Fighting Ransomware w/ William Lyne (National Crime Agency)

We interviewed William Lyne, Head of Cyber Intelligence at the UK National Crime Agency (NCA), on the evolving ransomware ecosystem, the business models behind ransomware-as-a-service, and the role of disruption in reducing harm. He shares how the NCA’s approach has shifted, how generative AI fits into the picture, and why effective public-private collaboration is essential.
 

Could you briefly explain the NCA’s role and how it is addressing cybercrime?

The NCA is essentially the UK’s national law enforcement agency focused specifically on serious and organised crime, with a purely criminal remit. The cyber element of the NCA is called the National Cyber Crime Unit, or NCCU, and we lead and coordinate the national response to cybercrime, with a clear focus on this area.

In particular, we focus on what we refer to as “cyber-dependent crime,” which, admittedly, is a term that’s becoming a bit outdated now. It refers to offences that can only be committed using a computer. Ransomware is a prime example of this—it’s a crime unique to the online environment.

On the other hand, there are many crimes that are “cyber-enabled.” These are offences that could be committed using traditional, offline methods, but technology makes them far more scalable, efficient, and profitable for offenders. The NCCU, as the cyber arm of the NCA, leads and coordinates the serious and organised cybercrime response across the UK. We work closely with colleagues across government, as well as with our partners in the City of London Police and with forces and regional organised crime units throughout the country.

It’s very much a team effort, both nationally and in collaboration with our international partners.
 

Could you share a bit about your background in cybersecurity, how you came to work at the NCA, and what your day-to-day looks like in your role?

I actually kind of stumbled into a job in law enforcement. I’ve spent around 15 years with the NCA, working in a variety of roles. This has included serving as a liaison officer in Afghanistan, as well as being a liaison officer to the FBI Cyber Division in Washington, DC. I’ve also led various intelligence and investigation teams within the agency, and most recently, I’ve been the Head of Cyber Intelligence for the NCA.

No two days are the same in this role. A lot of it involves bringing together and leading teams to understand the threats we’re facing and to deliver effective responses to those threats. Given the nature of the online environment and my role, much of my work is desk-based, with plenty of meetings, as you’d expect.

One of the great aspects of working in this space is that every day really is different. For example, this afternoon I have a meeting with partners from the City of London Police, later this week I’m chairing a coordination meeting with various policing partners, and tomorrow I’ll be meeting with colleagues from U.S. law enforcement.

Last week, the NCCU hosted a meeting with some of our private sector partners, so there’s also a lot of engagement with industry. It’s a mix of meetings, coordination, and desk-based work, but it’s a role I find really rewarding and enjoyable.
 

It’s clear ransomware has become a major national security concern. Could you talk about how we got to this point and why ransomware evolved so rapidly into such a critical issue?

Yes, it’s really interesting, isn’t it, how ransomware went from being quite a niche cybercrime issue to a significant national security concern in a relatively short period of time. In the late 2010s, it wasn’t really on many people’s radar, but with the benefit of hindsight, all the ingredients for ransomware to become the problem it is today were already there.

The way I like to think about it is that there’s a broad cybercrime ecosystem, and threat actors operate within that ecosystem with access to various capabilities, tools, and services—many of which are offered as-a-service and can be rented or purchased. All the ingredients came together at a particular point, and ransomware quickly accelerated from a niche issue to a really acute problem.

I think 2021 was a key moment when we saw significant attacks in the U.S., like the incidents involving JBS Foods and Colonial Pipeline, which really brought ransomware into public consciousness. From that point—and probably even a bit before—it became a major focus for the National Cyber Crime Unit and the NCA’s wider cybercrime work.

We see ransomware as a symptom or product of this broader cybercrime ecosystem, rather than the ecosystem being a result of ransomware. Ransomware is just the latest and most acute threat to emerge from it. The ecosystem itself is particularly interesting because it underpins many types of online threats. For example, the same tools and steps used to carry out sophisticated business email compromise (BEC) fraud are often similar to those used in ransomware operations.

So we describe this cybercrime ecosystem as a “cross-threat enabler” because it supports a range of online criminal activities, not just ransomware or purely cyber-dependent crime. It makes the problem space fascinating, but it also means we need to look beyond narrow definitions and think in terms of the wider ecosystem if we want to effectively tackle these threats.
 

How do you see generative AI shaping the cybercrime landscape—and specifically, what impact might it have on ransomware operations?

