“Ransomware is an existential threat for many victims today, and one that’s constantly evolving,” warned William Lyne, Head of Cyber Intelligence at the UK’s National Crime Agency (NCA), during his recent conversation with Deryck Mitchelson, CISO of Check Point Software.
Speaking at Check Point Software’s recent Cyber Leader Summit London, Lyne offered a frank assessment of the ransomware landscape: more fragmented, increasingly agile, and more determined than ever.
Fragmentation in the Underworld
“The ecosystem is evolving,” Lyne explained. “We’re seeing less trust between threat actors, and less reliance on big ransomware-as-a-service platforms or centralized marketplaces.”
Where once large, vertically integrated groups dominated the ransomware space, today’s operators are fragmented into smaller, more agile cells. In part, this is a response to successful law enforcement operations, which have made it clear to criminals that being high-profile is bad for business.
Moreover, infighting among cybercriminal groups has disrupted operations. For example, Conti experienced massive internal fallout following Russia’s invasion of Ukraine in 2022 when a disgruntled member leaked internal chat logs, tools, and sensitive operational data. In 2025, DragonForce (of M&S breach fame) began targeting other cybercriminal gangs, defacing their leak sites and instigating turf wars. As Lyne put it, “the best cybercrime disruptions often come from the threat actors themselves.”
This fragmentation has changed operational models. Rather than outsourcing capabilities through large platforms, where the risk of infiltration or law enforcement visibility is high, many groups now prefer to bring key capabilities in-house and maintain a lower profile.
Rethinking Disruption
The ransomware threat’s fluidity has forced law enforcement to develop new methods. “It’s not just about takedowns anymore,” said Lyne. “Disruption now takes many forms: going after infrastructure, targeting affiliates, undermining the business model.”
While it’s the big police busts that make the headlines, Lyne doesn’t view success solely through the lens of “door-kicking” operations. Modern disruption efforts aim for longer-term, strategic impact. “We’re looking to degrade the ecosystem in ways that reduce threat capabilities over time, not just removing one gang for another to fill the gap.”
Lyne also emphasized the importance of international collaboration. “Everything we do is both national and international,” he said, highlighting partnerships with Europol, Interpol, and the NCA’s international peers. Interestingly, those partnerships increasingly include the private sector. “In 2024, three of our biggest operations involved name industry partners,” Lyne said.
The Role of Data and AI
As with so many aspects of the cybersecurity industry, vast amounts of data sit at the heart of the NCA’s operations. “Data is the critical enabler for everything we do,” Lyne said. From attribution to sanctions to understanding criminal infrastructure, high-quality data underpins every distribution effort.
To manage and make use of this data, the NCA has adopted machine learning and AI technologies. “We were early adopters of AI for automation, and increasingly use it to generate insights,” Lyne explained.
However, Lyne also recognizes the risks associated with AI. With threat actors stockpiling terabytes of stolen data – from NHS badges to sensitive public and private sector records – there is a growing concern that AI could enable new forms of identity exploitation-as-a-service. “That would be hugely harmful, not just to victims of ransomware, but to anyone whose data gets caught up in the wider ecosystem.”
To Pay, or Not to Pay?
Lyne strikes a pragmatic note when asked about whether victims should pay ransoms. “Of course, we never recommend paying because it funds the ecosystems, but we recognize that for some victims it can be an existential decision,” he said. Our role is to empathize, understand, and educate.”
Looking Ahead
As for the future? Lyne foresees more of the same, just with a few new challenges. “AI is already helping threat actors at every stage of their operations,” he said. The continued fragmentation of the cybercrime ecosystem, combined with emerging technologies, means defenders will need to stay focused on disrupting enablers as much as the threats themselves.
Geography will also continue to challenge traditional policing. “Many threat actors are outside the UK. But that doesn’t mean we don’t go after them, it just means we have to get creative,” Lyne said. “We have to be proactive, using all the tools and capabilities at our disposal.”
With that, Lyne offered a window into the often unseen world of cybercrime disruption: one built on data, collaboration, creativity, and, above all, persistence.
Josh is a Content writer at Bora. He graduated with a degree in Journalism in 2021 and has a background in cybersecurity PR. He's written on a wide range of topics, from AI to Zero Trust, and is particularly interested in the impacts of cybersecurity on the wider economy.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.