The Major Threat Actors
Understanding who attacks organisations — and why — is the foundation of informed board-level risk decisions.
1.2 Nation-State Actors
State-sponsored groups from Russia, China, North Korea, and Iran conduct attacks for geopolitical intelligence, industrial espionage, and critical infrastructure disruption. These actors operate with unlimited time, resources, and legal impunity in their home jurisdictions.
- China's Volt Typhoon: pre-positioned inside US and European critical infrastructure for years, waiting for geopolitical triggers. Pharmaceutical, energy, and semiconductor organisations are priority targets.
- Russia's Sandworm: responsible for NotPetya (2017) — $10B+ global damage, including $300M to Maersk and $870M to Merck. Classified by insurers as an 'act of war'.
- North Korea's Lazarus Group: conducts ransomware and cryptocurrency theft to fund state programmes. Responsible for WannaCry (2017) — $4B+ global damage, 80,000 NHS devices encrypted.
Organised Criminal Ransomware Groups (RaaS)
Ransomware-as-a-Service has industrialised cybercrime. Groups like LockBit, BlackCat/ALPHV, Cl0p, and Royal operate with affiliate models, recruiting technical specialists, negotiators, and money-laundering networks.
- Average enterprise ransom demand (2024): $5M–$50M+. Average total incident cost: $4.5M for mid-size firms, $30M+ for large enterprises.
- Double extortion: data encrypted AND exfiltrated. Victims face both operational shutdown and threatened public release of sensitive data.
- Triple extortion: attackers directly contact customers, partners, regulators, and media — creating pressure independent of the organisation's response.
- The RaaS model means attacks are now accessible to low-skill actors — any criminal can rent the infrastructure.