Evolution of ransomware incidents: ENISA recommendations to mitigate the threat

ENISA has published a report that illustrates the most recent threat scenario deriving from ransomware through the mapping and study of incidents that occurred from May 2021 to July 2022. Here are the details on the life cycle of the threat, the main types and business models, and recommendations to mitigate it

Ransomware, one of the attacks most feared today by companies and public administrations, has evolved in recent years: threat actors have adapted their business models and tactics in order to extract value and profit from such incidents.

To help organizations mitigate the risk of attack, the European Union Agency for Cybersecurity ("ENISA") recently published the report "ENISA Threat Landscape for Ransomware Attacks", which illustrates the most recent threat scenario arising from ransomware by mapping and studying incidents that occurred from May 2021 to July 2022.

ENISA's findings focus in particular on the analysis of ransomware, its life cycle and its business models, and offer recommendations and food for thought on the impact that such incidents can still have on the overall landscape of threats to IT systems.

The types of ransomware

First of all, the ENISA report defines ransomware as an incident in which threat actors take control of the systems and assets of a target organization and demand a ransom to restore the availability and confidentiality of the compromised information and systems.

The essential elements of ransomware are:

  1. assets, which represent value for the attacked organization (e.g. files and folders, and their contents, present on its systems);
  2. the effects of a ransomware attack, collectively summarized by the acronym "LEDS": locking ("lock") access to a device or application; encrypting ("encrypt") an asset so that it is no longer intelligible; deleting ("delete") an asset so as to irreversibly compromise its availability; and stealing ("steal") an asset, i.e. exfiltrating it and thereby compromising its confidentiality;
  3. the ransom, which is usually economic in nature but may also be aimed at further and different objectives of interest to the criminal organization.

The life cycle of ransomware and the business models adopted

In the report, the life cycle of ransomware, which remained unchanged until 2018, is summarized in five phases:

  • initial access, which may derive, for example, from the exploitation of software vulnerabilities or from stolen access credentials;
  • execution, the phase in which the threat actors study the vulnerabilities of the assets, map the network and the systems connected to it, and adopt the attack strategies that allow them to compromise the greatest possible number of the target organization's systems and information;
  • action on objectives, through which the availability and/or confidentiality of information and IT systems is compromised;
  • ransom demand, through which the threat actors make their request known, announcing the attack in progress and the expected consequences for the assets;
  • ransom negotiation, which usually takes place through private communications between the affected organization and the threat actors.

The ENISA report also summarizes the business models through which threat actors create, distribute and monetize their attacks.

In the past, attacks of this kind were conducted by individuals or small groups who, with no real need for organization, aimed only at developing and spreading ransomware.

Today, however, threat actors organize themselves into groups, dividing up the tasks and objectives required to carry out the various phases of the attack.

So-called Ransomware-as-a-Service ("RaaS") is one of the most significant factors in the current spread of ransomware. It is a genuine attack service that threat actors, often through dedicated platforms, make available to anyone who intends to conduct a ransomware attack (the so-called RaaS affiliates). In this scenario, according to the report, the service providers concern themselves only with initial access and execution, leaving the subsequent phases of the attack to the RaaS affiliates.

Furthermore, looking to the future, threat actors will increasingly shift their attention to the so-called Data Brokerage model, maximizing the profits of their attacks by selling illegally obtained access or data to the highest bidder.

Finally, a public reputation for honoring agreements also constitutes a valid business model for threat actors. To ensure that their incidents pay off and that affected organizations meet the ransom demands, it is often necessary for them to be recognized as an organized group that, once the payment has been made, restores the availability and confidentiality of the compromised assets as promised. This explains why many threat actors are careful to publicly demonstrate the unlocking of systems that follows receipt of the ransom.

Some numbers on incidents from 2021 to today

The focal point of the report, and what helps us understand the reality of ransomware, is certainly the detailed analysis that ENISA conducted on the incidents of the period covered (May 2021 to July 2022).

To this end, ENISA examined 623 incidents that occurred around the world and whose actual execution by the threat actors it was able to verify.

According to the report, 46.2% of the analyzed incidents involved a data leak, amounting on average to 518 GB of compromised information per incident. Moreover, in most of these cases the compromise concerned all of the data present on the attacked systems.

It is also important to highlight that 58.2% of the data involved in the ransomware attacks were personal data and that more than 24% consisted of confidential company information (e.g. production data, administrative documents, confidentiality agreements, etc.).

However, the lack of information on the vulnerabilities exploited by the threat actors did not allow ENISA to describe in the report the methods used to gain access to the affected assets.

In any case, from the analysis of the recurrent behaviors of the threat actors, ENISA was able to estimate that about 60% of the organizations reached an agreement or a compromise with the criminal organizations following the ransom demand.

ENISA recommendations

According to the report, the approach recommended by ENISA to strengthen the security of systems against this kind of incident consists of adopting technical and organizational measures, aimed at improving the resilience of systems and corporate assets, and of collaboration and dialogue with the competent authorities.

The measures recommended by ENISA include, among others:

  1. adequate backup procedures for the files and data of greatest value, ensuring that the backups are isolated from the network, and adoption of the "3-2-1" backup rule (for each piece of data, keep 3 copies, on 2 different storage media, with 1 copy kept off the network);
  2. the use of sound control, risk management and encryption procedures, in accordance with the principles laid down by the GDPR for the protection of personal data;
  3. the preparation of security policies and procedures, as well as differentiated access systems.
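The backup recommendation above is the one that most directly decides whether an organization can refuse to pay: a copy that ransomware can reach over the network is not a backup, and a copy that was never restore-tested may already be encrypted or corrupt. The following script is an added example (it is not from the ENISA report and not an ENISA tool) that audits a backup inventory against the 3-2-1 rule and verifies each copy's SHA-256 against the digest recorded when the backup was taken. The `BackupCopy` record, the `network_reachable` flag, the media names and the sample files are constructed here for illustration.

```python
"""Audit a backup inventory against the 3-2-1 rule and verify copy integrity.

Added example, not from the ENISA report. The inventory record format, the
`network_reachable` flag and the sample data below are constructed assumptions.
"""
from __future__ import annotations

import hashlib
import os
import shutil
import tempfile
from dataclasses import dataclass


@dataclass
class BackupCopy:
    path: str                # where this copy lives
    medium: str              # e.g. "local-disk", "object-storage", "tape" (assumed labels)
    network_reachable: bool  # False for an offline / air-gapped copy


def sha256_of(path: str) -> str:
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def check_3_2_1(copies: list[BackupCopy]) -> list[str]:
    """Return the list of 3-2-1 violations; an empty list means the set is compliant."""
    problems = []
    if len(copies) < 3:
        problems.append(f"only {len(copies)} copies, need at least 3")
    media = {c.medium for c in copies}
    if len(media) < 2:
        problems.append("all copies on a single medium, need at least 2")
    if not any(not c.network_reachable for c in copies):
        problems.append("no copy is isolated from the network, ransomware could reach them all")
    return problems


def verify_integrity(copies: list[BackupCopy], expected_digest: str) -> dict[str, bool]:
    """Map each copy path to True if its digest still matches the one recorded at backup time."""
    return {c.path: sha256_of(c.path) == expected_digest for c in copies}


def demo() -> dict:
    """Build a constructed inventory in a temp directory and run both checks."""
    root = tempfile.mkdtemp()
    try:
        source = os.path.join(root, "contracts.db")
        with open(source, "wb") as f:
            f.write(b"constructed sample data " * 1000)
        expected = sha256_of(source)  # recorded at backup time

        copies = []
        for name, medium, reachable in [
            ("nas/contracts.db", "local-disk", True),
            ("s3/contracts.db", "object-storage", True),
            ("tape/contracts.db", "tape", False),
        ]:
            dest = os.path.join(root, name)
            os.makedirs(os.path.dirname(dest), exist_ok=True)
            shutil.copyfile(source, dest)
            copies.append(BackupCopy(dest, medium, reachable))

        # Simulate ransomware overwriting the network-reachable NAS copy.
        with open(copies[0].path, "wb") as f:
            f.write(b"ENCRYPTED-BY-RANSOMWARE")

        return {
            "rule_violations": check_3_2_1(copies),          # full set: compliant
            "integrity": verify_integrity(copies, expected),  # NAS copy fails
            "online_only_violations": check_3_2_1(copies[:2]),  # drop the tape: 2 violations
        }
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

In the constructed run the three-copy set passes the 3-2-1 check, but the integrity check flags the NAS copy as no longer matching the recorded digest, which is exactly the state an organization discovers too late if it never restore-tests; removing the offline tape from the inventory produces two violations (fewer than three copies, and no isolated copy). In practice the recorded digest should itself be stored somewhere the attacker cannot rewrite, otherwise a tampered copy and a tampered digest will still agree.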

Great value is also attached to the collaboration of affected organizations with the competent authorities. In this regard, ENISA strongly emphasizes the importance of sharing, at government level, the elements that characterize the various incidents, so that more informed and effective protection measures and mechanisms can be developed for everyone. The energy and efforts of companies, the report says, should focus on improving systems and security governance, without giving in to the practice of unconditionally satisfying the demands of threat actors: paying the ransom does not guarantee the recovery of compromised systems and information.


The analysis in the ENISA report clearly paints a serious and worrying picture of the reality and the most recent spread of ransomware attacks, a picture which, given the incidents that presumably remain unknown, may still be incomplete.

The attention that companies and organizations pay to the protection of their data and systems forms part of a broader duty to raise awareness and to adapt to international strategies for the protection of personal data and for cybersecurity, strategies increasingly tailored to national realities and to specific sectors and industries.

The value of protecting corporate assets has grown in tandem with the natural development of the company and of the work organization model, which today is characterized by considerable interconnection and exposure of devices and systems. Moreover, failing to consider these threats exposes companies of all sizes to obligations and consequences that are potentially onerous in the event of a security incident, especially if it concerns personal data or the provision of essential services, as identified in Italy within the National Cyber Security Perimeter.

For these reasons, the numbers that characterize the reality of cyber crime must induce companies to re-evaluate their systems for preventing and managing the risks deriving from the new and changing security threats of the cyber ecosystem.

Therefore, it is necessary to identify the most sustainable solutions and the most appropriate measures to protect systems, tailoring assessments to the specific technological and organizational realities that are most exposed and that represent the most important value for companies.
