Ransomware in 2020: UK and Global Threat Overview

The total cost of global ransomware attacks amounted to $345 million in 2015. Current global estimates for financial losses for 2021 via ransomware attacks is predicted to be in the region of a staggering $20 billion. To bring this down to a local level, the UK was the second most-attacked country in the world last year for ransomware attack, costing UK businesses a total of £365 million for the year.

But what is the future of ransomware attacks? Who are the targets of threat actors and what is the motive? What are the common attack vectors that IT leaders should be aware of when identifying their vulnerabilities against the unwarranted installation of ransomware?


The majority of modern day cyberattacks tend to be financially motivated – especially in the case of a ransomware attack. The introduction and growing adoption of virtual currencies over the last decade has made it increasingly easier for cybercriminals to demand monetary ransoms from victims; to add insult to injury to the victims of a ransomware attack, the navigation of paying these virtual currencies has brought up issues with those companies that are not as technologically adept, and hackers have found themselves opening up call centres to provide technical support in signing up for Bitcoin in order to extort the ransom.

Whilst IT teams battle with advancing their cyber security strategy and defences in line with past threat, cybercriminals concentrate their attention on a more sophisticated line of attack, which constantly tests and probes the vulnerabilities of their victims’ networks.

A recent survey of 540 CIOs, CISOs and IT Directors from companies with an average of 5,400 employees has found that 40% of organisations have experienced a ransomware attack in the last year. Of these victims, more than a third lost revenue and, in a few tragic cases, 20% had to cease business completely. As a result, only 4% of respondents to the survey felt ‘very confident’ that they could deal with a ransomware attack.

Who are the targets?

The history of ransomware attacks has seen hackers launch tirades of ransomware attacks on smaller companies, those that previously have not had the budgets or paid keen enough attention to their cybersecurity practises to defend against them.  Today, the sophistication of ransomware attacks has improved with cybercriminals using a ‘Big Game Hunting’ (BGH) technique in order to infect larger companies with ransomware for greater financial extortion and payoff, and time efficiency.  That’s not to say by any means that larger companies are the only ones at risk – whilst 68% of SMEs say that they are not worried about a ransomware attack, they are still very much a target for reasons of financial gain, acquisition of company IP, customer data and, crucially, access: often, SMEs are being used by cybercriminals as a vector for attack, e.g. to a larger parent company, or the supply chain of a larger target.

The large-scale adoption of social media over the course of the last 15 years has been of a great aid to hackers in sophisticating their approach. Not only does it offer key information on job roles, names, and the organisational structure of potential victims – providing the hackers with all the tools for a tailored email scam to infiltrate and subsequently deploy ransomware in the victims’ network – but it can also act as a straight conduit for deploying the malware itself.

Web pop-ups and phishing emails remain the most common vectors of a ransomware attack. The use of web pop-ups in particular has allowed hackers to deploy ‘exploit kits’, which discreetly scan a victim’s machine for vulnerabilities. If the scan successfully identifies a point of entry, ransomware will be deployed. This vector is one to watch out for, as it is an efficient file-less technique and can be injected into the memory without need of a disk, and thereby making them undetectable by traditional antivirus software.

Recent ransomware attacks

There are many different programmes of ransomware employed by advanced threat actors, but many that are also available to the average Joe to setup their own ransomware plan.  One of the most recent reports of a ransomware attack in UK news this week was the ransomware attack on Newcastle University (announced 30th August). The perpetrators claiming responsibility is DoppelPaymer, who have so far reportedly stolen 750Kb of data and put it for sale on their online site. The ransomware in this situation works a lot like another commonly used malware, Dridex, where the network is compromised by the delivery of ransomware through a Word file attached to a personalised email. All files become encrypted and the cybercriminals give instruction for ransom payment, with the specific advice not to turn off all the computers in the organisation for fear of permanent data loss. As it stands currently, the university have not turned their systems off and are expecting it will take ‘several weeks’ to get their services back online following the attack – a severe amount of downtime and blow to the organisation’s reputation.

On a global level, there has been a sudden spike in ransomware attacks to Japan, France and New Zealand from threat actors Emotet, targeting the private sector and public administration entities. Emotet’s malware typically is used to deliver malicious ransomware via spam emails, like Conti (TrickBot). This ransomware infection (like others in its category) sees its operators breaching corporate networks and spreading out undetected before they gain the domain’s admin credentials. Once they have this access, the threat actors then deploy ransomware that encrypts the organisation’s devices. In the grand scheme of things this is alarming, as a recent study conducted by AppRiver has found that 48% of SMEs do not store their most important or confidential data exclusively on a secure network, instead dispersing it across multiple unsecure or unknown locations. This leads to blind spots and gaps in cyber protection, particularly in the case where employees are now being given more permission to use their unsecure personal devices for business purposes.

Overall, the average cost of a breach incident to the UK business is £4,180, and for UK charities it’s £9,470. In many UK cases of ransomware attack, the amount demanded by the criminals is extortionate, and often targeted companies are unable to retrieve their files/data even when payment has been made.

Serbus is an industry leader for secure communications and remote device security, providing solutions to the likes of the MoD, UK Government and world class brands alike. If you are interested to learn more about how we can help protect your business devices against external threat, keeping your company IP and customer data at the highest level of security, contact us for a chat. Size does not ensure safety, and we have solutions for any requirements from SME to MoD. Email us on [email protected] or call our office +44 (0)1432 870 879.