Active Threat Actors Targeting UK Financial Services
| Actor / Group | Origin | Primary Method | Active Techniques (ATT&CK IDs) | SME Risk |
|---|---|---|---|---|
|
Scattered Spider
aka UNC3944, Octo Tempest
|
CYBERCRIME | SIM-swapping and social engineering to bypass MFA; targets IT helpdesks to gain access. | T1078 T1566.001 T1621 | HIGH |
|
ALPHV / BlackCat
Ransomware-as-a-Service group
|
CYBERCRIME | Ransomware deployment following stolen credentials and VPN exploitation. Known to target professional services firms. | T1486 T1190 T1657 | HIGH |
|
APT29 / Cozy Bear
SVR, Russian Foreign Intelligence
|
RUSSIA / STATE | Spearphishing and supply chain compromise. Primarily targets government and finance. Sophisticated, long-dwell operations. | T1566.002 T1195 T1071.001 | MEDIUM |
|
APT40 / BRONZE MOHAWK
Chinese MSS-linked group
|
CHINA / STATE | Exploitation of internet-facing services and VPNs. Actively targeting financial data and intellectual property. | T1190 T1133 T1041 | MEDIUM |
|
MuddyWater
STATIC KITTEN, Iranian MOIS
|
IRAN / STATE | Phishing and exploitation of web frameworks (Laravel, Zimbra). Targeting professional services and finance for espionage. | T1566.001 T1190 T1059 | MEDIUM |
|
LockBit 3.0 Affiliates
Ransomware-as-a-Service network
|
CYBERCRIME | Access brokers sell network entry to affiliates who then deploy LockBit ransomware. SMEs frequently targeted as easier entry points. | T1486 T1078 T1083 | HIGH |
|
TA4903 (BEC Specialists)
Business Email Compromise group
|
CYBERCRIME | Impersonation of senior staff, solicitors, and payment processors to redirect bank transfers. Primary threat vector for insurance brokers. | T1566.002 T1534 T1078 | HIGH |
How Much of This Does GET-IT Cover?
Coverage by Tactic
Techniques in Use Against UK SMEs This Week
Current Risk Status for UK Financial Services SMEs
Elevated Maintained — Agentic Ransomware Confirmed, SharePoint Under Active Exploitation
RAG status remains Elevated/Amber. This week marks a significant capability milestone: Sysdig researchers have identified Jadepuffer, assessed as the first documented end-to-end agentic ransomware attack — a complete extortion operation driven by a large language model with no human operator at the keyboard. Five Eyes agencies warned in late June that AI-driven attacks could appear within months; the prediction took two weeks to materialise. This does not yet represent a confirmed active campaign targeting UK SMEs directly, but it signals a step change in attacker capability that compresses the timeline for organisations still addressing basic hygiene. Microsoft SharePoint Server (CVE-2026-45659) has been added to CISA KEV — code execution via deserialization by an authorised network attacker. SharePoint is widely deployed across UK professional services environments. The UK government launched the Cyber Resilience Pledge today, with supply chain pressure on SMEs explicitly built into the framework.
Agentic AI Ransomware (T1486 / T1059) — Jadepuffer: First Documented End-to-End LLM-Driven Attack
Sysdig Threat Research Team has identified and documented Jadepuffer — assessed as the first confirmed instance of agentic ransomware, in which a large language model autonomously completes a full ransomware extortion chain without a human operator. Five Eyes agencies issued a joint advisory in late June 2026 warning that AI-powered cyberattacks could emerge within months. The prediction materialised within two weeks. The attack demonstrates that LLMs can now handle reconnaissance, lateral movement, encryption, and extortion coordination end-to-end. This removes the human bottleneck from the attack chain and enables attacks to run at machine speed and scale. The CISA KEV entry this week — Microsoft SharePoint Server deserialization vulnerability (CVE-2026-45659, added 1 July 2026) — allows an authorised network attacker to execute arbitrary code. SharePoint is deployed across a significant proportion of UK professional services and insurance environments, either directly or via Microsoft 365 integrations. Authorised attacker in this context means someone with network access and valid credentials — a low bar given the volume of credential compromise activity in recent weeks. The UK government launched the Cyber Resilience Pledge on 7 July 2026, with M&S, Nationwide, ITV, Microsoft UK and Accenture among the first 60 signatories. Critically for SMEs: the pledge documentation explicitly states that SMEs will need to sign if they wish to remain in the supply chains of larger signatory organisations — making this a commercial requirement, not a voluntary aspiration.
ACTIVE — LockBit 3.0 Affiliates and ALPHV/BlackCat Successors Operational
Both ransomware-as-a-service ecosystems remain active with affiliate networks continuing to acquire access from initial access brokers. UK professional services firms make up approximately 18% of confirmed UK ransomware victims in Q1 2026 (NCSC data). Offline backups, patching cadence, and tested recovery plans are the three most effective mitigations at this level.
Live Source Summary
Does Your Security Stack Cover These Techniques?
64% coverage of active techniques is a starting point. If you'd like to understand exactly where your gaps are — and what it would cost to close them — book a resilience scan.
Book a Resilience Scan →Intelligence sourced from NCSC UK, the CISA Known Exploited Vulnerabilities Catalog, FCA ScamSmart, and the MITRE ATT&CK framework (licensed under CC BY 4.0). Technique descriptions are plain-English interpretations for SME audiences and are not verbatim reproductions of MITRE documentation. Coverage assessments reflect the GET-IT stack as configured for a typical SME client — actual coverage depends on your specific environment. This dashboard is updated weekly; data may not reflect events in the 24–48 hours prior to the last refresh date. GET-IT Solutions Ltd is not responsible for inaccuracies in third-party source data.