The cybercriminal ecosystem: evolution and extortion

The ecosystem in which cybercriminals operate is constantly changing, with cybercrime becoming ever-more sophisticated. Law Society partner Mitigo explores the risks.

Law firms rely on reputation, hold confidential and valuable client information, and handle financial transactions.

This combination makes you the ideal target for cybercriminals who, once inside a firm’s IT systems, will use different tactics to hold a firm to ransom.

The legal profession has seen a worrying number of cyber-attacks in recent years.

One firm was threatened with the publication of confidential documents obtained in a cyber-attack, which the hackers were holding to ransom in a bid to blackmail the firm out of $6 million.

Meanwhile, a listed firm suffered a devastating attack estimated to have cost the firm £5 million, with other far-reaching consequences.

An attack on a group of conveyancing firms, in which personal information was stolen, resulted in extensive disruption to parts of the conveyancing market.

A £98,000 fine by the ICO for one criminal defence firm is another reminder of the potential repercussions that firms can suffer as a result of a ransomware attack.

There are many other examples.

Cybercrime is a dynamic landscape, with the types of attacks and the nature of the operators or gangs involved becoming ever-more sophisticated.

Understanding the ecosystem in which cybercriminals operate is the first step in managing the risks involved.

The criminal ecosystem

Cybercrime is an organised and sophisticated business with structured personnel, run by professionals.

Ransomware gangs have team leaders, malware developers, data miners and more, working together on cases like a legitimate business.

Russia is a hotspot for cybergangs, but we’ve seen operations running from all corners of the globe.

The sophistication of cybercrime operations makes it extremely difficult for authorities to trace the perpetrators and originators of an attack.

One interesting study compared cocaine trafficking in the 1990s with modern day ransomware.

Profitability was similar, with both earning over 90% profit per unit. However, cocaine trafficking resulted in one arrest per two kilos, and one death per four kilos.

The chances of a ransomware arrest are almost non-existent: a trafficker is 625 times more likely to get arrested. And no ransomware attacker gets killed.

Ransomware gangs have names, and some analysts even produce league tables with an assessment of market shares.

In the second half of 2022, one assessment showed BlackCat in the lead with responsibility for around 15% of ransomware attacks globally.

Hive had the next largest share at 13.5%, having ‘earned’ its place by attacking hospitals without hesitation (some groups claim to shy away from certain sectors in order to operate more ‘ethically’).

Other groups such as Black Basta, Dark Angels, Phobos and Vice Society are said to hold between 3% and 6% of the market – the latter being responsible for attacks on UK schools.

Previous leaders such as REvil, Conti, LockBit and DarkSide are likely to have morphed into new structures.

Ransomware as a service

A notable development over the last few years has been the rise of ransomware as a service (RaaS), a business model not dissimilar to software as a service (SaaS).

RaaS changed the face of cybercrime. A cybercriminal no longer needs to be a ‘techie’ as they can purchase ready-to-go ransomware.

Ransomware operators develop ransomware that is sold to affiliates via websites on the dark web – marketing and packaging it for sale in a manner similar to businesses that trade legitimately.

Operators engage in marketing campaigns, publish user reviews and provide service guarantees, as well as after-sales support.

Unsatisfied with the service? Suppliers offer your money back.

Levels of sophistication range from subscription models to portals allowing tracking of the status of an infection.

This allows individuals in any country to get involved in the criminal activity.

Often, operators are lead generators: having gained access to a business, they pass on the opportunity to more sophisticated players to exploit in return for a cut in profits.

A recent report on ransomware trends by the UK, US and Australian cybersecurity authorities noted that the National Cyber Security Centre has even come across gangs who purport to offer a 24/7 help centre to victims to expedite ransom payments and restore encrypted data.

Double extortion

The consequences of ransomware can be devastating for its victims.

Once inside an organisation’s IT system, ransomware enables data, files and systems to be encrypted, with payments being demanded in exchange for the decryption key.

Business is brought to an abrupt halt. We find that backups are rarely configured in a way that will survive a ransomware attack.

The overwhelming majority of ransomware attacks now also involve data exfiltration.

The criminals first steal your confidential and sensitive data before encrypting it, adding another level of risk.

This type of attack – sometimes called the ‘double extortion’ technique – means that not only is a ransom demanded to decrypt the data, but the public release of the stolen data is also threatened unless a further ransom demand is met.

Gangs have websites and PR machines that support their threats to highlight successful attacks and publish stolen data.

In the past, ransomware gangs focused on bigger, national targets.

Now, many have become wary of the attention of law enforcement agencies (who save most resources for large infrastructure attacks) and have shifted focus to small and medium-sized organisations.

These can be particularly vulnerable to attack, because they often only rely on external IT support companies, and therefore do not have the right protections in place.

One estimate shows professional services suffered around 20% of ransomware attacks in 2022, making it the worst affected sector.

Cybercriminals know that firms have a duty to keep clients’ affairs confidential, are working to deadlines and that prolonged downtime can be disastrous.

As a consequence, law firms can be more likely to pay ransom demands (which can range from the tens of thousands to many millions of dollars).

It is, however, worth bearing in mind the Information Commissioner’s Office (ICO) and National Cyber Security Centre stance.

In a joint letter issued in summer 2022 to the legal profession, the two bodies made it clear that payment of ransom will not protect stolen data or result in a lower penalty by the ICO if an investigation is made.

Furthermore, remember you’re dealing with criminals.

Payment offers no guarantee of decryption or return of stolen data or prevention of re-extortion a few weeks down the line.

An evolving threat requires professional defence

Cyberattacks shut down organisations and are now one of the most serious threats to any business. They should be at the top of your risk register.

Attackers and the techniques they use are sophisticated and ever evolving, and defending against them is complex.

Small and medium-sized professional services firms are particularly vulnerable.

When you have professional criminals attacking your organisation, you need professionals defending you.

Find out more

The Law Society has partnered with Mitigo to offer technical and cybersecurity services with exclusive discounts for our members.

Find out more about Mitigo’s cybersecurity services

For more information, contact Mitigo on 020 8191 9205 or email
