Author Description

The threat of ransomware has consistently ranked at the top in the ENISA Threat Landscape for the past few years and, in particular, in 2021 it was assessed as being the prime cybersecurity threat across the EU. Motivated mainly by greed for money, the ransomware business model has grown exponentially in the last decade and it is projected to cost more than 10 trillion USD by 2025. The evolution of the business model to a more specialised and organised distribution of labour through a cybercrime-as-a-service model has turned ransomware into a commodity. Nowadays, it seems simpler for anyone with basic technical skills to quickly perform ransomware attacks. The introduction of cryptocurrency, the fact that affected companies actually do pay the ransom, and the more efficient division of work, have greatly fuelled the growth of ransomware, generating a catastrophic global effect. Even though ransomware is not new, technologies evolve and with them so do attacks and vulnerabilities, thus pressurising organisations to be always prepared for a ransomware attack. In many cases, staying in business requires difficult decisions, such as paying or not paying the ransom6, since this money ends up fuelling ransomware activities. This is despite year-long and consistent recommendation not to pay ransom demands and to contact the relevant cybersecurity authorities to assist in handling such incidents. This report brings new insights into the ransomware threat landscape through a careful study of 623 ransomware incidents from May 2021 to June 2022. The incidents were analysed in-depth to identify their core elements, providing answers to some important questions such as how do the attacks happen, are ransom demands being paid and which sectors are the most affected. The report focuses on ransomware incidents and not on the threat actors or tools, aiming to analyse ransomware attacks that actually happened as opposed to what could happen based on ransomware capabilities. This rans