Security incidents involving ransomware are generally rarely reported, according to a comprehensive report by Enisa, the European cybersecurity agency. Most organizations choose to solve the problem internally and avoid bad publicity. The resulting lack of reliable data makes it difficult to identify the problem.
Enisa conducted research on ransomware attacks from May 2021 to June 2022. In a ransomware attack, cybercriminals use a type of malware that encrypts files on a device or network. The criminals then demand a sum of money from the affected organization or individual in exchange for releasing the files.
In its investigation, Enisa looked at 623 incidents in the European Union, the United Kingdom and the United States. To do so, the researchers used reports from companies and governments, media reports, blog posts and, in some cases, even posts on the dark web. On average, ransomware criminals stole more than 10 terabytes of data per month. 58.2% of the stolen data contained employee personal data.
Enisa concluded that in 94.2% of incidents, it was not clear whether the company had paid a monetary amount to the attackers. The result is a lack of reliable data from affected organizations, which Enisa argues makes it difficult to determine the extent of the problem. Knowledge about ransomware incidents and the problems to be solved also remains low. Because little information was available about the cases studied, Enisa believes that only "the tip of the iceberg" is known and that the impact of ransomware is much higher than what the researchers observed.
According to Enisa, ransomware incidents are generally rarely reported to authorities. This is because most organizations want to avoid bad publicity by solving the problem internally.
Information about how the attackers gained access to the systems is also often missing. Such information is usually private data describing the target's security posture, and it is not shared with the public. Enisa argues that this lack of information disadvantages the community and its knowledge of ransomware.
The researchers call for better legislation around cyber incident reporting. They point to a recent bill in the United States that makes it mandatory to report all security incidents and ransom payments to the Cybersecurity and Infrastructure Security Agency, part of the Department of Justice.
Enisa also looks ahead to the arrival of the Network and Information Security Directive 2 (NIS2) in the European Union. This European regulation will require companies within certain sectors to report cyber incidents, which is expected to contribute to a better understanding of relevant incidents.