Yes, it’s a really interesting question, isn’t it? When it comes to cybercriminals—particularly ransomware threat actors—they tend to be quite steady-state. They typically only change their approach if what they’re currently doing becomes less profitable or if they spot a new opportunity to make significantly more money.

Sometimes we like to think of ransomware groups as being highly sophisticated, finely tuned operations. But actually, a more accurate comparison I’ve heard is that they resemble chaotic tech start-ups—often disorganised, not always efficient, and certainly not the sort of vertically integrated criminal enterprises people might imagine. So in that sense, they’re probably slower to adopt new technologies than many would expect.

That said, yes—they will adopt AI, just like everyone else in the broader tech space is exploring how to use it. Right now, I wouldn’t say AI has revolutionised the ransomware landscape, but it is beginning to play a role across the various stages of the cybercrime business model.

When you look at the steps required to run a cybercrime operation—whether it’s reconnaissance, phishing, exploitation, extortion—generative AI can make each of those steps slightly easier. It makes tools more accessible, workflows more efficient, and actors more productive. So rather than completely transforming the ecosystem at this point, it’s incrementally improving threat actors’ capabilities.

But could it eventually revolutionise things? Yes, I think it could. It hasn’t happened just yet—but we’re definitely heading in that direction.
 

How well do you think current legal and jurisdictional frameworks support enforcement efforts in tackling cybercrime? Where do you see the most significant gaps or obstacles?

I mean, yes, working and collaborating with partners—whoever they may be—means you always need to overcome barriers of some sort, whether that’s legal, jurisdictional, or operational.

But actually, I think we’ve become much more joined up and sophisticated in how we work nationally, partnering across law enforcement and the wider UK government system. We’ve also got really strong relationships with our international partners. The NCA has excellent ties with our Five Eyes partners—Australia, New Zealand, Canada, the US—as well as with our European colleagues in France, the Netherlands, Germany, and others.

We often use multilateral platforms like Interpol and Europol to bring partners together, and they’re a big part of what we do. Of course, there are barriers when working in this way, but the benefits far outweigh the challenges. Bringing together different resources, expertise, perspectives, and capabilities is incredibly powerful.

The last point I’d highlight is the private sector. Online threats are a prime example of why we need to work closely with industry to understand the threat landscape and deliver effective responses. That’s quite different from other serious organised crime areas. For example, if you’re running a drug trafficking investigation, you don’t typically need to consult private companies or threat intelligence firms to shape your understanding or response. Law enforcement owns that space and has done for a long time.

But with online threats, we recognise the need for deep collaboration with private sector partners. They help us understand the threats better, and they help shape and deliver tactical responses. So, yes, there are certainly challenges—different rules, regulations, legislative frameworks—but the benefits of collaboration massively outweigh those obstacles.
 

What more would you like to see from private sector organisations in terms of prevention, response, and strategic collaboration with law enforcement?

We always have to push to do more, don’t we? And it’s not just the responsibility of private sector partners or purely of law enforcement—we have to meet each other halfway.

We all want the same thing in many ways: protecting the public, protecting vulnerable people and organisations, and generally doing the right thing. It’s about making connections with our partners on a “rainy day” so that when the time comes, the contacts and trust are there to push forward together.

A lot of the big disruptive actions we delivered in 2024 as the NCA—like the takedowns and sanctions work against Evil Corp—publicly named private sector partners alongside our national and international law enforcement partners. Hopefully, that demonstrates that we’re on a journey of working collaboratively, recognising how important those private sector partnerships are in helping us understand the threats and deliver effective responses.
 

Finally, what’s one thing you wish more people in security leadership understood about the cybercriminal ecosystem?

I think I’ve kind of said it already: we all want the same thing, and many in the security leadership community already share that understanding of the ecosystem and threat landscape. When people come into it with that perspective, it helps align perspectives and activities much better.

Reaching out to us, helping us understand the problem, and helping steer the response is really important, and we talk a lot about having a “dare to share” attitude. We’ve come a long way in being more progressive and open about what we’re doing, and many of our partners are doing the same.

But like all relationships, you always have to keep working at it. The threat actors and the threat landscape are constantly changing and innovating, and we have to work hard and collaboratively to keep up. None of the threat actors in the ecosystem face the same challenges around collaboration that we do, so it’s on us to keep pushing to do more and do it better.

