In its latest report, JUMPSEC revealed that attacker-reported ransomware attacks increased by 87% in the UK and 37% globally in the first half of 2023. This follows reports of ransomware growth slowing at the end of 2022. Victims refusing to pay, higher security spending, or threat actors focusing on Russia-Ukraine were all theories for the slowdown.
The company now expects 2023 to be the most prolific year for ransomware, surpassing the previous highs of 2021. JUMPSEC identified 436 attacks worldwide in July 2023, 20% higher than the previous all-time high caused by Log4j in 2021.
The mass exploitation of software vulnerabilities is perhaps the most clear-cut contributing factor to the rise of ransomware attacks in 2023. Several vulnerabilities discovered in widely used platforms have contributed to rising attack figures (Rackspace, Zimbra and most notably the MOVEit).
Analysis shows that Lockbit are still the most prevalent ransomware variant in 2023, however, Cl0p ransomware, who claim the MOVEit breach, have increased their impact significantly and could be on course to challenge Lockbit as the most prevalent ransomware.
Another 2023 trend reported by JUMPSEC is the increased exploitation of the financial services, insurance and IT sectors, both globally and within the UK. With organisations increasingly opting only to exfiltrate data as leverage for extortion these sectors are becoming increasingly lucrative targets. Large UK based companies such as Aon, Deloitte and PWC were all targeted in the MOVEit attack and are representative of the types of organisations that have experienced higher attack rates.
Another explanation for rising attack figures is simply the proliferation of more ransomware variants as JUMPSEC has monitored 20% more ransomware groups in 2023 than in 2022.
According to the analysis, successful groups continue to prioritise big game hunting. In 2023, BlackCat (ALPHV) and CL0P are the most common ransomware groups targeting UK organisations with £10 million in bank assets, replacing Karakurt as the most common ransomware against large organisations.
UK is the most targeted country outside the US and 20% of European ransomware attacks occur there. While Russian-aligned hacktivist organisations threaten DDoS assaults against the UK, theoretically making UK businesses more susceptible, such attention-grabbing hacktivism is unlikely to have a significant impact.
“We have observed a trend towards the increased personalisation of attacks, which could indicate victims have become less inclined to pay ransoms, causing attackers to exert greater pressure,” said JUMPSEC’s Researcher Sean Moran, “Unfortunately, recent reports of rising cryptocurrency profits by known ransomware threat actors suggests that attacker negotiation tactics have been effective. Organisations need to continually to refine their response to cyber extortion as attackers develop new strategies around mass exploitation of software vulnerabilities, data exfiltration, whilst becoming increasingly personal by targeting individuals and senior leadership within victim organisations.”
JUMPSEC threat intelligence analysts track global ransomware activity using a mixture of manual investigation and automated bots to search or ‘scrape’ the public-facing domains of ransomware threat actors. The raw data is then enriched by investigating the geographic location, industry sector, size, and financial profile of each targeted organisation.
JUMPSEC has created a Ransomware Hub page which now hosts all the ransomware updates, visit here: Ransomware Hub | JUMPSEC