
IACAIP  | 128 City Road, London, United Kingdom EC1V 2NX  |  Registration No: 16843978 


Cybercrime as a Global Economy: Policy Intervention Through Mandatory Ransom Payment Disclosure

Cybercrime has evolved from isolated hacking incidents into a global, multi-trillion-dollar shadow economy with structures and practices akin to legitimate industries. Recent estimates suggest global cybercrime damages could reach $10.5 trillion annually, surpassing the GDP of all but the world’s largest economies. Even conservative academic projections place losses at $500 billion annually, highlighting a systemic economic burden that threatens business resilience, national productivity, and public confidence in digital infrastructure.

In the United Kingdom, cybercrime costs are estimated between £14.7 billion and £27 billion annually, a figure that represents not just direct financial loss but also secondary costs, such as business disruption, regulatory fines, and reputational damage. Across Europe, the effects are even more pronounced. For example, Germany reported €300 billion in cybercrime-related losses in a single year, demonstrating the scale and sophistication of these attacks across developed economies.

This white paper proposes that:

  1. Cybercrime functions as a parallel, illicit economy, complete with structured services, financial flows, and cross-border operations.

  2. Ransomware payments serve as direct funding mechanisms for criminal syndicates, fuelling growth, operational sophistication, and technological advancement.

  3. Mandatory disclosure of ransom payments for companies above a revenue threshold (e.g., £3 million) will enhance transparency, reduce criminal incentives, and strengthen national and regional cyber resilience.

By introducing such policies, governments can significantly disrupt the funding of cybercrime networks, enhance intelligence capabilities, and encourage businesses to invest in preventive cybersecurity measures.


1. Cybercrime as an Economic Superpower

1.1 Defining Cybercrime as an Economy

For the purposes of this paper, cybercrime is defined as:

“Any criminal activity that involves a computer system, network, or digital device as the primary instrument, target, or location for criminal gain.”

This includes but is not limited to:

  • Ransomware attacks – encrypting data and demanding payment

  • Phishing schemes – deceiving individuals into revealing sensitive information

  • Identity theft and financial fraud – illegally accessing financial accounts

  • Business email compromise (BEC) – defrauding businesses via email manipulation

When aggregated globally, the financial flows generated by these activities form a shadow economy, rivalling the GDP of mid- and high-income countries.

1.2 Key Indicators of Cybercrime Scale

  • Global losses: Up to $10.5 trillion annually, equivalent to the 3rd largest economy globally.

  • UK-specific impact: Cybercrime costs 0.5% of GDP annually.

  • Europe-wide impact: German losses alone account for €300 billion annually.

Cybercrime now exhibits industrial characteristics, including supply chains, service models, and subscription-based operations, which allow rapid scaling.

1.3 Industrialised Cybercrime Models

Cybercrime is increasingly professionalised and structured, with business models similar to legitimate industries. Key models include:

  1. Ransomware-as-a-Service (RaaS)

    • Criminals provide ransomware “kits” to affiliates, often with technical support and customer service.

    • Affiliates target victims and share a portion of the ransom with the RaaS operator.

  2. Phishing-as-a-Service (PhaaS)

    • Subscription-based access to phishing infrastructure, including email templates, compromised domains, and automation tools.

  3. Initial Access Brokers (IABs)

    • Sell access to corporate networks, often targeting critical industries or supply chains.

  4. Dark Web Marketplaces

    • Platforms for trading stolen data, exploits, and malware.

    • Complete with reputational systems, escrow payments, and dispute resolution, mirroring legitimate marketplaces.

These operational frameworks enable rapid expansion, high revenue generation, and sustained criminal innovation, further demonstrating the economy-like nature of cybercrime.


2. The Ransom Economy: Fuelling Cybercrime Syndicates

Ransomware attacks represent the most direct mechanism for transferring value from legitimate companies to criminal syndicates, creating a self-perpetuating funding cycle.

2.1 Ransom Payment Trends

  • Average ransomware incident cost: ~$1.85 million

  • Typical ransom payments: ~$1 million in 2025

  • Exceptional cases: Some payments exceeding $75 million

  • Market resilience: Even when total payments decline (e.g., $813 million in 2024), attacks continue to increase.

These payments provide the financial backbone for cybercriminal operations, funding new malware development, recruitment of affiliates, and expansion into new markets.

2.2 Structural Problems Caused by Ransom Payments

Ransom payments:

  1. Provide working capital for ongoing operations.

  2. Fund research and development of new malware and attack methods.

  3. Enable recruitment and scaling of criminal enterprises.

  4. Create a feedback loop of profitability, reinforcing attack frequency and sophistication.

Without disruption, ransomware syndicates maintain a sustainable, lucrative model that undermines law enforcement and cybersecurity initiatives.


