UK Ransomware Trends: Lessons for 2023

Ransomware has been a major cyber threat globally since late 2019 and is a top concern for just about every organisation regardless of industry or business model. After year-on-year increases in ransomware attack figures, competing sources have provoked debate on whether ransomware rose or fell as a risk in 2022.

Globally in 2022, JUMPSEC’s data shows that attacker reported ransomware rates experienced diminished growth compared to previous years. However, attacker reported incidents in the UK specifically have increased by a further 17% in 2022, meaning that from a UK perspective at least, any statements about the diminished threat of ransomware should be met with a degree of caution. Furthermore, the initial data for 2023 shows signs of an uptake in UK ransomware activity.

Total UK cases 2020-2023. Total UK reported attacks increased by 17% in 2022 compared to 2021, although the rate of attacks broadly followed a similar pattern to the previous year.

New and emerging vulnerabilities are likely to increase the damage ransomware groups can inflict on organisations following discovery and exploitation. New vulnerabilities such as Spring4Shell, Follina and ProxyNotShell were identified and exploited in 2022, however, not to the same degree as Log4j in 2021.

In 2022, at no point did total attack rates reach the record high of November / December 2021, which saw a total of 20 attacks in the UK over a two-week period – primarily due to the widely exploited Log4j vulnerability.

Total activity in the UK overlaid with a timeline of major cyber security events.

Perhaps more influentially in 2022, new threat actors have become more prominent in the ransomware space following the disintegration of Conti and REvil, formerly the largest ransomware players, and key actors in the December 2021 spike.

After the decline of Conti in May, attack rates fell mid-way through the year, before rising again over the Autumn due overwhelmingly to the resurgence of LockBit.

Lockbit have since taken the mantle as the largest ransomware threat by some distance, both globally and in the UK, claiming over 52% of global reported ransomware attacks. In September alone, Lockbit registered a total of 291 total attacks in just two weeks – the most recorded since the ransomware wave began in 2019.

The most prevalent threats in the UK in 2022. With evidence that individuals formerly operating as part of Conti likely redeployed to other ransomware groups, this may have contributed to the period of reduced activity mid-year, followed by a subsequent surge.

Ransomware groups such as Karakurt and BlackCat have also emerged as more prevalent threats, while others like Vice Society have maintained a consistent presence. Like Lockbit, these groups operate a Ransomware-as-a-Service (RaaS) model which is enabling a greater number of technically unsophisticated cybercriminals to become effective ransomware actors without the skills once required to execute an attack.

Other influences

Geo-political events have impacted the evolution of ransomware in 2022. Hacktivist groups with allegiances to Russia have emerged and are conducting DDoS attacks which may increase the susceptibility of organisations to ransomware, targeting private corporations, hospitals, government agencies and national infrastructure, with reports suggesting links exist between to known ransomware threat actors and hacktivists.

Pro-Russian Killnet for example threatened action against the UK specifically in November. Such groups tend to retaliate following geopolitical events deemed unfavourable to their cause, which in November was nominally the UK’s support for Ukraine with anti-air missiles. Although some may be rightly sceptical about whether Russian hacktivism translates to real world attacks, nation states also use cyber attacks as a form of retaliation as part of ‘grey zone’ military tactics.

For a more concrete example, recent research shows that after Finland joined NATO in July DDoS attacks rose significantly. Despite relatively a relatively low volume immediately after joining in July, it wasn’t until September two months later that attacks began to increase dramatically.

The changing rate of ransom payments may also influence ransomware trends or alter the strategies deployed by attackers. While close to impossible to completely verify, recent Chainanalysis research on the technical side of crypto payments indicates that total payments decreased from $766m to $457m in 2022. However, fewer ransom payments do not necessarily mean less damage to organisations. A survey of affected victim organisation in 2022 showed an increase in respondents who specified lost revenue (56%) and customers (50%) as a result of a ransomware attack – a reminder that direct ransom payment figures are not the only indicator of ransomware’s impact.

Reportedly increased investment in security in 2022, and a shift from denial of cyber security issues to active engagement, may have also impacted ransomware trends. The UK Cyber security sectoral analysis 2022 report shows organisations are investing – total annual UK revenue within the sector reached £10.1 billion in 2022, an increase of 14% since 2021, and the industry saw an increase of 6,000 cyber security employee jobs within the last 12 months (increasing 13% from 2021).

Law enforcement action was diminished in 2022 from 2021’s physical shut down of REvil through bilateral action with Russia. The most high-profile efforts from Western authorities’ to combat ransomware in 2022 involved threating action against Conti (setting a $10 million bounty, contributing to their dissolution), and an arguably more effective remote disruption  operation conducted against Hive ransomware (achieved through international cooperation between US, Dutch and German authorities). Although less verifiable, other reports suggested Lockbit were also ‘hacked back’ on the behalf of a victim organisation in retaliation for an attack, which may indicate a shift in the strategies being deployed to combat ransomware.

That said, additional preventive measures have been imposed on organisations, increasing the threat of prosecution for paying a ransom. The UK’s Office of Financial Sanctions Implementation (OFSI) recently released a ‘Ransomware and Sanctions’ guide which stressed the impact of ransomware payments, and reminded organisations of its power to impose statutory maximum penalty more than £1 million or 50% of the value of the breach.

