Thoughts on the ENISA Ransomware report
I have just finished reading the ENISA report on ransomware attacks in the past year and uncharacteristically for me, I have thoughts. And feelings. Maybe mostly feelings.
It’s a great effort and the team that composed this clearly spent hours trying to get it right. It’s unfortunate that the old adage of “garbage in, garbage out” applies so strongly here. The data this is based on is either sketchy or completely missing. This is not the fault of the team but rather a symptom of the subject area. The report is well written, the graphs are informative, but there’s nothing that can save it from the fact that it’s based on at most 17% of ransomware attacks in Europe, UK and USA. There are no conclusions that can be drawn from such a small sample size. Kudos to the team, they don’t actually try to draw any, except that as a society we need to be better at reporting and documenting these attacks, otherwise we are never going to improve.
There’s a lot of secrecy around ransomeware. I am sure there’s a million reasons for it, a few come to mind immediately:
1. Shame - you got attacked, therefore you did something wrong. I can see us trying to work that one through as a society, since it is in essence victim blaming.
2. Fear - you got attacked, therefore you are vulnerable, therefore it will happen again. I think this one is surmountable as well, it's a culture shift, don't get me wrong, but the more we learn from the attacks, the stronger we become.
3. Shareholders - I am by no means an expert in investment, shares and boards, but I am going to assume that being attacked isn't rocket fuel for share prices. This one is a challenge, since markets work in mysterious ways and there's no way I can say that reporting an attack would be beneficial. I'd like it to be.
4. Confusion - you got attacked, what are you supposed to do exactly? Is this a 999 thing? Is there a different number? This one is probably the easiest one to tackle. Even if I am the first to admit that corporate training videos put me to sleep.
Mostly this report made me sad. A lot of effort, a lot of goodwill and the main thing I got out of it was that we don’t know much. And that paying the ransom probably works. Sad 😞
P.S. Also interesting that in one case decryption took such a long time, that even though the victim paid the ransom, there was still a lot of disruption.