The Transnational Cybercrime Extortion Landscape and the Pandemic: changes in ransomware offender tactics, attack scalability and the organisation of offending

David S. Wall, Centre for Criminal Justice Studies, University of Leeds, UK (d.s.wall@leeds.ac.uk)

Abstract—The sudden disruption of work, recreation and leisure practices caused by the COVID-19 lockdown caught many organisations and their employees unaware, especially during the move towards working from home. This led adaptive cybercriminals to shift their own focus towards home workers as a way into organisational networks. The upshot was a massive acceleration in major cyberattacks upon organisations and a noticeable shift in offender tactics which scale up levels of fear in victims to encourage payment of the ransom. Such tactics include a shift towards naming and shaming victims, the theft of commercially sensitive data and attacks targeting organisations which provide services to other organisations. These developments have also led to changes in the organisation of offenders online. Such attacks negatively impact upon national and international economies as they try to recover from lockdown. Drawing upon an analysis of 4000+ cases of ransomware attacks collected for the EPSRC EMPHASIS & CRITICAL research projects, this article charts the evolution of ransomware as a modern cybercrime and changes in the organisation of cyber-criminals as well as highlighting some of the implications for transnational policing.

The first part of this article looks at how lockdown disrupted routine behaviours and changed cybercrime attack vectors. The second part explores the evolution of ransomware tactics to show how changes in cybercrime have accelerated because of lockdown. The third part shows how cybercrime actors are now supported by a ‘professional’ ecosystem incentivised by the high yield which facilitates modern cybercrime. Before concluding, the fourth part will briefly outline some of the new challenges that modern cybercrimes are posing for law makers and law enforcement, not least the need to focus different resources upon the various stages of the ransomware attack so that they can more effectively respond co-productively with cybersecurity stakeholders.

Wall, D.S. (2021) ‘The Transnational Cybercrime Extortion Landscape and the Pandemic: changes in ransomware offender tactics, attack scalability and the organisation of offending’, European Law Enforcement Research Bulletin, 22, https://bulletin.cepol.europa.eu/index.php/bulletin/issue/archive (forthcoming).

A preprint version of the full article is available at: https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3908159