3. UK and European Context

3.1 United Kingdom

  • Cybercrime incidents: 8.58 million annually affecting businesses.

  • Annual economic impact: £14.7bn – £27bn.

  • Over 50% of UK firms report cyberattacks.

  • Underreporting remains significant, particularly among large corporations, due to reputational concerns and fear of regulatory penalties.

3.2 Europe

  • Germany: €300bn annual losses from cybercrime.

  • Increasing intersection between state-sponsored attacks and criminal cyber operations.

  • Critical infrastructure and supply chains are increasingly vulnerable, creating systemic risks across EU economies.


4. The Transparency Gap

4.1 Defining the Transparency Gap

The transparency gap refers to the lack of publicly available, accurate information regarding cybercrime, particularly ransom payments. This gap undermines policy-making, law enforcement, and strategic cybersecurity planning.

4.2 Current Issues

  • Payments are often hidden in company accounts as “incident response” or other operational costs.

  • Companies fear reputational damage, regulatory scrutiny, or shareholder backlash.

  • Absence of reporting leads to opaque criminal financing structures, allowing cybercriminals to operate with minimal financial risk.

4.3 Consequences of the Gap

  • Governments lack actionable intelligence on criminal revenue flows.

  • Law enforcement agencies cannot effectively disrupt funding of ransomware syndicates.

  • Criminals gain advantage from predictable victim behaviour and minimal financial accountability.


5. Policy Proposal: Mandatory Ransom Payment Disclosure

5.1 Core Recommendation

All companies with annual revenue exceeding £3 million should be legally required to disclose any ransom payments made to cybercriminals.

5.2 Key Policy Features

  1. Scope

    • Applies to UK-registered companies above £3m turnover.

    • Covers all forms of ransom payments, including cryptocurrencies and intermediary channels.

  2. Reporting Requirements

    • Mandatory disclosure within 72 hours of payment.

    • Reports submitted to the National Cyber Security Centre (NCSC) and National Crime Agency (NCA).

  3. Data Points

    • Amount paid, payment method, known threat actor, attack vector, and recovery time.

  4. Confidentiality Safeguards

    • Sensitive data protected; aggregated statistics used for intelligence and policy.

  5. Penalties

    • Financial fines for non-disclosure.

    • Director liability for deliberate concealment.


6. Expected Impact

6.1 Disrupting Criminal Business Models

Mandatory disclosure reduces:

  • Anonymity of financial flows.

  • Ease of laundering ransom payments.

  • Predictability of victims, weakening ransomware economics.

6.2 Improved Intelligence

  • Enables mapping of cybercrime revenue streams.

  • Identifies repeat offender networks.

  • Supports cross-border law enforcement collaboration.

6.3 Organisational Behavioural Shift

  • Encourages proactive cybersecurity investment.

  • Discourages paying ransoms due to disclosure stigma.

  • Improves incident response planning and resilience.


7. Real-World Scenarios

7.1 UK Manufacturing SME

  • £10m turnover firm attacked; £750,000 demanded, £400,000 paid in Bitcoin.

  • Without disclosure: Criminals continue targeting similar SMEs.

  • With disclosure: Payment traced, intelligence shared across EU, attack patterns identified.

7.2 European Logistics Company

  • Mid-sized German firm hit with €2m ransom demand; 1 in 7 firms report paying.

  • Policy impact: Europol coordination, identification of shared threat actor, and disruption of criminal network.

7.3 UK Healthcare Supply Chain

  • NHS supplier attacked; disruption causes cancelled procedures.

  • Risk: Encourages repeated attacks on critical healthcare supply chains.

  • With disclosure: Sector-wide alerts issued, preventive measures deployed.


8. Risks and Counterarguments

  1. Disclosure may discourage reporting

    • Mitigated with safe harbour provisions and confidentiality protections.

  2. Companies may still hide payments

    • Mitigated by linking disclosure to audits and cyber insurance claims.

  3. Operational risk increase

    • Mitigated by government support frameworks and funding for incident response.

9. Complementary Measures

  • Ban on ransom payments for public sector entities.

  • Mandatory cyber incident reporting frameworks.

  • Enhanced cryptocurrency tracking and regulation.

  • EU-wide harmonised cybercrime reporting standards.

 

10. Conclusion

Cybercrime is no longer merely a technical challenge; it is a macro-economic threat. Its financial flows rival those of legitimate industries, and its operations mirror corporate structures in efficiency and reach. Mandatory ransom payment disclosure represents a high-impact intervention, disrupting criminal funding, improving intelligence, and incentivizing proactive cybersecurity investment. Without such measures, cybercrime will continue expanding as a shadow economy, undermining economic stability across the UK and Europe.
