A new threat landscape report on ransomware attacks published by the European Union Agency for Cybersecurity (ENISA) analysed a total of 623 ransomware incidents across the EU, the United Kingdom, and the United States for a reporting period from May 2021 to June 2022. The data was gathered from governments' and security companies' reports, from the press, verified blogs, and in some cases using related sources from the dark web.
Between May 2021 and June 2022 about 10 terabytes of data were stolen each month by ransomware threat actors. 58.2 percent of the data stolen included employees' personal data.
For 94.2 percent of incidents, it is unclear whether the company paid the ransom or not. However, when negotiation fails, the attackers usually expose the data by publishing it on their webpages; this happened in 37.88 percent of incidents.
ENISA therefore concludes that the remaining 62.12 percent of companies either came to an agreement with the attackers or found another solution.
The study also shows that companies of every size and from all sectors are affected.
According to ENISA, the above figures only portray a part of the overall picture as many organizations do not make their incidents public or do not report on them to the relevant authorities.
Information about the disclosed incidents is also quite limited since in most cases the affected organizations are unaware of how threat actors managed to get initial access. In the end, organizations might deal with the issue internally (e.g. decide to pay the ransom) to avoid negative publicity and ensure business continuity. However, such an approach does not help fight the cause – on the contrary, it encourages the phenomenon instead, fuelling the ransomware business model in the process, says ENISA.
ENISA is currently exploring ways to improve the reporting of incidents. The revised Network and Information Security Directive (NIS 2) is expected to change the way cyber security incidents are notified in the EU. The new provisions will aim to support a better mapping and understanding of the relevant incidents.
To protect against and respond to ransomware attacks, ENISA recommends the following:
Strengthen your resilience against ransomware by taking actions such as:
- Keep an updated backup of your business files & personal data;
- Keep this backup isolated from the network;
- Apply the 3-2-1 rule of backup: 3 copies, 2 different storage media, 1 copy offsite;
- Run security software designed to detect most ransomware in your endpoint devices;
- Restrict administrative privileges; etc.
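As an added example (not code from the ENISA report), a small Python check that evaluates a backup inventory against the 3-2-1 rule and the network-isolation advice above; the `BackupCopy` record and both sample inventories are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class BackupCopy:
    """One stored copy of the business data (hypothetical record type)."""
    label: str
    medium: str              # storage medium, e.g. "disk" or "tape"
    site: str                # where the copy physically lives
    offsite: bool            # stored away from the primary site
    network_isolated: bool   # not reachable from the production network


def check_3_2_1(copies):
    """Return rule -> bool for the backup posture ENISA recommends.

    three_copies: at least 3 copies of the data exist
    two_media:    the copies span at least 2 different storage media
    one_offsite:  at least 1 copy is kept offsite
    isolated:     at least 1 copy is isolated from the network
    """
    return {
        "three_copies": len(copies) >= 3,
        "two_media": len({c.medium for c in copies}) >= 2,
        "one_offsite": any(c.offsite for c in copies),
        "isolated": any(c.network_isolated for c in copies),
    }


def failing_rules(copies):
    """Names of the rules the inventory does not satisfy, sorted."""
    return sorted(rule for rule, ok in check_3_2_1(copies).items() if not ok)


# Constructed sample: three copies, but all on disk, all at the primary site
# and all reachable over the network, so ransomware can encrypt every one.
WEAK_INVENTORY = [
    BackupCopy("primary", "disk", "hq", False, False),
    BackupCopy("nas-mirror", "disk", "hq", False, False),
    BackupCopy("second-nas", "disk", "hq", False, False),
]

# Constructed sample: the same copies plus one offline tape held offsite.
STRONG_INVENTORY = WEAK_INVENTORY + [
    BackupCopy("tape-vault", "tape", "offsite-vault", True, True),
]

if __name__ == "__main__":
    print("weak inventory fails:", failing_rules(WEAK_INVENTORY))
    print("strong inventory fails:", failing_rules(STRONG_INVENTORY))
```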
If you fall victim to a ransomware attack:
- Contact the national cyber security authorities or law enforcement for guidance;
- Do not pay the ransom and do not negotiate with the threat actors;
- Quarantine the affected system;
- Visit the No More Ransom Project - This is an initiative by the National High Tech Crime Unit of the Netherlands’ police, Europol’s European Cybercrime Centre, Kaspersky and McAfee with the goal of helping victims of ransomware retrieve their encrypted data without having to pay the criminals.