Cyber Security Monitor: February

It’s not long into 2026, but British organisations are already facing an upsurge in ransomware compared to last year.

Latest figures show that January alone saw more attacks than any single month in 2025. In this issue, we’ll look at how supply chain resilience should be a key part of your defence strategy.

Also this month, we explain why an unexpected email from Microsoft should be treated with suspicion; why the government wants your supply chain to embrace Cyber Essentials; and how hackers have started to exploit vulnerable cloud infrastructure and what you can do to stop them.

Ransomware on the rise in 2026

Just two months into 2026, security researchers say the year is already setting records for the sheer scale of ransomware attacks.

Latest figures from the NMC Threat Intelligence Team (National Management Centre, part of the Police Digital Service) show that the number of UK ransomware attacks in January was 35. This is higher than any single month in 2025. In the UK, construction, manufacturing and finance sectors have been the worst hit so far.

Experts believe that many recent ransomware victims fell prey to the notorious CL0P gang, which targeted the Gladinet CentreStack platform commonly used by businesses for file storage and sharing. Other ransomware groups targeting the UK include Qilin, Sinobi and Beast.

In a seemingly endless game of whack-a-mole, smaller, newer ransomware cells appear to pop up when older, more established cartels get taken down by the authorities.

Experts advise organisations that depend on complex supply chains to be particularly vigilant, due to the increased second-degree risk of shared data exposure.

The rising tide of supply chain attacks was a key trend in 2025. As our Head of Security, Jake Ives, cautioned, “Businesses need to get to know their contractors and non-full-time staff, their setup and infrastructure, as well as any business that provides a service to them that stores sensitive information.”

Watch our webinar in partnership with the Cyber Resilience Centre for the East for more advice.

Should you trust a ‘trusted domain’? No, and here’s why…

We’ve long warned clients not to open emails from unknown senders. But this advice is no longer sufficient. Hackers are also exploiting legitimate platforms that are trusted by organisations.

Jake has warned of a weakness in Microsoft’s Power BI – the automated, no-code business analytics platform – now being exploited by hackers.

Jake cautions that the scorecard functionality in Power BI is currently being abused to send phishing emails to external recipients. Worryingly, these emails seem to genuinely originate from no-reply-powerbi(at)microsoft(dot)com, not a spoofed address, making them extremely difficult to detect.

Says Jake, “This is precisely why you should never add Microsoft(dot)com to your email allow list if you’re an administrator. And, if you’re a user, ask your admin to only add trusted suppliers to the email allow/bypass list. Then, crucially, let your email defences analyse each message properly. Remember, just because it came from a trusted supplier domain, it doesn’t mean you should automatically trust it.”

You might think that any email with a malicious link will automatically get blocked by email filters, but that’s not always the case. Jake warns that hackers are increasingly exploiting open redirect vulnerabilities in trusted domains. This allows them to present a reputable URL to a victim, which then redirects to a malicious destination, bypassing traditional link scanning.

For example, that “click here” link may direct to: hxxps[://]supertrusteddomain[.]com/redirect?url=hxxps[://]attackerdomain[.]com

So, even a legitimate domain with an excellent reputation can be vulnerable to open redirect flaws. The malicious email thus passes security checks.
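To show how a mail or proxy team might surface the pattern described above, here is an added example (not part of the original newsletter and not Intersys tooling). It refangs a link, then reports any query parameter that carries a full URL pointing away from the outer host. The function names and sample links are constructed for illustration; the two domains are the placeholders used above, and the same-site test is a simple suffix match rather than a public-suffix lookup.

```python
import re
from urllib.parse import urlsplit, parse_qsl

def refang(text):
    """Undo common defanging (hxxp, [://], [.], (dot)) so the URL can be parsed."""
    text = re.sub(r"hxxp", "http", text, flags=re.I)
    return text.replace("[://]", "://").replace("[.]", ".").replace("(dot)", ".")

def embedded_redirects(url):
    """Return [(param, destination_host)] for query parameters whose value is an
    absolute or protocol-relative URL on a host other than the link's own."""
    outer = urlsplit(refang(url))
    outer_host = (outer.hostname or "").lower()
    findings = []
    # parse_qsl percent-decodes once, so url=https%3A%2F%2F... is caught too.
    for name, value in parse_qsl(outer.query, keep_blank_values=True):
        value = refang(value.strip())
        if not re.match(r"(?i)^(https?:)?//", value):
            continue  # relative paths stay on the trusted site
        try:
            dest_host = (urlsplit(value).hostname or "").lower()
        except ValueError:
            continue  # malformed value, nothing to resolve
        if not dest_host:
            continue
        # Assumption: subdomains of the outer host count as the same site.
        same_site = dest_host == outer_host or dest_host.endswith("." + outer_host)
        if not same_site:
            findings.append((name, dest_host))
    return findings

# Constructed sample links; the first is the example given above.
SAMPLE_LINKS = [
    "hxxps[://]supertrusteddomain[.]com/redirect?url=hxxps[://]attackerdomain[.]com",
    "https://supertrusteddomain.com/out?next=https%3A%2F%2Fattackerdomain.com%2Flogin",
    "https://supertrusteddomain.com/redirect?url=https://docs.supertrusteddomain.com/help",
    "https://supertrusteddomain.com/redirect?url=/account",
]

def triage(links):
    """Map each link to its off-site redirect findings (empty list = none found)."""
    return {link: embedded_redirects(link) for link in links}

if __name__ == "__main__":
    for link, hits in triage(SAMPLE_LINKS).items():
        print("REVIEW" if hits else "ok    ", link, hits)
```

A hit means the link's real destination differs from the domain a reputation check would score, so the destination host is the one to evaluate.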

Says Jake: “If you weren’t expecting an email containing a link or attachment, don’t engage with it. Verify through a separate channel first.”

No ifs, no buts – your supply chain must have Cyber Essentials, says NCSC

As we noted late last year, the rise of supply chain attacks was a key theme in the security landscape of 2025. Marks & Spencer, Jaguar Land Rover and the Co-op Group were the big names that took a hit due to chinks in their supply chains. But many lesser-known SMEs, from logistics firms to vendor companies, were also targeted by attackers because of poor supply chain security.

The problem has prompted the government to call for wider adoption of its Cyber Essentials certification as a way to shore up basic cyber defences within the nation’s supply chains.

The National Technical Authority for cyber security – the NCSC (National Cyber Security Centre) – is urging businesses to bolster the UK’s supply chain resilience by insisting that all suppliers in their supply chain sign up to the Cyber Essentials scheme.

To support widespread adoption of Cyber Essentials, the NCSC has also released a Cyber Essentials Supply Chain Playbook, which gives organisations detailed guidance on implementing Cyber Essentials internally and throughout their supply chain. The advice also includes incentives such as free cyber-advisor support, £25,000 in cyber insurance and Cyber Essentials vouchers, to name just a few.

The Cyber Essentials certification scheme will give businesses and their wider supply chains the assurance that they have basic security controls in place to defend against common cyber threats. According to the NCSC, businesses that implement just five main controls can reduce their risk, improve resilience and give stakeholders verified assurance of an organisation’s baseline cyber security standards.

At Intersys, we routinely help organisations with our Cyber Essentials Assessment Service. Do get in touch if you want more information on how to get Cyber Essentials certified.

Cloudy, with a chance of criminals

Security experts have warned organisations reliant on cloud environments to stay alert to a hacker group weaponising modern cloud management services.

Investigations by security firm Flare revealed a group known as TeamPCP, which gained notoriety late last year for targeting misconfigured and vulnerable cloud services.

The hackers aim to create a wider proxy and scanning infrastructure, hack into servers, steal data, distribute ransomware for extortion and mine cryptocurrency.

It’s believed that TeamPCP has compromised at least 60,000 servers worldwide using worm attacks, where each infected system starts to scan for and contaminate the next exposed target. This leads to an exponential growth in infected systems.

The group is believed to be targeting exposed control planes in the cloud, such as Docker APIs, Kubernetes APIs and Ray dashboards.

Western organisations seem to be the primary target, with data stolen from e‑commerce, HR and finance teams.

According to Flare research, 61% of the compromised servers are in Azure and 36% in AWS.

Experts are urging organisations to shore up their defences by revisiting cloud infrastructure fundamentals such as network segmentation, least privilege access policies, widespread MFA adoption and data encryption.

Other vulnerabilities

SolarWinds Web Help Desk Deserialization of Untrusted Data Remote Code Execution Vulnerability

Fortinet Authentication Bypass Vulnerability

Microsoft Office Security Feature Bypass Vulnerability

Cisco Unified Communications Products Remote Code Execution Vulnerability
