Ransomware Groups Stole Over 136 TB of Data in a Year’s Time


Ransomware gangs and other malicious actors stole over 136 TB of data from companies around the globe between May 2021 and June 2022, according to a “grim” report from the European Union Agency for Cybersecurity (ENISA).

ENISA analyzed 623 ransomware incidents across the EU, UK and United States, noting that the publicly available findings were only the “tip of the iceberg.”

‘Grim’ Findings in Ransomware Research

According to ENISA researchers, the study on recent global ransomware attacks didn’t turn up a lot of positive data. “The findings are grim. Ransomware has adapted and evolved, becoming more efficient and causing more devastating attacks,” the report states. “Businesses should be ready not only for the possibility of their assets being targeted by ransomware but also to have their most private information stolen and possibly leaked or sold on the Internet to the highest bidder.”

ENISA found that 47 unique threat actors were behind the 623 incidents, the most prolific of which were the Conti, LockBit, and Hive ransomware gangs.

Of the 136 TB of stolen data, the biggest haul came from an attack on Brazil’s Ministry of Health, though in this case it was the Lapsus$ hacking group that made off with 50 TB of data in one score. The same group was behind a spate of high-profile security incidents earlier this year. In February, the group carried out a ransomware attack on gaming giant Nvidia.

The agency estimates that the total number of ransomware incidents in the time frame was 3,640. Therefore, the report covers around 17% of the estimated total incidents between May 2021 and June 2022. About 58% of stolen data included GDPR personal data.

Furthermore, 33% of the stolen data contains personally identifiable information (or PII), and 18.3% includes personally protected information (PPI) — two categories of personal data belonging to people outside the EU.

Plenty of Questions Remain Unanswered

ENISA also stated it could not accurately assess how many of the victims paid ransoms. This is because most organizations do not make this information publicly available. Also, in many countries, it is either illegal to pay ransoms, or it is strongly discouraged. This deters many organizations from providing accurate incident reports.

The agency could only clarify payment outcomes in 66 out of the 623 incidents (5.8%). In these cases, only 8 victims paid the ransom, while the other 58 did not.

Another startling discovery was that, in an overwhelming majority of incidents (95.3%), it is not known how the attackers gained initial access to their targets’ networks.

The report also found that attackers do not have a preference for any specific industry. Its findings suggest that “ransomware is targeting all sectors indiscriminately and that no type of industrial sector is safe.”

What is ENISA?

As the official EU agency for cybersecurity, ENISA works on the bloc’s cyber policy, and on improving the cybersecurity of ICT products and services. Its main aim is to achieve a “high common level of cybersecurity” across the region.

In its Threat Landscape for Ransomware Attacks report, ENISA studied and mapped ransomware incidents between May 2021 and June 2022. Through the report, the agency aimed to offer new insights to businesses and governments about ransomware incidents.


Technology policy researcher
Prateek is a technology policy researcher with a background in law. His areas of interest include data protection, privacy, digital currencies, and digital literacy. Outside of his research interests, Prateek is an avid reader and is engaged in projects on sustainable farming practices in India.