Beating Cyber Criminals
The Coalition of Cyber Investigators discuss why OSINT, collaboration, and early warnings are key to survival in the ransomware war
Paul Wright & Neal Ysart
7/26/2025, 3 min read


Why OSINT, Collaboration, and Early Warning Are Key to Survival in the Ransomware War
"Cybercrime is now the fastest-growing form of criminality in the UK." – BBC Panorama.
In a gripping new BBC Panorama episode, viewers were given a rare behind-the-scenes look at the UK's cybercrime-fighting apparatus. The show, "Fighting Cyber Criminals," captured the challenge of defending a digitally dependent nation from an expanding, incredibly advanced, and rapidly evolving threat: ransomware.
Despite the nonstop efforts of government agencies such as the UK National Crime Agency (NCA) and the National Cyber Security Centre (NCSC), one harsh fact was acknowledged with unease—the government alone cannot do it.
THE GRITTY REALITY OF TODAY'S CYBERCRIME
The ransomware threat is no longer an exception. It's a cold-hearted, lucrative business model, operated by participants who don't have to hack thousands of systems - tens of high-paying targets are sufficient to make profits.
Panorama revealed that the average UK ransom payment is now £4 million, and the NCA predicts 2025 will be the year of all ransomware attacks.
Much of it is driven by Ransomware-as-a-Service (RaaS), a business model for crooks whereby ransomware developers lease out their kit to affiliates for a percentage of the haul. It's risk-free, well-paid, and very effective.
Aside from financing terrorism or violating sanctions, it’s unclear if paying the ransom is completely legal. The ambiguity has led the government to consider prohibiting ransom payments by public authorities and ordering private firms to apply for formal authorisation prior to making a payment.
RANSOMWARE VICTIMS ARE SLOW TO SPOT ATTACKS
Among the most damning trends presented in the programme is the late detection of attacks. In most cases, organisations are unaware they've been compromised until their information is already encrypted or exfiltrated, by which point it is too late.
The technical complexity of ransomware investigations contributes to this delayed response. Threat actors route their attacks through anonymised networks and cross-border jurisdictions, making attribution impossible.
EARLY DETECTION THROUGH INTELLIGENCE AND OSINT
The only viable defence is early warning and anticipatory intelligence collection. If used effectively, Open-Source Intelligence (OSINT) will catch early warning signals - e.g., hijacked credentials, dark web forum discussions, or hostile infrastructure set-up - far ahead of deployment.
For instance, in an incident involving South Staffordshire Water, attackers released fake screenshots purporting to show that they had breached the water company's control systems. OSINT and media analysis promptly discredited this false information, illustrating that attackers now use disinformation as a strategic weapon.
PUBLIC–PRIVATE PARTNERSHIPS ARE CRITICAL
The BBC show depicts the NCA and cyber police units working tirelessly and openly recognising their limited reach. The criminals operate internationally, and the scale of attacks demands action from the private sector.
The most inspiring successes showcased in the programme weren't solely government-led - they involved partnerships between the public sector and cybersecurity and intelligence companies, merging technical skill with threat understanding.
Organisations must harden their defences, not just with firewalls and EDR technology but also with active OSINT and strategic awareness of criminal enterprise and behaviours.
IT'S TIME TO CHANGE MINDSETS
Cybercrime is no thunderstorm to be weathered. It's the new normal - and as the Panorama programme painfully demonstrates, ransomware is here to stay. Criminals are bold, their business is growing, and the extortion industry is booming.
For businesses, governments, and individuals, the lesson is immediate and absolute:
Collaborate with intelligence providers
Leverage OSINT to identify early signs of compromise
Develop organisational muscle for cyber resilience
Challenge suspicious claims from threat actors
Pressure leadership to prepare for - not merely respond to - attacks
Because when it comes to ransomware, prevention isn't more expensive. It's the only viable choice.
To remain ahead of cybercrime trends and ransomware attacks, go to www.coalitioncyber.com
Authored by: The Coalition of Cyber Investigators
Paul Wright (United Kingdom) & Neal Ysart (Philippines)
The Coalition of Cyber Investigators is a collaboration between
Paul Wright (United Kingdom) - Experienced Cybercrime, Intelligence (OSINT & HUMINT) and Digital Forensics Investigator;
Neal Ysart (Philippines) - Elite Investigator & Strategic Risk Advisor, Ex-Big 4 Forensic Leader; and
Lajos Antal (Hungary) - Highly Experienced Cyber Forensics, Investigations and Cybercrime Expert.
The Coalition unites leading experts to deliver cutting edge research, OSINT, Investigations & Cybercrime Advisory Services worldwide.
Our two co-founders, Paul Wright and Neal Ysart, offer over 80 years of combined professional experience. Their careers span law enforcement, cyber investigations, open source intelligence, risk management, and strategic risk advisory roles across multiple continents.
They have been instrumental in setting formative legal precedents and stated cases in cybercrime investigations, as well as contributing to the development of globally accepted guidance and standards for handling digital evidence.
Their leadership and expertise form the foundation of the Coalition’s commitment to excellence and ethical practice.
Alongside them, Lajos Antal, a founding member of our Boiler Room Investment Fraud Practice, brings deep expertise in cybercrime investigations, digital forensics and cyber response, further strengthening our team’s capabilities and reach.
The Coalition of Cyber Investigators, with decades of hands-on experience in cyber investigations and OSINT, is uniquely positioned to support organisations facing complex or high-risk investigations. Our team’s expertise is not just theoretical - it’s built on years of real-world investigations, a deep understanding of the dynamic nature of digital intelligence, and a commitment to the highest evidential standards.