Threat landscape on Ransomware attacks
Source: ENSIA
As one of the most devastating types of cybersecurity attacks over the last decade, ransomware has grown to impact organisations of all sizes across the globe.
What is ransomware?
Ransomware is a type of cybersecurity attack that allows threat actors to take control of the assets of a target and demand ransom for the availability and confidentiality of these assets.
What the report covers
This threat landscape report analysed a total of 623 ransomware incidents across the EU, the United Kingdom and the United States for a reporting period from May 2021 to June 2022. The data was gathered from governments' and security companies' reports, from the press, verified blogs and in some cases using related sources from the dark web.
The findings and what they tell us
Between May 2021 and June 2022 about 10 terabytes of data were stolen each month by ransomware threat actors. 58.2% of the data stolen included employees' personal data. At least 47 unique ransomware threat actors were found. For 94.2% of incidents, we do not know whether the company paid the ransom or not. However, when the negotiation fails, the attackers usually expose and make the data available on their webpages. This is what happens in general and is a reality for 37,88% of incidents.
We can therefore conclude that the remaining 62,12% of companies either came to an agreement with the attackers or found another solution.The study also shows that companies of every size and from all sectors are affected. The study reveals that the total number of ransomware attacks is much larger than reported. At present the total is impossible to capture since too many organisations still do not make their incidents public or do not report on them to the relevant authorities.
Information about the disclosed incidents is also quite limited since in most cases the affected organisations are unaware of how threat actors managed to get initial access. In the end, organisations might deal with the issue internally (e.g. decide to pay the ransom) to avoid negative publicity and ensure business continuity. However, such an approach does not help fight the cause – on the contrary, it encourages the phenomenon instead, fuelling the ransomware business model in the process.
It is in the context of such challenges that ENISA is exploring ways to improve this reporting of incidents. The revised Network and Information Security Directive (NIS 2) is expected to change the way cybersecurity incidents are notified. The new provisions will aim to support a better mapping and understanding of the relevant incidents.
What can Ransomware do: the lifecycle and the business models
According to the analysis of the report, ransomware attacks can target assets in four different ways: the attack can either Lock, Encrypt, Delete or Steal (LEDS) the target's assets. Targeted assets can be anything such as documents or tools from files, databases, web services, content management systems, screens, master boot records (MBR), master file tables (MFT), etc.
The life cycle of ransomware remained unchanged until around 2018 when ransomware started to add more functionality and when blackmailing techniques matured. We can identify five stages of a ransomware attack: initial access, execution, action on objectives, blackmail, and ransom negotiation. These stages do not follow a strict sequential path.
5 different ransomware business models emerged from the study:
- A model focused around individual attackers;
- A model focused around group threat actors;
- A ransomware-as-a-service model;
- A data brokerage model; and,
- A model aimed mostly at achieving notoriety as key for a successful ransomware business (ransomware operators need to maintain a certain reputation of notoriety, otherwise, victims will not pay the ransom).
The report recommends the following:
- Strengthen your resilience against ransomware by taking actions such as:
- keep an updated backup of your business files & personal data;
- keep this backup isolated from the network;
- apply the 3-2-1 rule of backup: 3 copies, 2 different storage media, 1 copy offsite;
- run security software designed to detect most ransomware in your endpoint devices;
- restrict administrative privileges; etc.
- If you fall victim of a ransomware attack: contact the national cybersecurity authorities or law enforcement for guidance;
- do not pay the ransom and do not negotiate with the threat actors;
- quarantine the affected system;
- visit the No More Ransom Project, a Europol initiative;
This ransomware threat landscape report was developed on the basis of the recently published ENISA Threat Landscape Methodology — ENISA (europa.eu). The new methodology aims to provide a consistent and trusted baseline for the transparent delivery of horizontal, thematic and sectorial cybersecurity threat landscapes using a systematic and transparent process for data collection and analysis.
ENISA is constantly looking for ways to gather feedback and to continually improve and update the methodology applied to the performance of cybersecurity threat landscapes. Please feel free to reach out to etl@enisa.europa.eu with suggestions.
Target audience:
European Commission and European Member States policy makers (including but not limited to European Union institutions (EUIs);EU institutions, bodies and agencies (EUIBAs); Cybersecurity experts, industry, vendors, solution providers, SMEs;
Member States and national authorities (e.g. cybersecurity authorities);
If you are interested in finding out more about the IISF, or would like to attend one of our Chapter Meetings as an invited guest, please contact the
IISF Secretary:
By email:
secretary@iisf.ie
By post:
David Cahill
Information Security
GPO, 1-117
D01 F5P2
Enhance your Cybersecurity knowledge and learn from those at the coalface of information Security in Ireland
Forum SPONSORS
Invitations for Annual Sponsorship of IISF has now reopened.
(your logo & profile link here)
Sponsors are featured prominently throughout the IISF.IE website, social media channels as well as enjoying other benefits Read more
