Publicly Reported Ransomware Incidents Are Just The Tip Of An Iceberg

Uploaded on 2022-08-03 in NEWS-Cybersecurity News, FREE TO VIEW

The threat landscape report on ransomware attacks just published by the European Union Agency for Cybersecurity (ENISA) uncovers the shortcomings of the current reporting mechanisms across the EU. As one of the most devastating types of cyber security attacks over the last decade, ransomware has grown to impact organisations of all sizes across the globe.

Ransomware is a type of cyber security attack that allows threat actors to take control of the assets of a target and demand ransom for the availability and confidentiality of these assets.

What The Report Covers 

This threat landscape Report analysed a total of 623 ransomware incidents across the EU, the United Kingdom and the United States for a reporting period from May 2021 to June 2022. The data was gathered from governments' and security companies' reports, from the press, verified blogs and in some cases using related sources from the dark web.

Between May 2021 and June 2022 about 10 terabytes of data were stolen each month by ransomware threat actors. 58.2% of the data stolen included employees' personal data. At least 47 unique ransomware threat actors were found. For 94.2% of incidents, we do not know whether the company paid the ransom or not. 

However, when the negotiation fails, the attackers usually expose and make the data available on their webpages. This is what happens in general and is a reality for 38% of incidents. We can therefore conclude that the remaining 62% of companies either came to an agreement with the attackers or found another solution.

The study also shows that companies of every size and from all sectors are affected although at present the total is impossible to capture since too many organisations still do not make their incidents public or do not report on them to the relevant authorities.

Information about the disclosed incidents is also quite limited since in most cases the affected organisations are unaware of how threat actors managed to get initial access. In the end, organisations might deal with the issue internally (e.g. decide to pay the ransom) to avoid negative publicity and ensure business continuity. However, such an approach does not help fight the cause, on the contrary, it encourages the phenomenon instead, fuelling the ransomware business model in the process.

It is in the context of such challenges that ENISA is exploring ways to improve this reporting of incidents. The revised Network and Information Security Directive (NIS 2) is expected to change the way cybersecurity incidents are notified. The new provisions will aim to support a better mapping and understanding of the relevant incidents.

What Ransomware Does: The Lifecycle & Business Models

According to the analysis of the report, ransomware attacks can target assets in four different ways: the attack can either Lock, Encrypt, Delete or Steal (LEDS) the target's assets. Targeted assets can be anything such as documents or tools from files, databases, web services, content management systems, screens, master boot records (MBR), master file tables (MFT), and many others.

The life cycle of ransomware remained unchanged until around 2018, when ransomware started to add more functionality and blackmailing techniques matured.

ENISA identify five stages of a ransomware attack: initial access, execution, action on objectives, blackmail, and ransom negotiation, although these stages do not follow a strict sequential path. The five different ransomware business models are:-  

  • A model focused around individual attackers;
  • A model focused around group threat actors;
  • A ransomware-as-a-service model;
  • A data brokerage model; and,
  • A model aimed mostly at achieving notoriety as key for a successful ransomware business (ransomware operators need to maintain a certain reputation of notoriety, otherwise, victims will not pay the ransom).  

Report Recommendations

Strengthen your resilience against ransomware by taking actions including:

  •  Keep an updated backup of your business files & personal data;
  •  Keep this backup isolated from the network;
  •  Apply the 3-2-1 rule of backup: 3 copies, 2 different storage media, 1 copy offsite;
  •  Run security software designed to detect most ransomware in your endpoint devices;
  •  Restrict administrative privileges; etc.

If you fall victim to a ransomware attack

  •  Contact the national cybersecurity authorities or law enforcement for guidance;
  •  Do not pay the ransom and do not negotiate with the threat actors;
  • Quarantine the affected system;
  • Visit the No More Ransom Project, a Europol initiative.

ENISA strongly recommended to share your ransomware incident information with your relevant authorities to be enable them to alert potential victims, identify threat actors, support the security research and develop means to prevent such attacks or better respond to them.

ENISA Threat Landscape for Ransomware Attacks

You Might Also Read:

The European Union Adopts A Cyber Security Strategy:

 

« Flunking Cyber Education
How to Prepare Your Security Team For The Future Of Vulnerability Management »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

Bulb Security

Bulb Security

Whether your internal red team or penetration testing team needs training, or you lack internal resources and need an outsourced penetration test, Bulb Security can help.

National Cyber League (NCL)

National Cyber League (NCL)

The NCL provides a virtual training ground for participants to develop, practice, and validate their cybersecurity knowledge and skills.

Materna Virtual Solution

Materna Virtual Solution

Materna Virtual Solution security solutions enable user-friendly, secure mobile working environments.

IT Association of Slovakia (ITAS)

IT Association of Slovakia (ITAS)

ITAS is a professional association of domestic and foreign companies operating in the field of information and communication technologies

Signifyd

Signifyd

Signifyd is the world's largest provider of Guaranteed e-Commerce Fraud Protection.

Aujas Cybersecurity

Aujas Cybersecurity

Aujas has deep expertise and capabilities in Identity and Access Management, Risk Advisory, Security Verification, Security Engineering, & Managed Detection and Response services.

Redshift Consulting

Redshift Consulting

Redshift is an information management and information security consulting company offering a full range of services from infrastructure design to security assessments and network monitoring.

MONITORAPP

MONITORAPP

MONITORAPP is responsible for complete web security. Protect your business environment with Application Security Solutions from MONTORAPP.

Take Five

Take Five

Take Five is a national campaign offering straight-forward, impartial advice that helps prevent email, phone-based and online fraud – particularly where criminals impersonate trusted organisations.

Dectar

Dectar

Dectar (formerly 4Securitas) is a cybersecurity company that provides solutions that predict, detect, defend and react against cybersecurity threats.

South West Cyber Resilience Centre (SWCRC)

South West Cyber Resilience Centre (SWCRC)

The South West Cyber Resilience Centre (SWCRC) is led by serving police officers, as part of a not-for-profit partnership with business and academia.

Park Place Technologies

Park Place Technologies

Park Place Technologies' mission is to drive uptime, performance and value for critical IT infrastructure.

Oxeye

Oxeye

Oxeye fills the gap between cloud and code to show exploitable vulnerabilities, and their path from API to code. More visibility. Less noise. More time to build.

Federal Bureau of Investigation (FBI)

Federal Bureau of Investigation (FBI)

The mission of the FBI is to protect and defend against intelligence threats, uphold and enforce criminal laws, and provide criminal justice services.

AuditBoard

AuditBoard

AuditBoard is the leading cloud-based platform transforming audit, risk, ESG, and InfoSec management.

Securily

Securily

Securily offers the ultimate solution for small to medium-sized businesses, blending cutting-edge AI with expert human insight to deliver the world’s easiest and most effective pentesting experience.