ENISA reports shortcomings of current reporting mechanisms across EU in latest ransomware threat analysis

The European Union Agency for Cybersecurity (ENISA) released findings on Friday that describe the reality of ransomware incidents, based on mapping and studying ransomware incidents from May last year to June this year. The ransomware threat has adapted and evolved, becoming more efficient and causing more devastating attacks. As a result, businesses should be ready not only for the possibility of their assets being targeted by ransomware but also for their most private information being stolen and possibly leaked or sold on the Internet to the highest bidder.

“Making detailed analysis and mitigating the ransomware threat necessitates a better understanding of the threat landscape and to do so, more efficient and effective incident reporting is necessary,” the European agency said in its latest report titled ‘ENISA Threat Landscape for Ransomware Attacks.’ In addition, “the fact that we were able to find publicly available information for 17.11% of the cases highlights that when it comes to ransomware, only the tip of the iceberg is exposed and the impact is much higher than what is perceived,” it added.

The agency also highlights issues with reporting ransomware incidents and the fact that limited knowledge and information regarding such incidents are available. The analysis in the report indicates that publicly disclosed incidents are just the tip of the iceberg.

The target audience of the research includes policymakers in the European Commission and the Member States, including but not limited to European Union institutions (EUIs) and EU institutions, bodies and agencies (EUIBAs); cybersecurity experts, industry, vendors, solution providers, and SMEs; and member states and national authorities, such as cybersecurity authorities.

The lack of reliable data from targeted organizations makes it very hard to understand the problem fully or even know how many ransomware cases there are, ENISA said. “To this day, the most reliable sources for finding out which organisations have been infected are the web pages of the ransomware threat actors. This lack of transparency is not good for the industry, since the majority of the data leaked, as was found in this report, is personal data that belongs to employees and customers,” it added.

ENISA added that even using the data from the web pages of hackers (an undeniably unreliable source), it is very hard to keep track of the number of attacks, particularly because a large majority of attacks go unreported by the victims and receive no media coverage. “The most important information that is missing is the technical explanation as to how the attackers obtained access to the targets. This is usually private data that describes the security posture of the target, so it is never shared with the public. As a consequence, our learning as a community of the problems to be solved remains fragmented and isolated,” it added.

Furthermore, the trend of using ransomware-as-a-service (RaaS) makes it hard to identify the hacker behind an attack, since the ransomware tool and command and control infrastructure are now shared between many different affiliates and hacker groups. RaaS has lowered the entry barrier to conducting ransomware attacks. Attackers no longer need to know how to write their own ransomware; they need to know only how to conduct an attack, and the RaaS operators provide the ransomware and the platform to operate it. It enables anyone to attack, and anyone can become a target.

The RaaS platforms also introduce a new level of anonymity into cybercrime operations, as it is rarely known who the attacker is while operating as an affiliate, ENISA said. It is now easier than ever to get into ransomware as an affiliate, profit, and retire quickly, as has already been witnessed with some ransomware threat actors.

The ENISA study showed that more than ten terabytes of data a month were stolen by ransomware threat actors. Its research shows that 58.2 percent of the stolen data contains personal data from employees. Given the sensitivity of such data, coordinated actions are needed to counter this threat. Ransomware hackers are motivated mostly by money, which increases the complexity of the attacks and, of course, the adversaries’ capabilities. The study also shows that companies of every size and from all sectors are affected.

ENISA said that in 94.2 percent of the incidents, it is not known whether the company paid the ransom or not. However, 37.88 percent of the incidents had their data leaked on the webpages of the attackers, indicating that the ransom negotiations failed. “This allows us to estimate that approximately 62.12% of the companies might somehow have come to an agreement or solution concerning the ransom demand,” it added.

The ENISA analysis considers 623 ransomware incidents worldwide with a special focus on Europe, the U.K., and the U.S. These incidents were selected from news reports, the reports of security companies, government reports, and the original sites of the ransomware threat actors. Each incident was explored in depth and confirmed from multiple sources.

Of the 623 incidents included in the report, ENISA found proof of data leaks for 288, 46.2 percent of the total incidents. The total accumulated stolen data for all incidents is 136.3 TB, with an average of 518 GB per incident and 10 TB per month. The maximum volume of stolen data found in one incident alone was 50 TB; this was stolen from Brazil’s Ministry of Health (MoH) by the Lapsus$ threat actor.

The top three countries attacked are the U.S. with 112 incidents, Germany with 96 incidents, and France with 78 incidents, ENISA revealed. “Out of the studied 623 incidents, it was not reported how the threat actors got initial access in 594 of them, which is an overwhelming 95.3%. It is understandable that targets don’t want to share how they were (or still are) vulnerable for security reasons but at the same time the lack of information does not help others to realise what they should improve or how they can also be a victim in the future,” it added.

The life cycle of ransomware remained unchanged until around 2018 when ransomware started to add more functionality and blackmailing techniques matured, ENISA said. “We can identify five stages of a ransomware attack: initial access, execution, action on objectives, blackmail, and ransom negotiation. These stages do not follow a strictly sequential path which can vary,” it added.

ENISA provided a general set of recommendations to help organizations deal better with the problem of ransomware, focusing on preparing against ransomware attacks, decreasing the impact of ransomware, and arriving at the decision on whether to pay. The techniques used by attackers are continuously evolving. As a result, they keep finding new ways to compromise targets, forcing organizations to think not about whether they may suffer a ransomware attack but about when it will happen.

The report recommends strengthening resilience against ransomware by keeping an updated backup of business files and personal data, which should be kept isolated from the network. In addition, organizations should apply the 3-2-1 rule of backup, run security software designed to detect most ransomware on endpoint devices, and restrict administrative privileges.