
UK Ransomware Trends: 2023 Mid-year Update

JUMPSEC threat intelligence analysts track global ransomware activity using a mixture of manual investigation and automated bots to scrape the public-facing domains of ransomware groups. This raw data is then enriched as we investigate the geographic location, industry sector, size, and financial profile of each targeted organisation.

Find out more about our research methodology, its limitations, and its strengths here.

Introduction

Until late last year, it was hard to dispute the prevailing narrative that ransomware would continue to represent a business-critical security risk for almost all organisations, given its exponential growth in previous years.

However, as the growth of ransomware slowed in 2022 (evidenced in JUMPSEC’s Lessons for 2023 and across several complementary metrics), some began to theorise that victims were finally refusing to pay ransoms. Others credited greater investment in security, suggested that threat actors were redirecting their efforts to the Russia-Ukraine conflict, or claimed that bilateral law enforcement efforts were responsible for the diminished attack rates.

Now, midway through 2023, with both UK and global attack figures rising significantly, analysts may have to revisit those presumptions. Attacker-reported ransomware attacks in the UK rose by 87% in the first half of 2023 compared with the second half of 2022, while global rates rose by 37% over the same period. Moreover, there is evidence that the cryptocurrency revenues of known threat actors have tracked the recent rise in total attack rates.

Total UK ransomware attacks from 2020 to August 2023. Taking a long-term view, attack rates are almost certainly on course to surpass 2022, and 2021 (which was the most prolific year for ransomware to date).

To put that in context, JUMPSEC recorded a total of 470 attacks globally in July 2023 alone – 30% more than the previous all-time high in November 2021, which was driven by Log4j, one of the most widely exploited vulnerabilities in recent memory.

Precisely why ransomware has returned so strongly is up for debate, but the most likely explanations are explored below.

Why have attacks swelled in 2023?

In early 2023, we witnessed the widely publicised Royal Mail and Ion breaches (Ion being a major provider of financial trading software widely used in the City of London), which highlighted the continued dominance of Lockbit, the UK’s most prevalent ransomware.

Lockbit dominated the ransomware space in 2022. However, several previously less prolific groups have now established a significant presence, particularly Cl0p and BlackCat (ALPHV). JUMPSEC has also tracked ~20% more ransomware groups in 2023 than in 2022, meaning there are simply more active groups adding to the total attack figures.

Total activity in the UK July 2022 to July 2023 overlaid with a timeline of major cyber security events.

In January we also witnessed the successful takedown of Hive ransomware in a novel operation by bilateral law enforcement, as several US and European crime agencies collaborated to infiltrate Hive’s infrastructure, distributing decryption keys to victims and thwarting a reported $130 million in ransom payments.

While a positive sign, Hive’s takedown unfortunately had little impact on overall attack rates, despite the concerted effort of several national crime agencies over a six-month period, demonstrating the scale of the challenge in tackling ransomware head-on. What’s more, there is a high probability that the threat actors behind Hive have simply redeployed elsewhere, using a different ransomware strain or operating under a new name.

UK attack rates rose steadily in March and April along with global totals, before perhaps the defining mass vulnerability exploitation event of 2023 in late May – the MOVEit breach.

The mass exploitation of software vulnerabilities is perhaps the most clear-cut contributing factor to the rise of ransomware attacks in 2023. Several vulnerabilities in widely used platforms have contributed to rising attack figures (Rackspace, Zimbra and, most notably, MOVEit).

CL0P may challenge Lockbit as the most prevalent variant globally in 2023. As illustrated, CL0P’s attack figures spiked following the MOVEit Transfer zero-day (CVE-2023-34362). The group’s reported incidents have continued to rise since, and not only as a direct result of the MOVEit breach.

In a broader strategy shift, many attackers, CL0P among them, are now choosing to skip the classic step of network encryption, relying on data exfiltration alone as the primary means of extorting victims.

This transition from ransomware deployment to pure ‘cyber extortion’ reduces the time and effort needed for end-to-end attack execution. More importantly, it means that targeted organisations must hold data valuable enough to ransom, which has likely contributed to another 2023 trend: the increased targeting of the financial services, professional services and IT sectors.

Sector-by-sector analysis

JUMPSEC has observed a significant rise in attacks against IT, professional services, engineering and financial services organisations, which have already surpassed last year’s total attack figures. On the other hand, law appears to be one of the few UK sectors where attacks have not risen significantly in 2023.

Several UK sectors have already surpassed last year’s total attack figures as of August 2023.

Sector-by-sector UK

Sector-by-sector analysis always provides ample speculation on attackers’ strategies and whether or not particular industries are more or less vulnerable to ransomware. One may suggest that an aversion to business disruption and use of legacy infrastructure in manufacturing and engineering organisations increases their susceptibility to attack, or that the disproportionately sensitive information held by legal firms and insurance brokers makes them more primed for extortion.

Generally, while these assumptions contain a degree of truth, we can rarely say with certainty why certain industries have been targeted more or less frequently. However, as the MOVEit breach directly impacted many interconnected organisations within the related financial services, IT and professional services industries, it is safe to say the scale of that breach has played a significant role in the elevated attack rates observed in these industries in 2023.

CL0P victims of the MOVEit breach broken down by industry sector. Large organisations with a major UK presence, such as Aon, Deloitte and PwC, were all targeted in the attack and typify the types of organisation now being affected by ransomware more frequently in 2023.

Big Game Hunting is still very much a priority for the most successful groups, irrespective of industry. Last year, Karakurt was the most prevalent ransomware group targeting UK organisations with cash-in-bank assets of over £10 million. In 2023, however, Karakurt’s influence has diminished as BlackCat (ALPHV) and CL0P have taken the mantle as the groups most frequently attacking large UK organisations.

Vice Society has disproportionately targeted UK education organisations in recent years. However, setting aside a spate of attacks on UK schools in January, a more diverse range of ransomware variants beyond Vice Society has impacted UK education in 2023, particularly Rhysida ransomware, a variant that emerged in May 2023 and has claimed a disproportionate number of attacks on education institutions globally.

A breakdown of the most active ransomware variants affecting UK organisations in 2023 so far.

Most prevalent in the UK

Interestingly, after the US, the UK is the most targeted country globally. The graphic below compares the UK with its European neighbours of similar population and economic size: the UK accounts for 20% of all attacker-reported ransomware attacks against European nations.

Charts: European percentages and global percentages.

One may wonder why the UK appears to be disproportionately affected. The impact of geopolitical developments on ransomware is incredibly difficult, if not impossible, to assess accurately. However, hacktivist groups with allegiances to Russia do continue to threaten action against the UK, generally in the form of DDoS attacks, which could in theory increase organisations’ susceptibility to ransomware.

There is evidence to suggest that links between active ransomware groups and Russian authorities likely exist, and ransomware groups such as Conti openly declared support for Russia at the start of the Ukraine war. However, targeted efforts to disproportionately damage UK organisations are nearly impossible to prove, even if both political messaging and military support theoretically make the UK a high-priority target.

An 87% increase. Is it time to panic?

Not exactly. We are currently seeing consistent attack rates slightly above 2021 levels, which in real terms equate to an average of 21 reported ransomware attacks in the UK per month. While this may not sound like an earth-shattering figure, it excludes successful attacks that go unreported, as well as attempted breaches that inflict significant cost and disruption on targeted organisations.

The Hive takedown in 2023 provided a rare insight into the potential scale of unreported ransomware attacks. Although JUMPSEC tracked only 12 UK victims via the group’s data leak site, authorities reported that over 50 UK victims had been affected by Hive. Applying that ratio of roughly one named victim to four unnamed, one could estimate that ~2,050 UK organisations have been impacted by ransomware since 2020 (JUMPSEC has now tracked 9,387 named victims globally).

Perhaps most worryingly, a correlation now appears to be emerging between JUMPSEC’s attacker-reported data and threat actors’ cryptocurrency revenues. At the end of last year, as JUMPSEC reported the diminished growth of ransomware incidents, research from Chainalysis demonstrated an equivalent drop in threat actors’ cryptocurrency profits. Now, as we report a jump in attacks six months later, threat actors have reportedly made ~£138.7 million more in profits over the same period.

Of course, to accurately gauge whether ransomware is truly worsening we need to assess a diverse range of sources beyond dark web leak sites and crypto wallets. That said, while other key industry studies and annual reports for 2023 are still to be published, it appears likely that we will see ransomware rise significantly across these complementary metrics.

Conclusion

It is perhaps no mystery why ransomware continues to grow in popularity. Ransomware-as-a-Service (RaaS) has become an increasingly attractive opportunity for technically unsophisticated individuals to make exorbitant profits without the skills once required to conduct attacks, while those who develop the ransomware itself operate with few tangible repercussions.

What’s more, JUMPSEC has observed increasingly personal extortion tactics that may enable attackers to extract more crypto payments from victims. This trend adds a more malicious dimension to attackers’ extortion strategies and shows the lengths to which threat actors will go to achieve their objectives, even where organisations have increased their resilience to ransomware attacks (via back-ups, improved incident response, or simply being less concerned about reputational damage).

One could interpret this trend toward increased personalisation as a sign that victims have become more resilient and less inclined to pay. However, recent reports of rising cryptocurrency profits by known ransomware threat actors unfortunately suggest that ransomware (or more broadly ‘cyber extortion’) is very much alive and well in 2023 as attack rates continue to rise.

An overview of the primary factors that are most likely to influence ransomware trends over time.

New Vulnerabilities

How effectively organisations patch, and how well particular industries implement compensating controls, is likely to shape ransomware trends over time.

Re-brands/Internal splits

Re-branding to evade unwanted attention, and internal turmoil, disrupts ransomware groups and may limit their ability to execute attacks.

Geo-political events

The Russia-Ukraine war has produced new malware and may limit law enforcement cooperation. The conflict has also caused problems for ransomware groups themselves (e.g. Conti).

Law Enforcement Action

Further regulation of ransom payments and cyber insurance may limit attackers’ profits. International law enforcement cooperation also works to disrupt threat actors.

Our Methodology

Why we started

Analysis of ransomware activity is often focused on the US or provides a more global perspective, which expectedly skews the data and any insights that can be gained for UK-based organisations. This is understandable when considering the spread of ransomware activity globally.

While official statistics do exist (those self-reported through public statements, surveys and questionnaires), they are only part of the overall picture. The missing piece can be established by looking more closely at what ransomware groups themselves are reporting. The lack of visibility and transparency around the real number of ransomware cases enables attackers to continually extort organisations while keeping the true extent of their impact hidden from security defenders and national policymakers alike.

Whether intentional or not, the underreporting of ransomware incidents is an industrywide issue which this report aims to alleviate.

How we did it

JUMPSEC threat intelligence analysts have gathered data using a mixture of manual investigation and automated bots to search, or ‘scrape’, the public-facing domains of ransomware threat actors, together with openly available information about ransomware victims.

For the latest report, JUMPSEC have worked to refine the data supplied by John Fitzpatrick (@lab539) who has been central in tracking, analysing and interpreting ransomware trends since the current wave of activity began.

Where appropriate, we have compared and contrasted this information with officially reported statistics, as well as exploring primary and secondary sources addressing the attacks claimed by ransomware actors (such as public statements made by alleged victims, or news articles reporting on the issue from sources close to the incident).
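As an added illustration of the approach described above (this is example code written for this page, not JUMPSEC’s own tooling), the Python script below takes a handful of constructed leak-site claims that have already been enriched with country and sector, collapses victims re-posted under slightly different names so that one breach counts once, and then computes the half-year-on-half-year change, the sector breakdown and the most active groups that the charts in this report are built from. It also includes the named-to-total scaling used earlier for the Hive undercount estimate. The victim names, posting dates, sector labels and the LEGAL_SUFFIXES list are all assumptions made for the example.

```python
from __future__ import annotations

import re
from collections import Counter
from datetime import date
from typing import Iterable, NamedTuple


class Claim(NamedTuple):
    group: str     # ransomware brand whose leak site carried the claim
    victim: str    # organisation name exactly as posted
    country: str   # ISO 3166-1 alpha-2 code, added during enrichment
    sector: str    # industry sector, added during enrichment
    posted: date   # date the claim first appeared


# Constructed sample records (hypothetical victims, not real leak-site data).
CLAIMS = [
    Claim("lockbit", "Acme Logistics Ltd", "GB", "Engineering", date(2022, 9, 3)),
    Claim("lockbit", "Northwind Traders plc", "GB", "Financial Services", date(2022, 11, 14)),
    Claim("blackcat", "Contoso GmbH", "DE", "Manufacturing", date(2022, 12, 2)),
    # Same organisation re-posted by a second group: must not be counted twice.
    Claim("karakurt", "Northwind Traders PLC.", "GB", "Financial Services", date(2022, 12, 20)),
    Claim("vicesociety", "Fabrikam Academy Trust", "GB", "Education", date(2023, 1, 9)),
    Claim("lockbit", "Wingtip Engineering Limited", "GB", "Engineering", date(2023, 3, 22)),
    Claim("blackcat", "Tailspin Capital Ltd", "GB", "Financial Services", date(2023, 4, 5)),
    Claim("clop", "Globex Professional Services LLP", "GB", "Professional Services", date(2023, 6, 15)),
    Claim("clop", "Initech Solutions Inc", "US", "IT", date(2023, 6, 16)),
]

# Legal-form suffixes that differ between postings of the same organisation (assumed list).
LEGAL_SUFFIXES = {"ltd", "limited", "plc", "llc", "llp", "inc", "gmbh", "corp"}


def normalise_victim(name: str) -> str:
    """Case-fold, drop punctuation and trailing legal suffixes so that
    'Northwind Traders plc' and 'Northwind Traders PLC.' share one key."""
    tokens = re.sub(r"[^a-z0-9]+", " ", name.lower()).split()
    while tokens and tokens[-1] in LEGAL_SUFFIXES:
        tokens.pop()
    return " ".join(tokens)


def dedupe(claims: Iterable[Claim]) -> list[Claim]:
    """Keep the earliest posting per victim; later re-posts by a second
    group are dropped so that one breach counts as one attack."""
    first: dict[str, Claim] = {}
    for claim in sorted(claims, key=lambda c: c.posted):
        first.setdefault(normalise_victim(claim.victim), claim)
    return list(first.values())


def half_year(day: date) -> tuple[int, int]:
    """Map a date to (year, 1) for Jan-Jun or (year, 2) for Jul-Dec."""
    return (day.year, 1 if day.month <= 6 else 2)


def count_by_half_year(claims: Iterable[Claim], country: str | None = None) -> Counter:
    """Attack counts per half-year, optionally restricted to one country."""
    return Counter(half_year(c.posted) for c in claims
                   if country is None or c.country == country)


def pct_change(current: int, previous: int) -> float:
    """Percentage change between two periods (the report's H1 2023 vs H2 2022 figure)."""
    if previous == 0:
        raise ValueError("no baseline period to compare against")
    return round(100.0 * (current - previous) / previous, 1)


def sector_breakdown(claims: Iterable[Claim], country: str, period: tuple[int, int]) -> Counter:
    """Attacks per sector for one country and one half-year."""
    return Counter(c.sector for c in claims
                   if c.country == country and half_year(c.posted) == period)


def top_groups(claims: Iterable[Claim], country: str, n: int = 3) -> list[tuple[str, int]]:
    """Most active ransomware brands against one country."""
    return Counter(c.group for c in claims if c.country == country).most_common(n)


def estimate_total_victims(named: int, sample_named: int, sample_total: int) -> int:
    """Scale a named-victim count by the named-to-total ratio observed when a
    takedown exposes a group's full victim list (12 named of 50+ for Hive)."""
    return round(named * sample_total / sample_named)


def uk_summary() -> dict:
    """Headline figures for the UK, derived the way the report's charts are."""
    unique = dedupe(CLAIMS)
    periods = count_by_half_year(unique, "GB")
    return {
        "raw_claims": len(CLAIMS),
        "unique_victims": len(unique),
        "h2_2022": periods[(2022, 2)],
        "h1_2023": periods[(2023, 1)],
        "change_pct": pct_change(periods[(2023, 1)], periods[(2022, 2)]),
        "sectors_h1_2023": dict(sector_breakdown(unique, "GB", (2023, 1))),
        "top_groups": top_groups(unique, "GB"),
    }


if __name__ == "__main__":
    for key, value in uk_summary().items():
        print(f"{key}: {value}")
```

The deduplication step matters more than it looks: a victim re-posted by a second group after a failed negotiation, or listed by an affiliate under a trading name, inflates the raw claim count, and the suffix-stripping here is the minimum needed to catch the obvious cases. Real tracking also has to handle claims that are later withdrawn and victims that can only be identified from a partial file listing, neither of which this example attempts.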

Why we took this approach

There is a clear incentive for organisations who are the victim of data theft and extortion to downplay the severity of a breach, as we explored in a recent article. Organisations have been known to claim the data stolen is outdated, particularly where data theft alone has occurred (without ransomware deployment) – making the attack significantly less visible, and therefore easier to brush under the carpet.

While this approach goes some way to bridging the gap between official and unreported statistics, gaps still remain. The primary limitation is that the available data is based only on what ransomware groups themselves report. There is therefore a blind spot where victims settle with the attacker before the incident reaches the public eye, so that the breach is never reported, whether through official channels or otherwise.

While we do consider additional data points in our analysis, such as the crypto payments made to the wallets of ransomware actors (e.g. Chainalysis), we acknowledge that there are simply too many wallets, too many operators and too many currencies to build a complete picture in this manner. Nonetheless, this method of analysis presents a useful ballpark estimate.

Further, ransomware attacks are not necessarily perpetrated by a single organisation. Initial Access Brokers (IABs) provide a specialised service, gaining access to an organisation’s network and selling this access to the highest bidding ransomware group. Therefore, while particular ransomware groups may appear to prefer to target particular sectors or company sizes, or to have more success in a certain area, IABs may be equally as influential in dictating the trend of which organisations are targeted.

Despite these limitations, we believe a great deal of insight can be gathered from the data (lest perfect be the enemy of progress). We are continually looking for ways to improve the reach and accuracy of our data set by drawing on different information sources, and our analysis will evolve over time as a result.
