EU cybersecurity agency ENISA publishes ransomware report, exposing flaws in current EU mechanisms
As one of the most damaging types of cybersecurity attacks of the past decade, ransomware has grown to impact organizations of all sizes around the world.
What is ransomware?
Ransomware is a cybersecurity attack that allows threat actors to take control of a target's assets and demand a ransom to guarantee the availability and confidentiality of those assets.
The report analyzed a total of 623 ransomware incidents in the EU, UK and US during the reporting period from May 2021 to June 2022. The data comes from government and security company reports, the media, verified blogs, and in some cases relevant sources from the dark web.
Between May 2021 and June 2022, ransomware threat actors stole around 10 terabytes of data per month. 58.2% of the stolen data included employee personal data. At least 47 unique ransomware threat actors were identified. For 94.2% of the incidents, it is not known whether the company paid the ransom. However, when negotiation fails, attackers often expose the data on their web pages and make it available. This is what generally happens, and it was the case for 37.88% of incidents.
Therefore, we can conclude that the remaining 62.12% of companies either made an agreement with the attackers or found another solution. The study also shows that companies of all sizes and industries are affected.
However, the above figures only paint part of the overall picture. In fact, research shows that the total number of ransomware attacks is much larger. This total is currently impossible to determine because too many organizations still do not disclose their incidents or report them to the appropriate authorities.
Information about disclosed incidents is also very limited because, in most cases, affected organizations do not know how threat actors managed to gain initial access. Finally, organizations may handle the issue internally (such as deciding to pay a ransom) to avoid negative publicity and ensure business continuity. However, this approach doesn't help solve the problem. Instead, it fuels the phenomenon and the ransomware business model along with it.
It is in the context of these challenges that ENISA is exploring ways to improve the reporting of incidents. The revised Network and Information Security Directive (NIS 2) is expected to change the way cybersecurity incidents are notified. The new regulations are designed to support better mapping and understanding of relevant events.
According to the report's analysis, ransomware attacks can target assets in four different ways: attacks can lock, encrypt, delete, or steal (LEDS) the targeted assets. A targeted asset can be anything, such as documents or tools from files, databases, web services, content management systems, screens, master boot records (MBR), master file tables (MFT), etc.
The ransomware lifecycle remained the same until around 2018, when ransomware started adding more features and ransomware technology matured. We can identify five stages of a ransomware attack: initial access, execution, targeted action, extortion, and ransom negotiation. The stages do not follow a strict sequential path.
4 different types of ransomware business model:
A model centered on individual attackers
A model focused on group threat actors
A ransomware-as-a-service model
A data mediation model
A model that primarily aims to use notoriety as a key to a successful ransomware business (ransomware operators need to maintain a certain notoriety or victims will not pay the ransom)
The five stages of the ransomware life cycle