basics really well; that’s fundamental. There are steps you can take; you are not helpless as a potential victim in this space.

At the same time, it’s not just up to individuals—it’s for all of us in the community. We all want the same: to counter the threat and protect potential victims. So we all have a role to play, in many respects.

Let’s go with that—lovely to speak to you, Will.

Thank you!