2022 ENISA Report Finds Ransomware Attacks Continue to Dominate the Global Cybersecurity Landscape

Published 30 August 2022

Many organisations have had to confront the harsh reality that no matter how large or small their business, they are not safe from ransomware attacks as threat actors are more sophisticated and easily adapt to different business models. These attacks allow threat actors to take control of the data of a target organisation and then demand a ransom to ensure the availability and confidentiality of this data.

The European Union Agency for Cybersecurity (“ENISA”) published a report on 29 July 2022 which analysed a total of 623 ransomware incidents across the EU, the United Kingdom and the United States for a reporting period from May 2021 to June 2022. The data was collated from various sources including, but not limited to, governments’ and security companies’ reports, verified blogs and in some instances using related sources from the dark web.

We have summarised the key takeaways from the report below:

• Between May 2021 and June 2022 about 10 terabytes of data were stolen each month by ransomware threat actors.
• At least 47 unique ransomware threat actors were found.
• Approximately 58.2% of the data stolen contains personal data (as defined under the GDPR) including, but not limited to, employees' personal data.
• In 95.3% of the incidents, it is not known how threat actors obtained initial access into the target organisation.
• Based on the analysis, it is estimated that 62.12% of affected organisations may have paid ransom demands.
• When negotiations between the target organisation and the threat actor fail, the attackers may expose the data on their webpages which occurs in approximately 37.88% of incidents.

The findings serve as a warning to organisations of all sectors and size that there is a very real possibility of their data and assets being targeted, and potentially leaked or sold on the dark web.

The study reveals that the gross number of ransomware attacks is much larger than anticipated, particularly considering that a vast proportion of organisations do not publish the fact they have been subjected to ransomware incidents or do not report them to the relevant authority.

The fact that targeted organisations are usually unaware of how the threat actor obtained initial access to their network further limits the information available on disclosed incidents. Ultimately, organisations may address the issue internally to protect the reputational image of the company and ensure business continuity.

The ENISA report has recommended the following actions be taken by organisations to prevent and limit the likelihood of ransomware attacks:

• Businesses should maintain an updated backup of their files and personal data;
• The backup of business files should be isolated from the main network;
• Apply the 3-2-1 rule of backup: 3 copies, 2 different storage media and 1 copy offsite;
• Limits should be enforced on the administrative privileges to access a business network; and
• Businesses should actively run security software which is designed to detect ransomware in endpoint devices.

Our Cyber team is experienced in responding to ransomware attacks, and assisting organisations with managing their business response to these attacks. Should you wish to discuss any matters outlined in this article or otherwise, please get in touch with the authors.