Tracking Ransomware: Here's Everything We Still Don’t KnowKnown Unknowns Include Count of Victims and Ransoms Paid, Criminal Profits and More
How many organizations fall victim to a ransomware outbreak? How many victims pay a ransom? How many victims see stolen data get leaked? How are attackers gaining initial access to victims' networks?
Numerous questions remain difficult to answer definitively when it comes to ransomware attacks. Blame the paucity of reliable information on criminals exerting psychological pressure on victims to pay quickly and quietly. Underreporting of such attacks, and ransom payments, remains rampant.
Different studies can at least provide a patchwork of insights.
The latest comes from the European Union Agency for Cybersecurity, which analyzed 623 ransomware incidents covering a 14-month period ending in June 2022 that impacted victims in multiple countries, including the United States.
"These incidents were selected from news reports, the reports of security companies, government reports and the original sites of the ransomware threat actors," ENISA says. "Each incident was explored in depth and confirmed from multiple sources."
Here's what ENISA's researchers found:
- Dozens of strains: At least 47 different strains of active ransomware were in play;
- Payment status unclear: "For 94% of incidents, we do not know whether the company paid the ransom or not";
- But most victims likely pay: In more than 60% of cases, ENISA suspects the victim paid, although in a subset could have "found another solution";
- Data leakage common: Stolen data was leaked in 38% of incidents;
- Personal information leaked: 58% of information stolen by attackers included personally identifiable information, which means the incident could trigger data breach notification rules;
- Initial access unclear: 95% of organizations studied didn't report how attackers gained initial access;
- Broad impact: Organizations of every size, hailing from all sectors, were impacted.
The paucity of good information about ransomware attacks underscores calls by the FBI, U.S. Cybersecurity Infrastructure and Security Agency and others for mandatory reporting of attacks and ransom payments to authorities.
Findings: Yet Again, Big Caveats
ENISA estimates that during the timeframe it studied, there were 3,640 successful ransomware attacks, of which it was only able to obtain details for 623 incidents. "All results and conclusions as presented should take into account this disclaimer concerning the number of incidents used in this analysis" and highlight the overall lack of solid details about so many incidents, it says.
"In addition, the fact that we were able to find publicly available information for [only] 17% of the cases highlights that when it comes to ransomware, only the tip of the iceberg is exposed and the impact is much higher than what is perceived," it says.
Indeed, most attacks never get publicly reported, because victims don't want the negative publicity. Unfortunately, getting a victim to pay quickly and secretly suits ransomware-wielding attackers too.
Law enforcement has a tough time identifying individual attackers or groups at work, prioritizing them based on impact, and issuing warnings to help other organizations block groups' commonly used tactics. It also complicates efforts by investigators to follow the money from victims to criminals' cryptocurrency wallets, and potentially disrupt the flow of funds before they can be cashed out.
Criminals Often Leak Stolen Data
Nearly half of the 623 incidents ENISA studied featured data leakage. About 10% of those involved partial data leakage, while in 38% of incidents, hackers leaked all the stolen data - 518 gigabytes on average.
The volume of leaked data could be much higher. One incident involving the Brazilian Ministry of Health instigated by the Lapsus$ threat actor ended with 50 terabytes worth of leaked data, ENISA says. What's also notable about that incident is that it didn't involve crypto-locking malware but rather extortion based on a pure data-leakge model. Experts say more groups are pursuing this strategy, in part because they believe it makes them less of a target for law enforcement.
From a breach-reporting standpoint, personally identifiable information - including personal data covered by the EU General Data Protection Regulation - often gets stolen during ransomware attacks.
"Our analysis shows that 33% of the stolen data includes employee PII and 18.3% includes customer PII," ENISA says. In addition, 19% contains some type of financial information, such as departmental budgets or financial statements.
Many ransomware groups run data-leak sites, where they will list a subset of non-paying victims. Singapore-based cybersecurity firm Group-IB estimates that on average, only about 13% of a group's victims ever end up on a data-leak site, if it has one.
But it's impossible to extrapolate from individual sites how many victims any given group may have amassed. Attackers also frequently include false information on such sites to make themselves look more notorious, says Brett Callow, a threat analyst at cybersecurity firm Emsisoft.
Completing the Picture
Other studies provide further details.
Based on its incident response investigations, Group-IB estimates that nearly one-third of victims pay a ransom. A self-reported survey of 5,600 midsized organizations conducted by Sophos recently reported similar results.
Coveware, which assists ransomware victims and sometimes negotiates ransom payments, says when a victim pays, on average, it pays $228,125 (see: Ransomware Ecosystem: Big-Name Brands Becoming a Liability).
Like the ENISA research, these ransomware findings also have biases. For example, an organization's efforts or responses might lean toward different sizes of victims or geographies, and thus overrepresent certain ransomware strains or tactics.
Despite our incomplete view of ransomware, we know the takings are enormous. Blockchain intelligence firm Chainalysis has tracked more than $692 million in ransomware payments in 2020, and $602 million for 2021 to cryptocurrency wallets known to be operated by criminals. Both of those figures are sure to increase as new intelligence comes to light.
Clearly, ransomware remains highly lucrative, and details of the vast majority of attacks never become public, thus allowing many in the ransomware ecosystem to continue operating from the shadows. No wonder so many criminals continue to keep trying to get in on the action.