How to Protect Against Cyber Ransom Attacks by Notorious Hackers
A 17-year-old from Walsall was apprehended last month on charges including blackmail and violations of the Computer Misuse Act. This incident shed light on Scattered Spider, a group of teenage hackers targeting large corporations.
“Ransomware gangs are getting more innovative in forcing victims to pay,” said Will Lyne, head of intelligence at the National Cyber Crime Unit of the National Crime Agency (NCA).
The NCA collaborates with the National Cyber Security Centre, the FBI, and Australian secret services to dismantle cybercriminal operations based in the former Soviet Union and Europe.
The repercussions of ransomware can be catastrophic for businesses that cannot afford to meet the attackers’ demands. “The impacts are more than financial. They are psychological and economic,” said Lyne.
Scattered Spider uses “social engineering” tactics like phishing to acquire data. One method, Sim swapping, involves using phishing to gather information such as a victim’s name and Sim card number, then impersonating the victim to transfer the Sim to another phone.
Controlling a Sim card allows hackers to bypass two-factor authentication used for account security.
“Social engineering helps in stealing data and committing fraud. Hackers send emails and SMS to deceive help-desk staff or users,” said Don Smith, threat head at cybersecurity firm Secureworks.
Businesses need active defence strategies to counteract these threats, according to Lyne. “Use updated software, strong passwords, and multi-factor authentication, and ensure employees are trained on spotting phishing,” he advised.
“Human error is a massive factor in online security. Negligence and lack of training can leave you just as vulnerable,” Lyne emphasized.
He also warned about remote work’s risks: “Remote access to company IT systems is exactly what hackers want. Security of IT communications is critical.”
Hackers use various extortion methods after breaching a computer.
In traditional extortion, an anonymous attacker encrypts and incapacitates a company’s computer, then demands a ransom.
“Double extortion” involves stealing data and threatening to release it, explained Lyne. “Triple extortion includes contacting the victim’s customers and partners to inform them sensitive data was stolen. Quadruple extortion adds another attack like denial of service.”
Denial of service typically involves overwhelming a website with traffic, rendering it inaccessible.
Ransomware groups often post stolen data on leak sites to maximize pressure on victims.
Scattered Spider stands out among ransomware groups, most of which are based in the former Soviet Union and enjoy protection from Russia in exchange for part of their earnings.
“Russia is very permissive for cybercriminals,” Lyne stated.
Dark web services like encryption, coding, and translation fuel a ransomware “ecosystem,” according to Lyne.
Infiltrating these markets helps secret services track key cybercriminals, and there have been successes. In February, the NCA and FBI dismantled LockBit, a Russian gang with 200 affiliates using its software.
LockBit falsely assured victims that their data would not be leaked after ransom payments. “People paying ransoms should question the benefits,” said James Babbage, NCA’s head of threats.
The decision to pay ransom is tough for corporate cybercrime victims. When Scattered Spider targeted MGM in September, demanding $30 million, CEO Bill Hornbuckle told The Sunday Times: “We refused to pay and never closed. We got through it.”