Trends report reveals ransomware increase across the UK

JUMPSEC reflects on ransomware trends from 2022 and what we can expect in 2023.


The latest annual ransomware trends report from cyber security solutions provider JUMPSEC suggests that while attacker-reported ransomware rates experienced diminished growth globally in 2022, attacker-reported incidents in the UK increased by a further 17%, from more than 32 known cybercrime groups. Each year, JUMPSEC threat intelligence analysts compile a report tracking UK ransomware activity. JUMPSEC focuses on attacks reported by ransomware groups themselves and analyses the data to enable a more effective response to developing patterns.

JUMPSEC’s analyses found that from a UK perspective at least, statements about the perceived diminished global threat of ransomware should be met with caution.

In comparison to 2021, JUMPSEC has seen broadly similar figures for most UK sectors, with the notable exception of construction, which was targeted far less in 2022 despite being the most targeted sector of 2021.

And initial data for 2023 already shows an uptick in UK ransomware activity.

Following the disintegration of Conti (formerly the most prolific ransomware group) in 2022, some pundits predicted a more diverse threat landscape would emerge. However, the equally prolific LockBit ransomware group dominated globally in 2022, accounting for more than 52% of reported attacks. The group, first noted in 2019, has also been the most active threat actor against UK organisations since September 2022. Notable recent attacks on UK organisations include Royal Mail, Ion Trading (the City of London), and Pendragon.

Among more typically ‘cash rich’ UK organisations, ransomware demands from Karakurt, a cybercrime group believed to have first emerged in 2021, are the primary threat. Karakurt is thought to be an offshoot or rebrand of Conti, and to date has predominantly attacked large UK organisations with ‘cash in the bank’ assets exceeding £20 million.

Another group, the Russia-based Vice Society, continues to disproportionately affect education in the UK, accounting for 71% of attacks reported against the sector (while globally only responsible for 26% of reports against education). Vice Society is known for targeting less high-profile and less cyber-mature victims, ‘flying under the radar’ to avoid unwanted attention.

In terms of industry-specific targeting, construction was targeted far less in 2022, despite being the most targeted sector of 2021, likely because attackers found the sector less profitable and perhaps more difficult to extort due to its reduced reliance on digital infrastructure.

What’s ahead

Looking ahead, JUMPSEC’s initial attacker-reported data for 2023 shows signs of an uptick in reported attacks against UK organisations. Of course, these figures naturally fluctuate over the year.

JUMPSEC sees several developments which will influence ransomware trends.

Firstly, the cyber security experts suggest that emerging widespread vulnerabilities will continue to catalyse periods of increased activity.

JUMPSEC’s CTO, John Fitzpatrick, says: “There are early indicators that vulnerabilities affecting VMware ESXi servers are being actively exploited by dedicated ransomware groups seeking to leverage a low-complexity exploit against a prevalent technology, which may be one to watch.”

Furthermore, 2023 is already seeing tighter insurance terms, which may restrict threat actors’ ability to extort organisations, as insurers move to limit their exposure and offer less financial support to victims for ransom payments. There is evidence that attackers may already be feeling the effects in 2023, as HardBit ransomware threat actors have begun to explicitly request insurance details from victims so the ransom demand can be adjusted to fall within the victim organisation’s policy.

More ransomware payment regulations and restrictions look set to be enforced in 2023, as the HM Treasury Office of Financial Sanctions Implementation suggests that making a ransomware payment may breach financial sanctions, and so must be reported. The EU, US and Australia have also introduced additional measures to penalise ransomware payments.

Meanwhile, grey-zone military tactics have become a feature of international relations irrespective of individual conflicts, making cyber attacks an attractive means to cause immense disruption without crossing the threshold of overt war. A recent report by Google’s Threat Analysis Group (TAG) suggests increased interconnectivity between ransomware actors and the Russian state, with “tactics closely associated with financially motivated threat actors being deployed in campaigns with targets typically associated with government-backed attackers”.

JUMPSEC’s researcher, Sean Moran, concludes: “Threat actors may operate using multiple ransomware strains, and groups can disappear, re-brand and re-emerge often without consequence – making it unwise to put too much weight on the changing fortunes of any individual group. However, we hope that understanding the tactics, techniques, and procedures (TTPs) of ransomware groups and their desire to target particular sectors or sizes of business can help organisations identify potential vulnerabilities and develop effective strategies to mitigate risk.”

JUMPSEC threat intelligence analysts track global ransomware activity using a mixture of manual investigation and automated bots to search or ‘scrape’ the public-facing domains of ransomware threat actors. The raw data is then enriched by investigating the geographic location, industry sector, size, and financial profile of each targeted organisation. JUMPSEC has created a Ransomware Hub page, which now hosts all of its ransomware updates.

