NCSC: Why Cyber Extortion Attacks No Longer Require Ransomware

Published: 23/11/2024   Category: security




Ransomware becoming less of a factor as threat actors extort businesses with payment options that are less than regulatory fines.



44CON 2023 – London – Cyber attackers are becoming less reliant on ransomware to get victims to pay — instead using social engineering skills to extort money, according to a top official from the UK's National Cybersecurity Centre (NCSC).
Speaking at 44CON in London, NCSC's operations director Paul Chichester said ransomware remains a major concern for the agency and for businesses as the number of ransomware incidents continues to increase. But a lot of attackers often do not use the encryption malware anymore: They just steal data, put it on a leak site, and solicit a payment in exchange for taking it down.
"We've seen criminals move from only encrypting data, to double extortion — encrypting it and threatening to leak it, to now, on some occasions, simply threatening to leak the data. It feels like they are keen to be as efficient as possible, or perhaps making it less painful for the victim, because generally people still pay to avoid their data being leaked," he said.
Double extortion is where the attacker steals data and demands a payment from an organization to have it returned, and also often deploys ransomware to encrypt networks and desktops as well. However, attackers increasingly are moving away from using encryption malware, and toward pure data-theft extortion tactics.
Addressing a cyber extortion attack takes more than just having backups to restore systems and data. Organizations also should consider best practices on passwords and multifactor authentication, ensure efficient patch management, and provide security training for employees, experts say.
NCSC's Chichester said the UK has a policy that recommends organizations do not pay ransom because the payments fuel the criminal ecosystem. Even so, some companies do pay in order to reassure their customers that their data is safe, he noted.
Sharing a story about a company that was attacked, Chichester said the attacker set the ransom payment to be a lower amount than a GDPR fine, so that it would appear that the company was paying less with the ransom rate than a regulatory fine and therefore saving money.
"That's not true by the way: You still have to pay a GDPR fine for a data breach, but that's the way that actors are socially engineering a victim," he explained.
Chichester said he has empathy for companies that are hit, as he has seen incidents where everything is encrypted and the victim is locked down and they feel they have no choice but to pay the ransom.
Fines for GDPR violations have ranged from £20 million, or $24 million, to $425 million. The UK Information Commissioner's Office in its guidance on penalties states that the maximum fine is £17.5 million, or four percent of the total annual worldwide turnover in the preceding financial year — whichever is higher.
Ransomware payments, meanwhile, have been reported as reaching up to eight figures, while the average payment by UK organizations in 2023 was $2.1 million.
Chichester praised collaboration with the UK industry sector, especially when organizations alert the NCSC to a ransomware attack. That way, the agency is able to study the malware and work with threat intelligence providers and research communities to help the victim — and sometimes act as a broker between the victim and the attacker.
"I'd much rather stop an incident than actually be responding to one," he says. "But we respond to and work closely with all of those organizations [that are hit]."