Other nations have also pushed more aggressive sanctions on ransomware. For example, the introduction of more stringent reporting regulations across the EU and U.S., and Australia’s recent steps toward the outright banning of ransomware payment.

Re-brands and internal splits seen in 2021 and early 2022 have not featured in the same vein in recent months, as Lockbit in particular have demonstrated unparalleled longevity in an often-chaotic landscape generally marked by instability.

An overview of the factors contributing to changes in ransomware trends.

On a global level at least, JUMPSEC’s findings appear to conflict to a degree with NCSC’s expectation that ‘a more diverse and capable ransomware landscape’ would emerge in Conti’s absence.

Lockbit have taken the mantle from Conti as the most prevalent ransomware both in the UK and globally, accounting for 52% of attacks. Lockbit’s activity sparked globally and in the UK in September 2022. Notable recent attacks on UK organisations include Royal Mail, Ion Trading (the City of London), and Pendragon.

For UK-specific attacks, Lockbit were the most prevalent threat in 2022.

Left: The proportionate impact of the 10 most prevalent ransomware threats on UK and US organisations. Right: How Lockbit compare to the now defunct Conti – the former most prevalent threat globally.

The proportionate impact of Lockbit on the global ransomware landscape (52% of global attacks).

However, the total attack figures alone are only part of the story. In terms of the financial profile of targeted UK organisations, Lockbit are not the primary threat to more typically ‘cash rich’ organisations. Karakurt (thought to be an offshoot or rebrand of Conti) have emerged as a threat both in the UK and globally and have predominantly been responsible for attacks on large UK organisations with Cash in the Bank assets exceeding £20 million.

Sector-by-sector breakdown of the UK organisations targeted by Lockbit in 2022.

In 2022, Karakurt were responsible for the most reported attacks against large and medium UK organisations (by cash in the bank assets). Another indication that Karakurt are linked with Conti (by total reports since 2019, the now disintegrated Conti have reported the most ‘big game hunting’ attacks.

Another group consistently targeting the UK is Vice Society, who overwhelmingly target the UK Education sector. Vice Society is known for targeting less notable (and arguably less cyber-mature) victims, ‘flying under the radar’ to avoid unwanted attention.

The number of reported attacks by the most prevalent attacker in each of 2022’s most targeted UK sectors (not including many attackers (as over 32 known groups reported attacks on UK organisations in 2022).

While some have speculated that targeting education is less profitable for attackers than other industries, the fact that groups like Vice Society have now consistently targeted UK schools and universities since 2021 (unlike other sectors that were targeted but are not longer i.e. construction), their attacks are certainly yielding a degree of profit.

Other notable threats include:

Threat actors may operate using multiple ransomware strains, and groups can disappear, re-brand and re-emerge often without consequence – making it unwise to put too much weight on the changing fortunes of any individual group. However, understanding the TTPs of ransomware groups and their proclivity to target a particular sector or size of business can help organisations identify potential vulnerabilities and develop effective strategies to mitigate the risk.

As outlined above, we know that certain groups do tend to target particular industries (i.e. Vice Society – education). However, most attackers have a far less established target sector and, as outlined in JUMPSEC’s trends report last year, it is difficult to infer whether ransomware groups are influenced by perceived lower levels of cyber maturity, or the promise of a more lucrative potential payoff from cash rich organisations.

Whether attackers have a defined sector-based strategy or not, the data does indicate the degree to which even random ransomware hackers have targeted particular sectors in 2022.

The data suggests that Education, Law, and Retail and Wholesale Trade were the most targeted industries (as they have been considering all attacks since 2019), but we must examine the financial size and capacity of victimised organisation to gain a more realistic insight on the true sector-by-sector impact of ransomware in the UK.

The most targeted UK sectors in 2022.

In comparison to 2021 we broadly see similar figures for most UK sectors, with the notable exception of construction, which was targeted far less in 2022 despite being the most targeted sector of 2021.

Two primary possibilities contributed to this change. Either the construction industry had a dramatic culture shift and invested heavily in cyber security over 2021 or, targeting construction is simply not that profitable for attackers, and as some have theorised, the fact that the industry is far less reliant on digital infrastructure than other sectors has made construction organisations more difficult to extort.

In this context, the continued attack rates seen the education industry are perhaps an indication that attackers are finding a degree of success by attacking this sector.

As with last year’s ransomware trends report, medium and large organisation in Retail and Wholesale trade and Financial Services have been strongly impacted. Smaller businesses were targeted in Law and Accounting.

The UK’s most targeted sectors, broken down by size (total assets).

The UK’s most targeted sectors, broken down by size (cash in the bank assets).

Some key points to consider from the graphs above include:

*One organisation with over £2 billion total assets and £47 million cash in the back assets was attacked in the Real Estate sector in 2022. Otherwise, the sector was not highly impacted (a total of 4 attacks in 2022).

As we look to 2023, JUMPSEC’s initial attacker reported data show signs of an uptake in reported attacks against UK organisations. However, these figures will naturally fluctuate throughout the year. A number of recent developments may continue to influence ransomware trends: