In this Help Net Security interview, William Lyne, Deputy Director of the UK’s National Crime Agency, discusses the cybercrime ecosystem and the threats it enables. He explains how cybercrime is becoming more accessible and fragmented. Lyne also talks about key trends, recent disruptions, and collaboration between law enforcement and the private sector.
What are the most concerning trends you’re seeing in cybercriminal behaviour today?
Cybercrime is a constantly evolving threat, which is supported and enabled by a cybercrime ecosystem of technical capabilities and threat actors. This ecosystem generally results in two high level, connected trends – it lowers the barrier of entry into cybercrime and proliferates cybercrime capabilities. I see ransomware as a symptom or product of the cybercrime ecosystem.
More tactically, in 2024 there were a number of significant disruptions, such as the BlackCat-ALPHV exit scam and the NCA-led disruption of the LockBit ransomware-as-a-service group. These may have initiated or accelerated a move into a post-trust era, where there is less trust between threat actors than ever before. This has led to a fragmentation, resulting in more groups made up of smaller numbers of threat actors, with none gaining the dominant market share that groups such as LockBit had in the past. Groups are more likely to be lower profile, and potentially target lower profile and smaller organisations than in the past.
Recently we have seen significant reporting on attacks allegedly conducted by groups known by various different names such as SCATTERED SPIDER. I cannot comment on specific, ongoing investigations, but generally we see groups like these as comprised of individuals, often young men, in English-speaking countries who often have particular social engineering skills – exploiting people within organisations as opposed to using technical means to gain access to victim systems. For me, this goes to show the importance of people, alongside the technical aspects of building resilience against cyber threats, and how accessible cybercrime has become. It is no longer confined to small numbers of Russian-speaking threat actors who have a long history and reputation within the cybercrime ecosystem.
Can you describe how intelligence sharing works in practice between governments and the private sector in tackling online criminal networks?
Collaboration and intelligence sharing is at the heart of our approach to tackling the threat within the NCA, and we enjoy relationships with partners across the public and private sector both nationally and internationally. We’re united and motivated, in many ways, by a common mission.
Some of these are formalised law enforcement relationships that we have had for a long time – for example, I was the NCA’s embed to the FBI in Washington DC for a number of years. But it is not just limited to the US – the NCA is lucky to enjoy brilliant relationships with the ‘five eyes’ countries and partners across Europe and beyond in the fight against cybercrime.
In terms of sharing itself, some is focused on helping us understand the threat more fully, whilst other relationships are more about working together to deliver a response to the threat. In lots of the NCA’s recent cybercrime disruptions, you may have noted that we’ve named some private sector partners we’ve worked with.
How effective are existing legal frameworks in enabling law enforcement to act against transnational cybercrime?
There are a range of tools at our disposal within the NCA that allow us to act against the cybercrime threat, and we work collaboratively with our national and international partners to disrupt the threat that we know is causing harm in our communities.
What strategies have proven most effective in deterring nation-state-backed or state-tolerated cybercriminals?
In the NCA, we are predominantly focused on financially motivated cybercrime, with ransomware as a main area of focus given how significant the threat it poses to the UK is. We recognise that some cybercrime groups have connections to the Russian State (for example, see the activity we led against the EVILCORP group in 2019 and 2024), but assess that these types of deep-rooted relationships are likely to be the exception as opposed to the norm.
When targeting the cybercrime threat, we have been focused on associating cost and risk to the threat actors who seek to cause harm to us and our allies, and we achieve this in a number of different ways. The NCA-led disruption of LockBit in 2024 (Operation CRONOS) was successful in undermining trust between members of the group, as well as any trust that victims might have had in LockBit keeping their word. We did this by infiltrating LockBit’s systems, publishing information about the group on their own leak site, and demonstrating that stolen victim data was never deleted for those who paid ransoms.
Other tactics can involve targeting the key elements of the cybercrime ecosystem that support and enable the ransomware business model. Again in 2024, the NCA led Op DESTABILISE, which successfully disrupted Russian-speaking illicit finance networks that we know were utilised by a number of different ransomware groups, alongside a range of other threat actors.
What can private sector organizations do to better support government efforts in cybercrime prevention and response?
We recognise that, for online threats in particular, working in collaboration with the private sector is vital. We want to know about attacks, to enhance our understanding of the threat and improve the victim experience, and allow us to better target it in the future. I’d certainly encourage organisations to build relationships with law enforcement, and would signpost everyone to the excellent resources on the NCSC website about steps we can all take to build resilience against cyber and other online threats.