The majority of ransomware infections at European companies and institutions are not reported to the authorities. It is also unknown how many victims are infected and whether they pay the ransom. This complicates efforts to tackle ransomware.
ENISA, the European Union's agency for cybersecurity, writes in a report that it has little insight into ransomware victims. For its investigation, the agency looked at 623 incidents in the EU, the United Kingdom and the United States that took place in the past year. In total, ten terabytes of data were stolen. In 58 percent of the cases, data was also stolen from employees. ENISA used reports from companies and governments, media and blog posts, and in some cases messages on the dark web.
A notable conclusion in the report is that for 94.2 percent of all incidents, ENISA was unable to determine whether the company paid the ransom. In 37.88 percent of the cases, data was later shared on the internet that was stolen during the attack. “From this we can conclude that 61.12 percent of all companies have come to an agreement with the attackers or have found another solution,” the researchers write. In the case of ransomware infections, it has become the norm for attackers to also threaten to make stolen data public, as an additional means of pressure on the victim. This happens in the vast majority of cases.
The researchers also say that the number of cases studied is "just the tip of the iceberg," and that the real number of ransomware infections is much higher. According to the researchers, it is difficult to determine because many victims do not make their incidents public or do not report them to the authorities.
That also makes further research into ransomware difficult, says ENISA. In many cases, the victims are unable or unwilling to say how the attackers first got in. Combined with the fact that ransomware payments are often made in secret, "that approach does not help in fighting ransomware, quite the contrary," the researchers write.
ENISA is advocating for better rules that require cyber incidents to be reported. This should become easier under the Network and Information Security Directive, or NIS2, a European regulation that is currently being drawn up and that will oblige companies in certain sectors to report cyber incidents.