
UK Ransomware Trends: 2024 Mid-year Update

JUMPSEC’s Ransomware Trends 2024 contextualises global ransomware trends for UK-centric organisations, tracking the latest threat actor activity via data leak sites and interpreting relevant threat intelligence and reporting up to July 2024. Raw data is enriched as we investigate the geographic location, industry sector, and size of each targeted organisation.

Find out more about our research methodology, its limitations, and its strengths here.

TL;DR

The JUMPSEC mid-year UK ransomware report explores the following insights and trends:

  • Midway through 2024, attacker-reported ransomware incidents have fallen by 15.2% in the UK compared to the latter half of 2023. Global rates have also dropped by 8% over the same period.
  • The diminished stature of BlackCat and Lockbit may seem an obvious explanation, but Lockbit only saw a slight decrease from 20% to 17% of global reported attacks in H1 2024. This number is likely inflated due to increased ‘re-extortion’ attempts, reflecting a broader trend.
  • Several highly impactful groups barely feature as a ‘top threat’ to UK organisations. Dark Angels (highest single-attack profit), Medusa (the most active against large UK organisations), and Qilin (a major NHS disruptor) each account for less than ~2% of visible UK attacks.
  • Manufacturing has consistently been the most highly targeted sector in the UK and globally. Small UK-based manufacturing companies (50-200 employees) are disproportionately targeted—approximately 10% more than the general distribution.
  • The UK financial sector is the second most targeted in 2024. As attackers increasingly skip encryption in favour of sensitive data exfiltration to extort financial sector victims, a deeper understanding of advanced techniques (e.g., DNS tunnelling) and mitigations becomes increasingly valuable.
  • The rising targeting of the UK healthcare sector over the past three quarters is most concerning in terms of direct human impact. Previously less targeted than the US, the UK healthcare sector accounted for ~9% of attacks in Q2.
  • The takedowns of Lockbit, BlackCat, Hive, and Dispossessor demonstrate that international authorities have the financial backing and strategy to take on ransomware groups. Ideally, recent collaboration between the UK insurance industry and the NCSC will leverage the dynamic between insurance companies and threat actors’ crypto wallets in a manner that compounds successful law enforcement operations.

Our analysis draws on a global data set of over 14,670 victims from 2020 to June 2024, complemented by additional industry analysis and reporting.

Introduction

As 2023 came to a close, ransomware seemed poised to capture an even larger share of the cybercriminal economy.

Attacker-reported incidents reached record highs both globally and in the UK. The number of zero-day vulnerabilities, a reliable indicator of ransomware extortion spikes, more than doubled to an annual total of 97, according to Google’s Threat Analysis Group (TAG) [1].

It is surprising, then, that by mid-2024, attacker-reported ransomware incidents have fallen by 15.2% in the UK compared to the latter half of 2023. Global rates have also dropped by 8% over the same period. This decrease occurs despite indications that ransomware groups are increasingly inflating attack numbers to create the illusion of prolific activity.

Total UK ransomware attacks from 2020 to July 2024. Ransomware may appear to have briefly cooled its expansion, but on closer inspection we see threats within specific sectors, organisations sizes and countries are not declining.

More noise doesn’t necessarily mean more impact.

One might point to the obviously diminished stature of BlackCat and Lockbit to explain the drop in extortion rates, as these formerly prolific groups were taken down in early 2024. Despite substantial reputation damage, the arrest of affiliates, and a doxxed leader, Lockbit only dropped from 20% to 17% of global reported attacks from H2 2023 to H1 2024.

Yet the ostensibly less prolific Dark Angels (aka ‘Dunghill Leaks’) recorded the largest known ransomware payment of $75 million this year [5,6]. The data indicates the group accounts for only 0.2% of visible global extortion attempts. To put that in context, in February the FBI reported that Lockbit received an estimated $120 million in total ransom payments, while the second most prevalent group, BlackBasta, is thought to have profited $150 million over the course of 2023 [7,8], only double the sum Dark Angels extorted in a single attack. More noise doesn’t necessarily mean more impact.

An apparently more diverse playing field. With 35% more active ransomware extortion names in 2024, we mustn’t be blinded by names or notoriety.

Individual cybercriminals continually move between different ransomware variants, and notwithstanding some notable exceptions (e.g., limited Lockbit arrests), when a ransomware group ‘disappears,’ the individuals responsible are largely free to redeploy their skills elsewhere.

Several highly impactful groups barely feature as a ‘top threat’ to UK organisations. The aforementioned Dark Angels, Medusa ransomware (the most active against large UK organisations), and Qilin, which caused major NHS disruption in June, each conducted less than 5% of UK attacks.

UK Industry Breakdown

Sector-by-sector analysis invites ample speculation about attackers’ strategies.

One might assume that an aversion to business disruption and the use of legacy infrastructure in manufacturing increases susceptibility to attack, or that the disproportionately sensitive information held by legal firms primes them for extortion. These assumptions often contain some degree of truth, but we can rarely say with certainty why certain industries have been targeted more or less frequently.

The manufacturing sector has been the most highly targeted sector in 2024 both in the UK and globally, followed by finance, and for the first time healthcare.

Ransomware incidents reported by attackers naturally exclude instances where victims have paid off their attackers. Therefore, while we may reflexively judge highly targeted sectors, it is worth remembering that an unwillingness to bend to an attacker’s pressure can indicate resilience in some scenarios.

On the other hand, well-funded organisations may simply have the means to avoid being ‘named and shamed’ (e.g., the $75 million big pharma payment to Dark Angels that went unnoticed for months). Nonetheless, data leak sites still provide a rough guide to the profile of victim organisations we have seen most frequently targeted thus far in 2024.

Manufacturing Sector

With a steady increase in manufacturing attacks globally in late 2023, there has been much discussion about the potential for increased targeting of exposed Operational Technology (OT) and Internet of Things (IoT) devices within this highly targeted sector.

Organisations’ growing reliance on OT and IoT, combined with attackers’ evolving understanding of how to exploit these technologies, has led to speculation about increased targeting of these systems as part of ransomware attacks. OT refers to the hardware and software that control or monitor industrial equipment, such as Programmable Logic Controllers (PLCs) and Supervisory Control and Data Acquisition (SCADA) systems. IoT encompasses the network of connected devices and the technologies that enable communication between devices and the cloud.

While OT or IoT disruption can provide invaluable leverage during ransom negotiations, there is little evidence to suggest that ransomware groups are widely targeting OT and IoT specifically within ransomware attacks. Most incidents still primarily involve IT systems.

In the past decade, only 25% of industrial sector attacks have actually impacted the OT network directly [9]. For example, the Colonial Pipeline ransomware attack caused widespread fuel shortages for nearly six days across half of the US East Coast, yet the attackers did not directly attack the OT environment, as many assumed. It’s akin to the brain and body connection—if you switch off the IT infrastructure (the brain) that directs the OT systems (the body), then it’s lights out.

In that sense, the approach ransomware actors take to target a manufacturing organisation may not necessarily be unique, but the vital need to avoid downtime, coupled with the opportunity for immense disruption, makes a ransom payment more likely.

Smaller UK Manufacturing firms have been disproportionately targeted. A smaller manufacturing firm may not be as likely to face advanced OT-specific TTPs commonly attributed to state sponsored threats, but adequately protecting the availability and integrity of OT is still essential.

With the UK manufacturing sector consistently facing high levels of cyberattacks, particularly affecting smaller organisations, it is essential to implement tailored risk reduction strategies. The appropriate measures will vary depending on an organisation’s cyber maturity and security investment capacity.

Beyond basic best practices like regular OS updates, multi-factor authentication (MFA), and user phishing awareness, manufacturing organisations should consider the following strategies to limit their exposure to ransomware extortion:

  • Foundational controls for less mature organisations – Following the SANS Institute’s five critical controls for industrial cyber security can provide a solid foundation [10]. These controls help in establishing a baseline of security that protects against both common and advanced threats.
  • Attacker-specific threat intelligence – Security teams should stay updated on the latest threat intelligence specific to the manufacturing sector. For instance, Black Basta (the UK’s second most prevalent in ransomware extortion) have used unique tactics against the industrial sector [11]. Realistic attack simulations that emulate such tactics, techniques, and procedures (TTPs) to identify where corresponding defensive controls are required can further enhance resilience.
  • OT and IoT Monitoring & Network Segmentation – Proper segmentation and continuous monitoring of OT and IoT networks are crucial. Organisations with exposed OT and IoT devices are more vulnerable to attacks and, in the event that attackers breach the IT network, adequate segmentation and backups can prevent further compromise.

Financial Sector

Given the UK and London’s prominence, it’s unsurprising that the UK financial sector is highly targeted by ransomware extortion.

FinTech organisations are increasingly opting to go cloud-native and, as established firms increasingly adopt decentralised technology, it is imperative to consider how their most sensitive information is stored, managed, and accessed.

After several high-impact attacks that leveraged widely used software platforms as attack vectors, supply chain attacks remain a top concern for financial services organisations in 2024. As a result, organisations are expanding their definition of the ‘attack surface’ to include third-party software platforms, particularly those used to store or transfer highly sensitive documents that are invaluable during ransom negotiations.

When news of another high-risk vulnerability in the Progress MOVEit Managed File Transfer platform surfaced on 11 June, the financial sector’s collective anxiety understandably spiked, given the platform’s disproportionate impact during last year’s major attack. While it remains unclear whether the critical improper authentication vulnerability (CVSS: 9.1) was a zero-day exploited by attackers or an issue promptly addressed by MOVEit, our data suggests that this year’s exploitation was not as widespread as last year’s incident.

Left: To clarify, the June 2023 spike in activity directly related to the MOVEit breach, with a significant proportion of attacks claimed by Cl0p, who first utilised the original zero-day. Right: The June 2024 attack was not comparable in terms of visible impact.

Data exfiltration

Data exfiltration is a complex way of saying ‘stealing documents.’ While complex, hard-to-detect methods—such as DNS tunnelling—can be used, exfiltration can also be quite simple. For instance, once an attacker has compromised a legitimate user account, especially one with high-level access, they can use standard communication tools like email, cloud storage, or even file-sharing services to transfer sensitive information outside the organisation if the correct controls are absent.

In 2024, only 49% of ransomware attacks on financial services organisations actually resulted in data encryption, a substantial drop from the 81% encryption rate reported in 2023 [12]. The financial sector is more likely to have sensitive data targeted and used for extortion, making it imperative for organisations to carefully consider how their most sensitive information is stored, managed, and accessed.

Naturally, the more mature an organisation’s current defenses, the greater sophistication required for attackers to steal valuable information. It’s often a case of risk and reward from an attacker’s perspective. As it is lucrative to compromise financial institutions—and increasingly, their supply chain partners who can be used as a ‘jumpbox’ pivot into financial organisation targets—more sophisticated defences are needed.

Unlike in 2023, when the fallout from the MOVEit software supply chain vulnerability caused larger UK financial and business services organisations to be targeted (e.g. PWC, Deloitte, Aon), smaller UK financial organisations—often accounting firms—have been more frequently affected in 2024.

Risk reduction strategies

For addressing vulnerabilities like the recent MOVEit issue, organisations should implement recommended mitigations – in that case blocking inbound RDP access to MOVEit servers and limiting outbound access. However, it’s equally critical to adapt incident response strategies to anticipate and prepare for similar events in the future:

  • Data Exfiltration Mitigation – Organisations should focus on defending against both sophisticated and seemingly simple data exfiltration methods. Implementing strict access controls, regularly monitoring user activity, and deploying robust data loss prevention (DLP) measures are essential steps in safeguarding sensitive information. JUMPSEC’s detailed report on DNS Tunneling should also aid organisations to gain a deeper understanding of more complex techniques [13].
  • Managing sprawling cloud estates – With financial firms expanding their cloud reliance, and some FinTech companies now opting to go cloud-native, organisations must broaden their understanding of their ‘attack surface’ to include third-party software platforms, especially those used for storing or transferring sensitive documents. Implementing additional controls around high-risk platforms is crucial for protecting against potential threats.
  • Supply Chain Security – With financial sector-specific regulations such as the Digital Operational Resilience Act (DORA) set to take effect in January 2025, more stringent continuous monitoring and reporting with key software suppliers will be vital for effective incident response.
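The exfiltration paths described under ‘Data exfiltration’ above, and the user-activity monitoring and DLP measures in the first bullet, can be turned into concrete detection logic. The following is an added example written for this article, not JUMPSEC’s code or tooling. It runs two heuristics over small, constructed log samples: a DNS-tunnelling check (many distinct, long, high-entropy leftmost labels queried under one parent domain by the same host and user) and a ‘simple exfiltration’ check (bulk POST/PUT traffic to a destination that is not on an approved list, with privileged accounts highlighted). The log formats, hostnames, usernames, approved-destination list, thresholds, and the two-label ‘registered domain’ shortcut are all assumptions.

```python
"""Heuristic exfiltration detection over constructed log lines (added example).

Two checks run over small, constructed samples:
  1. DNS-tunnelling-like behaviour: many distinct, long, high-entropy leftmost
     labels queried under one parent domain by the same host/user.
  2. 'Simple' exfiltration: bulk POST/PUT traffic from a user to a destination
     that is not on an approved list, with privileged accounts highlighted.
All log formats, hostnames, users, domains and thresholds below are assumptions.
"""
import math
from collections import Counter, defaultdict

# Constructed DNS query log: (source_host, user, queried_name).
DNS_LOG = [
    ("ws-01", "jdoe", "www.example.test"),
    ("ws-01", "jdoe", "update.example.test"),
    ("ws-01", "jdoe", "mail.example.test"),
    ("ws-01", "jdoe", "cdn.example.test"),
] + [
    # Eight distinct encoded-looking labels under one parent domain.
    ("ws-07", "svc-backup", f"{label}.x.tunnel-example.test")
    for label in (
        "mfrgg43fmnzxizlsonuw45di", "krugkidrovuwg2zamjzg653o",
        "nbswy3dpfqqho33snrscc4tl", "ge3dcmjqgu4tcmzwgyztanjv",
        "onswg43tnfvhazlfmfzgk5bn", "pfxgs5dbmnugkzlbnruw42lo",
        "ivxg2zlsmfqwgzlomvxg6ylz", "obqxg43qn5zhiidunbsswzlv",
    )
]

# Constructed web proxy log: (user, method, destination_host, bytes_out).
PROXY_LOG = [
    ("jdoe", "GET", "www.example.test", 1_200),
    ("jdoe", "POST", "crm.example.test", 45_000),
    ("jdoe", "POST", "mail.example.test", 900_000),
    ("admin-jsmith", "PUT", "share.filehost-example.test", 40_000_000),
    ("admin-jsmith", "PUT", "share.filehost-example.test", 38_000_000),
]

PRIVILEGED_USERS = {"admin-jsmith"}                                 # assumed
APPROVED_UPLOAD_HOSTS = {"crm.example.test", "mail.example.test"}   # assumed


def shannon_entropy(text: str) -> float:
    """Bits per character; encoded payloads score far higher than hostnames."""
    if not text:
        return 0.0
    n = len(text)
    return -sum((k / n) * math.log2(k / n) for k in Counter(text).values())


def is_tunnel_like_label(label: str, min_len: int = 16, min_entropy: float = 3.0) -> bool:
    """Long and high-entropy is the cheap signature of data packed into a label."""
    return len(label) >= min_len and shannon_entropy(label) >= min_entropy


def registered_domain(qname: str) -> str:
    """Last two labels. Assumption for the sample; production code should use
    the Public Suffix List so that e.g. 'example.co.uk' is handled correctly."""
    return ".".join(qname.lower().rstrip(".").split(".")[-2:])


def flag_dns_tunnelling(dns_log, min_distinct: int = 5) -> dict:
    """Return {(host, user, parent_domain): distinct_suspicious_labels} for
    sources that queried at least `min_distinct` tunnel-like labels under one
    parent domain. Counting distinct labels avoids flagging a single odd name."""
    seen = defaultdict(set)
    for host, user, qname in dns_log:
        labels = qname.lower().rstrip(".").split(".")
        if len(labels) >= 3 and is_tunnel_like_label(labels[0]):
            seen[(host, user, registered_domain(qname))].add(labels[0])
    return {key: len(v) for key, v in seen.items() if len(v) >= min_distinct}


def flag_bulk_uploads(proxy_log, privileged, approved, threshold_bytes: int = 50_000_000) -> dict:
    """Sum POST/PUT bytes per (user, destination) outside the approved list and
    report pairs over the threshold; privileged accounts are marked so the
    triage queue can prioritise them."""
    totals = defaultdict(int)
    for user, method, dest, bytes_out in proxy_log:
        if method in ("POST", "PUT") and dest not in approved:
            totals[(user, dest)] += bytes_out
    return {
        (user, dest): {"bytes_out": total, "privileged": user in privileged}
        for (user, dest), total in totals.items()
        if total >= threshold_bytes
    }


if __name__ == "__main__":
    for key, n in flag_dns_tunnelling(DNS_LOG).items():
        print(f"DNS tunnelling suspected: {key} ({n} distinct encoded labels)")
    for key, info in flag_bulk_uploads(PROXY_LOG, PRIVILEGED_USERS, APPROVED_UPLOAD_HOSTS).items():
        print(f"Bulk upload outside approved hosts: {key} {info}")
```

On the constructed sample, the host ws-07 is flagged for eight distinct encoded labels under tunnel-example.test, and the privileged account is flagged for 78 MB uploaded to an unapproved file-sharing host, while the ordinary user’s uploads to approved business systems are not. In practice the thresholds need tuning against a baseline of normal traffic, and the DNS check should be paired with query-volume and parent-domain reputation so that legitimate CDNs and telemetry services, which also use long labels, do not generate noise.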

At a more strategic level, prescribed testing such as Red or Purple Teaming as part of the new DORA regulations should further uplift the financial sector’s existing focus on ‘threat led’ testing under well-established frameworks such as CBEST.

Healthcare & Public Sector

Undoubtedly the most concerning sector in terms of direct human impact, UK public services—particularly healthcare—have been more frequently targeted in 2024.

In many ways, the high-priority risks for public services are no different to the financial sector outlined above, with each primarily concerned by supply chain attacks and sensitive data compromise. However, public services face unique pressures, from securely managing outdated (and thus higher-risk) legacy technologies, to coping with increasingly tight budgets, and the more tangible impact of a compromise on vulnerable citizens.

Several high-impact attacks have occurred in 2024, most notably the Synnovis supply chain attack, which subsequently affected NHS King’s College and Guy’s and St Thomas’ hospitals, as well as the NHS Dumfries and Galloway data breach. The former attack on NHS medical diagnostics partner Synnovis delayed more than 800 operations and 700 outpatient appointments [14], while the latter exposed children’s mental health records and potentially thousands of other patients’ health records [15, 16].

UK healthcare attacks have grown for the past three quarters. The highly privatised US healthcare sector has traditionally been disproportionately targeted by financially motivated threat actors, unlike the more nationalised healthcare systems in the UK and, to an even greater extent, in Europe.

One might direct their anger towards the likely Russian-based attackers Incransom—who also attacked Leicester City Council—and Qilin, who dubiously claimed to have been politically motivated. The group asserted that any harm to NHS patients was an unfortunate by-product [16], yet JUMPSEC observed them attempting to extort a US-based nursing home and an addiction treatment facility two weeks later.

While anger toward the attackers is justified, it is clear that further funding is needed to uplift increasingly deteriorating public security processes and technologies.

That said, when the most damaging public services cyber attack of 2024 came via the compromise of an advanced medical diagnostics partner worth ~£420 million [17], rather than the NHS itself, more scrutiny will now fall on critical healthcare and public services suppliers.

Risk reduction strategies

As public services and healthcare must often account for challenging budget constraints, collaboration on common technologies and security challenges between public sector organisations (which is generally uncommon in the private sector) can provide a strong foundation. For example, healthcare trusts or local councils can collaborate effectively.

Ideally, organisations can benefit from real-time intelligence sharing during ongoing ransomware attacks, particularly when a common supplier (e.g., Synnovis in June) is breached as the initial access point. As a low- or no-cost strategy, swift communication through established channels could make the difference between significant public impact and routine threat prevention.

As for healthcare or public service suppliers, implementing adequate network segmentation for critical systems (e.g., separating pathology systems and middleware from the broader IT network, as in the Synnovis attack scenario) can help to limit the scope of an attack.

As with all sectors, organisations must defend against both sophisticated and seemingly simple exfiltration methods to prevent patient data breaches. Implementing strict access controls, regularly monitoring user activity, and deploying robust data loss prevention (DLP) measures are essential steps to safeguard sensitive information. JUMPSEC’s detailed report on DNS Tunneling helps organisations gain a deeper understanding of more complex techniques.

What's next?

The only thing we know for certain is that ransomware activity is far from predictable.

Following the takedowns of Lockbit, BlackCat, Hive, and more recently Dispossessor, authorities clearly have the financial backing and strategy to take on ransomware groups head-on.

With mounting law enforcement success, the typical ransomware group marketing strategy of gaining notoriety could change. The reputation of Lockbit, formerly the most prominent group, was a double-edged sword: it aided affiliate recruitment and instilled fear in victims, yet it ultimately led law enforcement to prioritise their takedown as a significant coup against the ‘most prolific’ threat.

Dark Angels, for example, may not have welcomed being cited as having received the largest known ransom payment of $75M when they accounted for only ~0.2% of visible attacks globally. Whoever becomes known as the biggest threat will naturally be law enforcement’s next priority, and therefore we may see more quiet yet prolific threat actors.

Dark Angels (aka Dunghill Leaks) do not feature as a ‘top threat’ in terms of visible extortion but may cause substantial impact by disproportionately targeting large organisations. 

Those assessing the emerging ‘big players’ should not assume that extortion attempts reflect impact. Medusa are most active against large UK organisations in 2024 but are only the fourth most visibly active group.

A final trend that may be impactful is the increase in the number of groups, Lockbit included, who are ‘re-victimising’ organisations. Old data is being used to exact a ransom payment even when a recent attack has not taken place, meaning some ransomware groups are undermining their basic promise (and business model) that if you pay, you will be left alone.

This skews the perceived number of attacks, but more importantly, frequent patrons of ransomware groups, such as insurance companies, may be less inclined to pay a ransom if they cannot trust that the problem will actually go away.

Insurance firms simultaneously offer invaluable refuge to organisations on the brink of collapse while playing the role of steady financier to ransomware groups’ crypto wallets. Hopefully, recent efforts by the NCSC and the insurance associations (ABI, BIBA and IUA) to unite the insurance industry against ransomware indicate a more concerted effort to reduce a vital source of funding for ransomware groups.

References

[1] Google TAG and Mandiant. Zero-day in-the-wild exploits 2023: https://blog.google/technology/safety-security/a-review-of-zero-day-in-the-wild-exploits-in-2023/

[2] Chainalysis. Ransomware disruption and threat actor crypto wallet tracking: https://www.chainalysis.com/blog/ransomware-disruptions-impact/

[3] Sophos. Conflicting indication of a rise in total ransom payments: https://www.sophos.com/en-us/press/press-releases/2024/04/ransomware-payments-increase-500-last-year-finds-sophos-state

[4] Zscaler. Reporting on increased ransomware breaches: https://www.zscaler.com/resources/industry-reports/threatlabz-ransomware-report.pdf

[5] Zscaler. Dark Angels $75 million ransomware payment: https://www.zscaler.com/resources/industry-reports/threatlabz-ransomware-report.pdf

[6] Chainalysis. Confirmation of Dark Angels $75 million ransomware payment: https://twitter.com/chainalysis/status/1818324083873853734

[7] FBI. Lockbit received an estimated ~$120 million in total ransom payments: https://www.justice.gov/opa/pr/us-and-uk-disrupt-lockbit-ransomware-variant

[8] Chainalysis. Black Basta profited an estimated $150 million: https://www.chainalysis.com/blog/ransomware-disruptions-impact/

[9] Waterfall Security. Percentage of attacks that directly target OT: https://waterfall-security.com/ot-insights-center/ot-cybersecurity-insights-center/2024-threat-report-ot-cyberattacks-with-physical-consequences/

[10] SANS Institute. Five critical controls for industrial cyber security: https://sansorg.egnyte.com/dl/R0r9qGEhEe

[11] CISA. Advisory on Black Basta TTPs: https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-131a

[15] BBC. Impact on children’s mental health records: https://www.bbc.co.uk/news/articles/cglvpnpxx87o

[16] The Register. Interview about the NHS attack: https://www.theregister.com/2024/06/20/qilin_our_plan_was_to/

[17] Companies House. Synnovis financial records (revenue and EBITDA-based valuation): https://find-and-update.company-information.service.gov.uk/company/OC337242/filing-history

Our Methodology

Why we started

Analysis of ransomware activity is often focused on the US or provides a more global perspective, which expectedly skews the data and any insights that can be gained for UK-based organisations. This is understandable when considering the spread of ransomware activity globally.

While statistics do exist (meaning those which are self-reported through public statements, surveys, and questionnaires), they are only a part of the overall picture. The missing piece can be established by looking more closely at what ransomware groups themselves are reporting. Lack of visibility and transparency of the real number of ransomware cases enables attackers to continually extort organisations while keeping the true extent of their impact hidden – from both security defenders and national policymakers alike.

Whether intentional or not, the underreporting of ransomware incidents is an industrywide issue which this report aims to alleviate.

How we did it

For the latest report, JUMPSEC has collaborated to refine the data supplied by Duncan Walls, Editor at Data Breaches Digest, whose detailed data tracking and analysis methods have supported JUMPSEC in producing this report.

Data is gathered using a mixture of manual investigation and automated bots to search or ‘scrape’ the public-facing domains of the ransomware threat actors and openly available information for ransomware victims.

Where appropriate, we have compared and contrasted this information with officially reported statistics, as well as exploring primary and secondary sources addressing the attacks claimed by ransomware actors (such as public statements made by alleged victims, or news articles reporting on the issue from sources close to the incident).
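To make the methodology concrete, and to show the ‘re-victimising’ skew raised under ‘What’s next?’ in numbers, here is an added example written for this article (not JUMPSEC’s or Data Breaches Digest’s tooling). Each record is one attacker-reported claim enriched with country, sector and head-count, as described above. The functions count claims per half-year, compute the period-on-period change, break claims down by sector and employee size band, and separate repeat listings (the same group naming the same victim again) from first-time claims, so that raw and deduplicated trends can be compared. Every group, victim, date, head-count and size-band boundary below is invented.

```python
"""Working through a leak-site claims data set (added example, constructed data).

Raw claim counts include re-listings of old victims; first-time counts do not.
Comparing the two shows how re-extortion inflates the apparent trend.
All victims, groups, dates and figures are invented.
"""
from collections import Counter
from datetime import date


def claim(group, victim, country, sector, employees, y, m, d):
    """Build one enriched claim record (geography, sector and size added)."""
    return {"group": group, "victim": victim, "country": country,
            "sector": sector, "employees": employees, "date": date(y, m, d)}


CLAIMS = [
    claim("LockBit", "Acme Fabrication", "UK", "Manufacturing", 120, 2023, 8, 10),
    claim("LockBit", "Beta Logistics", "UK", "Transport", 900, 2023, 9, 2),
    claim("BlackCat", "Gamma Accountants", "UK", "Finance", 60, 2023, 11, 15),
    claim("Medusa", "Delta Plc", "UK", "Manufacturing", 2500, 2023, 12, 1),
    claim("Cl0p", "Lambda Legal", "UK", "Legal", 40, 2023, 7, 25),
    claim("Qilin", "Epsilon Corp", "US", "Healthcare", 4000, 2023, 10, 20),
    claim("LockBit", "Acme Fabrication", "UK", "Manufacturing", 120, 2024, 2, 28),  # re-listed
    claim("LockBit", "Zeta Tools", "UK", "Manufacturing", 80, 2024, 3, 12),
    claim("Medusa", "Eta Bank", "UK", "Finance", 3000, 2024, 4, 5),
    claim("Akira", "Kappa Precision", "UK", "Manufacturing", 150, 2024, 4, 22),
    claim("LockBit", "Beta Logistics", "UK", "Transport", 900, 2024, 5, 20),  # re-listed
    claim("Qilin", "Theta Trust", "UK", "Healthcare", 5000, 2024, 6, 10),
    claim("Black Basta", "Iota Motors", "US", "Manufacturing", 1500, 2024, 1, 15),
]


def half_year(d: date) -> str:
    """Label a date as e.g. '2024-H1' (January to June) or '2023-H2'."""
    return f"{d.year}-H{1 if d.month <= 6 else 2}"


def split_reclaims(claims):
    """Return (first_time_claims, repeat_claims). A repeat is the same group
    naming the same victim again after an earlier claim: re-extortion, not a
    new incident, for trend purposes."""
    first, repeats = {}, []
    for c in sorted(claims, key=lambda c: c["date"]):
        key = (c["group"].lower(), c["victim"].lower())
        if key in first:
            repeats.append(c)
        else:
            first[key] = c
    return list(first.values()), repeats


def count_claims(claims, country, period) -> int:
    return sum(1 for c in claims
               if c["country"] == country and half_year(c["date"]) == period)


def percent_change(old: int, new: int):
    """Period-on-period change in percent, None when the base period is empty."""
    return None if old == 0 else round((new - old) * 100.0 / old, 1)


def sector_share(claims, country, period) -> dict:
    """Share of claims per sector for one country and half-year, in percent."""
    sectors = Counter(c["sector"] for c in claims
                      if c["country"] == country and half_year(c["date"]) == period)
    total = sum(sectors.values())
    return {s: round(n * 100.0 / total, 1) for s, n in sectors.items()}


def size_band(employees: int) -> str:
    """Assumed head-count bands; the 50-200 band matches the one used above."""
    if employees < 50:
        return "<50"
    if employees <= 200:
        return "50-200"
    if employees <= 1000:
        return "201-1000"
    return "1000+"


def size_breakdown(claims, country, sector) -> Counter:
    return Counter(size_band(c["employees"]) for c in claims
                   if c["country"] == country and c["sector"] == sector)


def trend_summary(claims, country, old, new) -> dict:
    """Raw versus first-time-only change between two half-years."""
    fresh, repeats = split_reclaims(claims)
    return {
        "raw_change_pct": percent_change(count_claims(claims, country, old),
                                         count_claims(claims, country, new)),
        "first_time_change_pct": percent_change(count_claims(fresh, country, old),
                                                count_claims(fresh, country, new)),
        "repeat_claims": len(repeats),
    }


if __name__ == "__main__":
    fresh, _ = split_reclaims(CLAIMS)
    print(trend_summary(CLAIMS, "UK", "2023-H2", "2024-H1"))
    print(sector_share(fresh, "UK", "2024-H1"))
    print(size_breakdown(fresh, "UK", "Manufacturing"))
```

On the invented data the raw UK count rises from five to six claims (+20%), but once the two re-listings are set aside the first-time count falls from five to four (-20%), which is exactly the direction of skew that re-extortion introduces. The same records give a sector share and a size-band breakdown of the kind reported above; the real data set of course needs a more careful victim-matching step than a case-insensitive name comparison, since leak sites spell victim names inconsistently.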

Why we took this approach

There is a clear incentive for organisations who are the victim of data theft and extortion to downplay the severity of a breach, as we explored in a recent article. Organisations have been known to claim the data stolen is outdated, particularly where data theft alone has occurred (without ransomware deployment) – making the attack significantly less visible, and therefore easier to brush under the carpet.

While this approach goes some way to bridge the gap between official and unreported statistics, gaps still exist. One of the primary limitations is that the available data is only based on what ransomware groups are reporting. Therefore, there is a potential gap where victims settle the issue before it hits the public eye (and therefore the breach is never reported, in official channels or otherwise).

While we do consider attempts to track further data points, such as the crypto payments made to the wallets of ransomware actors (e.g. Chainalysis), in our analysis, we acknowledge that there are simply too many wallets to track, too many operators, and too many currencies to build a complete picture in this manner. However, this method of analysis nonetheless presents a useful ballpark estimation.

Further, ransomware attacks are not necessarily perpetrated by a single organisation. Initial Access Brokers (IABs) provide a specialised service, gaining access to an organisation’s network and selling this access to the highest bidding ransomware group. Therefore, while particular ransomware groups may appear to prefer to target particular sectors or company sizes, or to have more success in a certain area, IABs may be equally as influential in dictating the trend of which organisations are targeted.

Despite these limitations, we believe a great deal of insight can be gathered from the data (lest perfect be the enemy of progress). We are continually looking for ways to improve the reach and accuracy of our data set by drawing on different information sources, and our analysis will evolve over time as a result.


Sean Moran

Sean is a security writer with a focus on ransomware extortion and its impact on the wider cyber security industry.
