UK finance firms faced a torrent of ransomware attacks in 2023 as threat actors ramped up activities


The number of ransomware incidents reported to the UK’s Financial Conduct Authority (FCA) doubled in 2023, indicating a relative boom in activity compared to the previous year.

A freedom of information request submitted to the regulatory body by Picus Security reveals the FCA received 51 cyber incident reports in the first half of 2023, marking a 10% increase on the same period in 2022.

The FCA regulates over 50,000 organizations operating in the financial sector in the UK, with firms mandated to report any cyber incidents to the regulatory body.

Nearly one-third (31%) of cyber incidents reported to the FCA in 2023 were classified as ransomware attacks, compared to 11% in the first half of 2022. 

Described as “an unusually quiet period” in the report, 2022 saw relatively few (~45) cyber incidents, according to the FCA, with virtually no ransomware attacks being reported to the regulator between July and December that year.

The spike in activity in 2023 suggests threat actors have ramped up operations once more. However, the report notes that cyber incidents in 2023 were still significantly lower than the 2021 high, which saw over 70 attacks disclosed. 

Commenting on the results, co-founder and VP at Picus Security Labs Dr Suleyman Ozarlan said 2023 was a busy period for security specialists at financial firms, with a seemingly endless number of cyber gangs lining up to launch new ransomware attacks.

“The first six months of 2023 was a hectic period for financial services security teams. This sector has always been one of the biggest targets for both politically and financially motivated cybercriminals. Cl0p Ransomware, for example, is known to target major banks,” Ozarlan said.

“Ransomware gangs burst onto the scene, scale up their campaigns, and put a target on their backs. After the coordinated crackdowns and arrests from global government agencies, ransomware activity can start to die down until the next group looks to fill the void left by their predecessor.”

2023 was a year of booms and busts for ransomware activity

Analysis of ransomware attacks by month indicates there are consistently boom and bust periods for ransomware attacks over the course of a year.

The data shows March is often a hotbed of activity for digital extortion specialists, with December consistently proving to be a relatively quiet period.

March in 2019, 2021, 2022, and 2023 saw a relatively high number of cyber incidents reported to the FCA, and the study highlights the impact that critical vulnerabilities CVE-2023-23397 and CVE-2023-24880 have had on the inflated activity in H1 of 2023.

These vulnerabilities affected Microsoft Office Outlook and Windows respectively, and were identified by Ozarlan as contributing factors to the elevated levels of ransomware incidents in the first half of 2023.

“Two major Microsoft vulnerabilities may have also contributed to more incidents than usual this year, as was the case in 2021 when the Hafnium hacking group was actively exploiting another Microsoft Exchange Server bug,” Ozarlan explained.




“The numbers for the first half of 2023 are also far higher than the second half of 2022 when cyber incident reports almost ground to a halt by the end of the year. It is interesting to see such consistently low numbers in December.”

Ozarlan added that the decline in activity observed consistently in December might reflect reduced office attendance during the month, but he noted it could also be explained by more concerning behaviors from security teams in the festive period.

“A slight decline in cyber incident reports would reflect the fact that many people are away from the office, but there is such a sizable gap between December and January figures. We know that breaches happen all year round, so the numbers should fall off a cliff in this manner. 

“I don’t know which is worse, if security teams don’t discover incidents in December, or if they choose not to report them until after the holidays.”

Solomon Klappholz
Staff Writer

Solomon Klappholz is a Staff Writer at ITPro. He has experience writing about the technologies that facilitate industrial manufacturing which led to him developing a particular interest in IT regulation, industrial infrastructure applications, and machine learning.