Charlie McMurdie, who once served as New Scotland Yard’s head of economic and cybercrime and was also a senior cybercrime advisor at PwC, offered a shadowy overview for 2021. She estimated that cybercrime will cost the global economy $6 trillion, and fake emails will continue at the current pace of 6.4 billion sent daily. Even more concerning, she said the median number of days attackers will lurk undetected on compromised networks will be 146 days. That’s almost five months inside the network before they’re detected and dealt with.


Understanding who the criminals are and what their motivation might be key in designing defenses to deal with the threat. Hackers come in a variety of criminal types. And within those categories, there are interesting characteristics. McMurdie recalled her work at New Scotland Yard to describe one odd trait. “If you arrest anybody nowadays for mugging or bank robbery, they do not want to talk and incriminate themselves. But, quite often with cybercriminals, they love to talk about what they have done, how they have done it, how they have managed to get through different networks. It is really interesting when they are arrested because they want to tell everyone what they have done.”

These are the gamers, motivated by a competitive spirit and criminal high-risk/high-reward energy. They’re almost like big-game hunters tracking the largest, most powerful financial institutions, companies, and governments. McMurdie added, “Cybercriminals like to capitalize on weaknesses and the key story of the day. So any major disaster that’s occurring, they will probably send something out.”

That kind of hacker is very different from the state operative who, at the direction of his political bosses, and from deep within the web shadows, looks to embed his malware on targets like public utilities or foreign elections (the Colonial Pipeline in 2021 and Latvian government services in 2018). And both of those are far afield from other cybercriminals who operate alone, focusing their ransomware on small hospitals and local businesses.

McMurdie lists four types of cybercriminals:

  1. Hacktivists who are willing to operate at the edges or beyond the limits of the law,
  2. Organized crime groups,
  3. Those working for nation-states, and
  4. Insiders

Designing strategic plans to deal with cyber threats begins with a vulnerability assessment. To set alerts and honey traps for would-be attackers at the foreign offices won’t be the same as looking out for malcontent insiders at the home office, those who already have password permissions and freedom of movement in the networks. Companies and law enforcement need to adjust for differences between the solitary misfit and organized syndicates that are beyond the reach of extradition.


The insidious evolution of ransomware has inspired some to adopt traditional business development routes—syndication and venture capitalism. And unlike the solitary hacker who builds armies of hijacked computer botnets (Resilient—Jeanson James Ancheta), penetrates corporate networks at The New York Times, Google, and Yahoo (Homeless Hacker—Adrián Lamo), or specializes in digital bank robbing (AKILL—Owen Walker), these latter-day black hats are becoming corporatized.

Three who wrote some of the early history: The Homeless Hacker (Adrián Lamo), The Condor (Kevin Mitnick), Dark Dante (Kevin Poulson). Photo: 2001 Wikimedia Commons

Their basic model for the ransomware is the same as the independents—social engineer someone to allow you to plant your malware, encrypt key data, and then send the ransom note. And they’re still reaching into the same pots—bitcoins, harvested data, and intellectual property. But now, they’re getting organized.

MonsterCloud, a Florida-based ransomware removal company, posted a list of the top ransomware gangs in 2020, who they predicted would continue to lead in 2021. The gangs offer ransomware programs, ready to use, on an ransomware-as-a-service (RaaS) arrangement. You get the malicious programs from the gang for much less than it would cost you to create them on your own, and the providers generally get a 20% to 30% cut of the ransom payment.

Among the dozens of RaaS gangs operating in 2020, MonsterCloud listed five that were involved in major incidents:

  1. Ryuk. The biggest RaaS gang was responsible for almost 33% of all the ransomware attacks in 2019. Ryuk malware was used in the Sopra Steria attack in Europe, Seyfarth Shaw Law Firm, Universal Health Systems, and several hospitals in the United States.
  2. DopplePaymer. Provided the ransomware for the attacks on Pemex in Mexico, Bretagne Télécom in France, and both Newcastle and Düsseldorf University.
  3. Egregor. Provided the ransomware for attacks on Crytek in Germany, Ubisoft in France, and Barnes & Noble in the U.S.
  4. Netwalker/Mailto. Provided the ransomware for attacks on Toll Group in Australia as well as Equinix, University of California San Francisco, and Michigan State University in the U.S.
  5. REvil/Sodinokibi. Provided the ransomware for attacks on Britain’s Travelex, as well as airports and local governments in the U.S.

And just to add one more element to this dark corporate image, the New York cybersecurity company LIFARS recently reported on an underground venture capital (VC) system growing around the operations of ransomware hackers. LIFARS’s CEO Ondrej Krehel told Fast Company reporter Steven Melendez, “Outside of ransomware, I don’t think that ever actually happened, that you’ve had a VC ecosystem in a criminal cyberscape.”

It works the way it does in Silicon Valley. Melendez says there are calls for investors that could include profiles of the malware founders and lists of their accomplishments on secure chat apps like Telegram. “Certain groups,” Melendez writes, “are accessible only to people who can demonstrate they’re already involved in digital crime, usually by sending a token amount of cryptocurrency traceable to a ransomware incident or something similar to a certain address.”

Krehel says the danger in this investment in ransomware gangs is that it “will lead to the same kind of rapid advances previously seen in other areas of software and digital technology. These enterprises are going to be much smoother to operate.”

Certainly ransomware isn’t the only cybersecurity challenge, but the early successes and massive potential for this kind of attack demands serious attention. MonsterCloud has predicted growth of the gangs offering RaaS in 2021 and offered an early warning about mobile attacks: “Our mobile phones will become a bigger target than ever.”

About the Authors