SecurityBrief UK - Technology news for CISOs & cybersecurity decision-makers
Jumpsec reports a 17% increase in ransomware across the UK
Tue, 21st Mar 2023

The latest annual ransomware trends report from cybersecurity solutions provider Jumpsec suggests that while attacker-reported ransomware rates experienced diminished growth globally in 2022, attacker-reported incidents in the UK increased by a further 17% from more than 32 known cybercrime groups.

Jumpsec threat intelligence analysts compile a report tracking UK ransomware activity each year. Jumpsec focuses on attacks reported by ransomware groups themselves and analyses the data to enable a more effective response to developing patterns.

Jumpsec's analysis found that, at least from a UK perspective, statements about the perceived diminished global threat of ransomware should be met with caution.

Compared to 2021, Jumpsec has seen broadly similar figures for most UK sectors, with the notable exception of construction, which was targeted far less in 2022 despite being the most targeted sector of 2021. Initial data for 2023 already show an uptick in UK ransomware activity.

Following the disintegration of Conti (the former most prolific ransomware group) in 2022, some pundits predicted a more diverse threat landscape would emerge. However, the equally prolific LockBit ransomware group dominated globally in 2022, accounting for more than 52% of reported attacks. The group, first noted in 2019, has also been the most active threat actor against UK organisations since September 2022. Notable recent attacks on UK organisations include Royal Mail, Ion Trading (the City of London), and Pendragon.

Among more typically "cash-rich" UK organisations, ransomware demands from Karakurt, a cybercrime group believed to have first emerged in 2021, are the primary threat. Karakurt is considered an offshoot or rebrand of Conti and, to date, has predominantly attacked large UK organisations with "cash in the bank" assets exceeding £20 million.

Another group, the Russia-based Vice Society, continues to disproportionately affect education in the UK, accounting for 71% of attacks reported against the sector while being responsible for only 26% of reports against education globally. Vice Society targets less notable, less high-profile and less cyber-mature victims, "flying under the radar" to avoid unwanted attention.

Regarding industry-specific targeting, the construction sector was targeted far less in 2022, despite being the most targeted sector of 2021, likely because attackers found the sector less profitable and perhaps more challenging to extort due to its reduced reliance on digital infrastructure.

Looking ahead, Jumpsec's initial attacker-reported data for 2023 shows signs of an uptick in reported attacks against UK organisations. Of course, these figures naturally fluctuate over the year.

Jumpsec sees several developments which will influence ransomware trends.

Firstly, cybersecurity experts suggest that emerging widespread vulnerabilities will continue to catalyse periods of increased activity.

“There are early indicators that vulnerabilities affecting VMware ESXi servers are being actively exploited by dedicated ransomware groups seeking to leverage a low-complexity exploit against a prevalent technology, which may be one to watch,” says John Fitzpatrick, Chief Technology Officer at Jumpsec.

Furthermore, 2023 already sees tighter insurance terms, which may restrict threat actors' ability to extort organisations as insurers move to limit their exposure and offer victims less financial support for ransom payments. There is evidence that attackers may already feel the effects in 2023, as HardBit ransomware threat actors have begun explicitly requesting insurance details from victims so the ransom demand can be adjusted to fall within the victim organisation's policy.

More ransomware payment regulations and restrictions will be enforced in 2023, as HM Treasury's Office of Financial Sanctions Implementation suggests that making a ransomware payment may breach financial sanctions, so it must be reported. The EU, US and Australia have also introduced additional measures to penalise ransomware payments.

Meanwhile, grey-zone military tactics have become a feature of international relations irrespective of individual conflicts, making cyberattacks an attractive means to cause immense disruption without crossing the threshold of overt war. 

A recent report by Google’s Threat Analysis Group (TAG) suggests increased interconnectivity between ransomware actors and the Russian state, with “tactics closely associated with financially motivated threat actors being deployed in campaigns with targets typically associated with government-backed attackers”.

“Threat actors may operate using multiple ransomware strains, and groups can disappear, rebrand and often re-emerge without consequence – making it unwise to put too much weight on the changing fortunes of any individual group. However, we hope that understanding the tactics, techniques, and procedures (TTPs) of ransomware groups and their desire to target particular sectors or sizes of business can help organisations identify potential vulnerabilities and develop effective strategies to mitigate risk,” says Sean Moran, a researcher at Jumpsec, which tracks global ransomware activity using a mixture of manual investigation and automated bots to search or scrape the public-facing domains of ransomware threat actors. The company has created a Ransomware Hub page which now hosts all the ransomware updates.