The majority of ransomware infections at European companies and institutions go unreported to the authorities. For a large share of the victims it is also unknown how they were infected and whether they paid the ransom. This makes tackling ransomware more difficult.
ENISA, the European Union Agency for Cybersecurity, writes in a report that it has little visibility into ransomware victims. The agency examined 623 incidents in the EU, the United Kingdom and the United States that took place over the past year. In total, ten terabytes of data are said to have been stolen. In 58 percent of the cases, employee data was also stolen. ENISA drew on reports from companies and governments, media reports and blog posts, and in some cases messages on the dark web.
A striking conclusion of the report is that in 94.2 percent of all incidents, ENISA could not determine whether the company paid the ransom. In 37.88 percent of the cases, data stolen during the attack was later published on the internet. “We can conclude from this that 61.12 percent of all companies have come to an agreement with the attackers or found another solution,” the researchers write. In ransomware infections it has become the norm for attackers to also threaten to publish stolen data, as extra leverage over the victim. This happens in the vast majority of cases.
The researchers also say that the number of cases studied is “just the tip of the iceberg.” In reality, the number of ransomware infections is thought to be much higher. According to the researchers, this is difficult to determine because many victims do not publicize their incidents or do not report them to the authorities.
This also makes further research into ransomware difficult, says ENISA. In many cases, victims are unable or unwilling to say how the attackers first got in. Combined with the fact that ransomware payments are often made in secret, “that approach does not help in the fight against ransomware, on the contrary,” the researchers write.
ENISA argues for better rules on when cyber incidents must be reported. This becomes more feasible under the Network and Information Security Directive, or NIS2, a European regulation currently being drafted that obliges companies in certain sectors to report cyber incidents.