How many organizations across the world were successfully breached by ransomware in the last 12 months?
Normally, blogs such as this rely on guesstimates to answer such questions, but now the European Union Agency for Cybersecurity (ENISA) has helpfully crunched the evidence and come up with a very specific answer for the period between May 2021 and June 2022—3,640.
This column has circled around the issue of ransomware statistics on several occasions, most recently in July when we looked at whether reports of declining attacks are genuine or simply a relative drop-off after a period of sustained growth.
Nevertheless, in a world awash with malware statistics, ENISA’s analysis marks the first time an independent agency has invested the time to analyze the ransomware phenomenon on a global scale and in sufficient depth.
ENISA’s calculation was based on attacks reported to government agencies around the world (e.g., the 3,729 complaints made to the Internet Crime Complaint Center (IC3) in 2021), reports sourced from security companies or the media (for example, Sophos reporting 3,696 in the year from April 2021), and public disclosures of attacks by ransomware groups themselves (including 1,852 in 2022 up to June).
Adjusting for different reporting periods, that resulted in the figure of 3,640 incidents, of which the organization was able to find more detailed information on only 640, or 17% of the total.
Despite this smaller subset, revealing details emerge. One interesting point is that data was leaked in at least 46% of cases, equivalent to 136TB or an average of 518GB per incident. (A few outliers might have skewed this, such as the extraordinary 50TB leaked by a single victim, Brazil’s Ministry of Health (MoH), in December 2021.)
Unfortunately, a crucial detail that was reported in only 29 of the incidents was how ransomware attackers gained access to victims’ systems. The numbers aren’t large enough to be statistically significant, but for general information purposes, they were led by remote access compromise (12), phishing (8), and supply chain compromise (4).
Similarly, in 94% of cases, it proved impossible to know whether a ransom was paid. ENISA’s researchers infer, from the fact that nearly two-thirds of victims did not have data leaked to the Internet, that many probably paid up.
As to the sectors targeted, it seems ransomware attackers aren’t choosy and will simply target any company with enough weaknesses to be compromised.
On the face of it, the analysis holds few surprises—there’s a lot of ransomware around, most of it not made public. Although the U.S. is the leading target for ransomware, the issue is now a global problem.
As to whether the figure of 3,640 successful attacks is meaningful, that’s more debatable. The number looks plausible when considering the 2,252 incidents during 2021 in which criminals leaked victim data (leaking being more indicative than public reporting). But we don’t know what percentage of incidents are big enough to merit leaking, or whether all ransomware attackers bother with this methodology.
That leads to the alarming conclusion that these numbers probably only measure the larger ransomware incidents, leaving a longer tail of much smaller but still miserable attacks unrecorded. Meanwhile, public reporting is still the exception rather than the rule.
Either way, it’s abundantly clear that a huge volume of data is being stolen every day. That, arguably, is the real story of ransomware, because once data has been lost it can never be un-lost. Where does this data go and how is it abused over time? Frustratingly, in most cases, that remains a much bigger mystery.