During the last decade ransomware has become one of the most devastating types of attacks, impacting organisations of all sizes worldwide. Quickly adapting to new business models with advanced threat actors leveraging the cybercrime ecosystem for a better distribution of labour, ransomware has managed to increase its reach and impact significantly. No business is safe.
This report aims to bring new insights into the reality of ransomware incidents through mapping and studying ransomware incidents from May 2021 to June 2022. The findings are grim.
Ransomware has adapted and evolved, becoming more efficient and causing more devastating attacks. Businesses should be ready not only for the possibility of their assets being targeted by ransomware but also to have their most private information stolen and possibly leaked or sold on the Internet to the highest bidder.
The main highlights of the report include the following:
• A novel LEDS matrix (Lock, Encrypt, Delete, Steal) that accurately maps ransomware capabilities based on the actions performed and assets targeted;
• A detailed and in-depth analysis of the ransomware life cycle: initial access, execution, action on objectives, blackmail, and ransom negotiation;
• Collection and in-depth analysis of 623 ransomware incidents from May 2021 to
• More than 10 terabytes of data stolen monthly by ransomware from targeted
• Approximately 58.2% of all the stolen data contains GDPR personal data based on
• In 95.3% of the incidents it is not known how threat actors obtained initial access into the target organisation;
• It is estimated that more than 60% of affected organisations may have paid ransom demands;
• At least 47 unique ransomware threat actors were found.
The report also highlights issues with the reporting of ransomware incidents and the fact that we still have limited knowledge and information regarding such incidents. The analysis in this report indicates that publicly disclosed incidents are just the tip of the iceberg.
Along with a general recommendation to contact the competent cybersecurity authorities and law enforcement in cases of ransomware attacks, several other recommendations are put forward, both to build resilience against such attacks and to mitigate their impact.
The threat of ransomware has consistently ranked at the top in the ENISA Threat Landscape for the past few years and, in particular, in 2021 it was assessed as being the prime cybersecurity threat across the EU[1]. Motivated mainly by greed for money, the ransomware business model has grown exponentially in the last decade[2] and it is projected to cost more than $10 trillion by The evolution of the business model to a more specialised and organised distribution of labour through a cybercrime-as-a-service model has turned ransomware into a commodity.
Nowadays, it seems simpler for anyone with basic technical skills to quickly perform ransomware attacks. The introduction of cryptocurrency, the fact that affected companies actually do pay the ransom, and the more efficient division of work, have greatly fuelled the growth of ransomware, generating a catastrophic global effect[4][5].
Even though ransomware is not new, technologies evolve and with them so do attacks and vulnerabilities, putting pressure on organisations to always be prepared for a ransomware attack.
In many cases, staying in business requires difficult decisions, such as paying or not paying the ransom[6], since this money ends up fuelling ransomware activities. This is despite years-long and consistent recommendations not to pay ransom demands and to contact the relevant cybersecurity authorities to assist in handling such incidents.
This report brings new insights into the ransomware threat landscape through a careful study of 623 ransomware incidents from May 2021 to June 2022. The incidents were analysed in depth to identify their core elements, providing answers to some important questions such as how the attacks happen, whether ransom demands are being paid and which sectors are the most affected. The report focuses on ransomware incidents and not on the threat actors or tools, aiming to analyse ransomware attacks that actually happened as opposed to what could happen based on ransomware capabilities.
This ransomware threat landscape has been developed on the basis of the recently published ENISA Cybersecurity Threat Landscape Methodology[7].
The report starts by clearly defining what ransomware is since it has proven to be an elusive concept spanning various dimensions and including different stages. The definition is followed by a novel description of the types of ransomware that breaks the traditional classification and instead focuses on the four actions performed by ransomware, i.e. Lock, Encrypt, Delete, Steal (LEDS), and the assets at which these actions are aimed. By defining the types of ransomware, it is then possible to study the life cycle of ransomware and its business models. This characterisation of ransomware leads into the core of this report which is the deep analysis of 623 incidents and its summary in precise statistics. The report ends by highlighting recommendations for readers and key conclusions.
• Chapter 1, Introduction, provides a brief introduction to the problem of ransomware attacks and the dedicated ENISA ransomware threat landscape report;
• Chapter 2, Focus on Ransomware, discusses what ransomware is and its key elements, as well as proposing the LEDS matrix to accurately map ransomware capabilities based on the actions performed and assets targeted;
• Chapter 3, Ransomware Life Cycle, gives a detailed overview of the life cycle of a
• Chapter 4, Ransomware Business Models, discusses the evolution of ransomware business models and how trust is the key to the ransomware business;
• Chapter 5, Analysis of Ransomware Incidents, presents a detailed study of ransomware incidents from May 2021 to June 2022, including a timeline of incidents;
• Chapter 6, Recommendations, provides high-level recommendations to better protect against ransomware incidents;
• Chapter 7, Conclusions, highlights the most important conclusions of the study and how they can potentially impact the future of the threat landscape.