
ENISA 2022 ransomware report gives insights also on regulatory measures to be undertaken

The ENISA 2022 ransomware report provides valuable insights to companies on how to deal with cyberattacks, also in relation to regulatory measures to be implemented to limit the risk of data breaches. 

The ENISA Threat Landscape for Ransomware Attacks is the result of the review of 623 ransomware incidents from May 2021 to June 2022, which is a relevant percentage since ENISA estimated that the total number of incidents during the same period was 3,640. Below is an analysis of how these attacks are evolving and what the recommended measures are, including regulatory actions, to protect against them.

Ransomware attacks are becoming more sophisticated

There are four core actions that a ransomware attack can execute: it can

  • Lock access to an asset (e.g., files and folders), such as locking the screen or locking access to a particular application;
  • Encrypt an asset (e.g., data), making it unavailable to the target;
  • Steal an asset, compromising its availability and, in the end, its confidentiality, also through the exfiltration of data which frequently leads to their publication on the dark web; and
  • Delete an asset, making it permanently unavailable.

The stages of a ransomware attack are the following:

  • Initial access which often occurs through stolen credentials, phishing, and other solutions that, based on my experience, usually exploit human errors and the lack of understanding by victims of the potential cyber risks arising for the organization from their actions;
  • Execution which can take several weeks since the threat actor is within the IT environment of the victim, studying its infrastructure and performing the preparatory actions. From a regulatory standpoint, such an interim stage is extremely dangerous since regulators might challenge the lack of proper monitoring of the company’s systems;
  • Action on objectives which occurs when the ransomware attack is deployed. The full effects of the attack might take weeks to complete, and there is no guarantee that the encryption has been done correctly, which means that there is no guarantee that, after paying the ransom, data will be decrypted;
  • Blackmail which consists of three main components: 1) the communication to the victim of what occurred, which has now evolved to a notice on public sources such as the threat actor’s website, leading to considerable damages, even reputational ones, to the company; 2) the threat of the loss or damage that might occur if the demand is not met, which has evolved to a partial/full publication on the dark web, the sale of data to the best bidder, as well as the performance of a DDoS against the victim; and 3) the demand for payment of the ransom or performance of some actions. If the threat actors decrypt data after the payment, their reputation increases, which makes the payment from future victims more likely to happen;
  • Ransom negotiation that, based on my experience, normally requires the instruction of an intermediary and the performance of lengthy negotiations aimed, on the one hand, at lowering the price and, on the other hand, at buying some time to enable the company to reinforce its defenses to make a second attack unlikely to happen. I agree with ENISA that the payment of a ransom is not recommended in most cases as there is no certainty of decryption, and the actual erasure of data can never be certain. But in some circumstances, it might be inevitable if the organization has no other means to regain access to data since, for instance, backup copies of data have also been encrypted.

A ransomware business model becoming exponentially popular is a Ransomware-as-a-Service (RaaS), where threat actor groups offer their software platform to external affiliates to conduct attacks. This type of business model allows the RaaS operators to have multiple revenue streams. At the same time, RaaS has lowered the entry-level barrier to conducting ransomware attacks as attackers now do not need to know how to write their own ransomware.

ENISA data on ransomware attacks

Useful insights originate from data reported by ENISA on ransomware attacks, where it appears that:

  • 46.2% of the total incidents led to data leaks, which means that in half of the cases, a ransomware attack leads to the exfiltration of data then published on the dark web;
  • in 47.83% of the cases, the stolen data were leaked, which shows a considerably high risk that leakage of data will lead to their publication either in full or (more frequently) in part; and
  • 58.2% of all the stolen data contained GDPR personal data, with 33% of the stolen data including employees’ personal data and 18.3% including customer personal data. Based on my experience, this data has to be read in the sense that generally, organizations better protect the data of their customers (e.g., through their CRM) than that of their employees, also due to the potential reputational damages.

Recommendations on how to deal with a ransomware attack

ENISA provides several recommendations on security measures to be implemented to lower the risk of a ransomware attack, including the need to have adequate backups, conduct regular risk assessments and adopt protocols for managing attacks. 

Likewise, if a company is the victim of a ransomware attack, ENISA recommends that the organization, among other things, contacts the national cybersecurity authorities, does not pay the ransom, quarantines affected systems, and locks down access to backup systems until after the infection is removed.

Enforcing regulatory compliance is somewhat complex when there are multiple jurisdictions involved. One suggestion is to initially use DLA Piper Global Data Protection Laws of the World to see in which jurisdictions a notification might be required and then investigate with local consultants to see what the conditions and modalities are for performing notifications. In the United States, for example, the conditions and modalities for performing notifications are different from state to state and, at the same time, in the case of notice to data subjects, the risk of a class action in a state like California is definitely high. To handle these situations, we have created a task force and process at DLA Piper to best assist clients in these types of cyber-attacks.

The above-mentioned measures are useful, but they do not factor in the following:

  1. Most ransomware attacks are the result of human errors, and therefore if the organization is not able to create an internal culture of cyber risks, it will always be exposed; 
  2. Regardless of the technical measures implemented, it is never possible to totally exclude the risk of a cyberattack. The company needs to implement the measures to minimize the risk, but it also has, in parallel, to collect evidence of having implemented the appropriate measures. Such a requirement is expressly provided by the accountability principle set out in the GDPR, but regulatory obligations are expanding beyond privacy regulations and apply to non-personal data as well. Cybersecurity compliance is often deemed to be a task relegated to the technical department but requires cooperation with the legal department of the company; and
  3. The organization needs to be trained to react to a ransomware attack since procedures are often valid on paper but never tested, which prevents identifying potential weaknesses and ensuring the efficiency of the plan.

On a similar topic, you may find interesting the article “How to deal with a data breach following a ransomware cyberattack?”.


Giulio Coraggio

I am the location head of the Italian Intellectual Property & Technology department and the global co-head of the IoT and Gaming and Gambling groups at the world-leading law firm DLA Piper. IoT and artificial intelligence influencer and FinTech and blockchain expert, finding solutions to what's next for our client's success.
