RANSOMWARE attacks are expanding at such an exponential rate that they will cost the global economy ten trillion dollars ($10 trillion) by 2025, according to an influential new study.

The figure came from researchers at the European Union Agency for Cybersecurity (ENISA), which has been monitoring cyber-crime across the world since 2004.

The Athens-headquartered organisation arrived at its projection after analysing 623 ransomware incidents which took place between May 2021 and June 2022.

And ENISA’s “Threat landscape for Ransomware Attacks” makes chilling reading.

It reveals how ransomware has now become a franchise commodity where a cyber-criminal with even basic computer skills can quickly target companies and individuals pretty much anywhere around the world – with the USA (112 recorded incidents 2021-2022), Germany (96), and France (78) the most targeted countries.

Reported ransomware incidents country by country
Reported ransomware incidents country by country (Credit: ENISA)

The sectors most heavily targeted were so-called “heavy industry” – which would include oil and gas refineries global shipping, and large-scale manufacturing plants. Governments were also targeted, as were Information Services, and health sectors.

Although these were the top targeted sectors, cyber criminals will literally target anywhere
Although these were the top targeted sectors, cyber criminals will literally target anywhere (Credit: ENISA)

In more than 95.3% of incidents, victims of cyber-crimes did not know how the ransomware threat actors had gained access to their systems.

The report stated: “Interestingly, from our previous analysis of leaked data, we found that 37.88% of the targets had their data fully leaked on the Internet. This suggests, but does not imply, that around 62.12% of the incidents might have actually paid the ransom, and that is why their data was not leaked.”

Adding: “Of course, there are many mitigating situations, such as targets that paid and their data was leaked anyway, or targets that did not pay and their data was not leaked. However, the estimation of 62.12% is very close to the result of a survey from the Claroty security company that found that 62.14% of the respondents confirmed that their company paid the ransom. Although these numbers should not be taken as a guide because they are merely indicators, they certainly bring the problem into focus.”

ENISA said the findings are “grim,” adding that businesses needed to be “ready for the possibility of their assets being targeted by ransomware, but also to have their most private information stolen and possibly leaked or sold on the internet to the highest bidder.”

And while financial inducement was the most common motivation for online blackmail, cyber criminals were also asking for changes in corporate policy, new software features, and asking targets to infect their social circle.”

Blackmail demands from cyber criminals could also include infecting your social circle
Blackmail demands from cyber criminals could also include infecting your social circle (Credit: ENISA)

An evolving feature of ransomware identified by the report’s authors was “data brokerage,” where stolen data was sold on.

“In this model, threat actors take further advantage of the stolen data by selling it to the highest bidders. This also includes reselling the access obtained to the target to other threat actors for additional exploitation,” the report added.

The report recommended potential targets take the following steps:

  • Keep an updated backup of your business files & personal data. Keep this backup isolated from the network;
  • Apply the 3-2-1 rule of backup: 3 copies, 2 different storage media, 1 copy offsite;
  • Run security software designed to detect most ransomware in your endpoint devices; and
  • Restrict administrative privileges.

If you fall victim of a ransomware attack:

  • Contact the national cybersecurity authorities or law enforcement for guidance;
  • Do not pay the ransom and do not negotiate with the threat actors;
  • Quarantine the affected system; and
  • Visit the No More Ransom Project, a Europol initiative.


  • Dennis Rice

    National Security News (NSN) welcomes the appointment of Dennis Rice, former Chief Reporter of the Daily Express and Investigations Editor of the Mail on Sunday, as its Launch Editor. He brings with him three decades of experience covering national and international news, which has also included a stint working as a producer at Channel 4 Dispatches. Commenting on his new role, Dennis said: “NSN is a digital platform which exists purely to break stories and uncover new twists and exclusives around existing ones. Whether it’s reporting on the cloak and dagger world of espionage, cyber terrorism, subversion, or intelligence we are very much looking forward to giving the existing media a run for its money.” Dennis Rice is a veteran investigative journalist who has finished as a runner up in Journalist of the Year category at the British Press Awards. He also worked as Investigations Editor of the Mail on Sunday, Chief Reporter of the Daily Express, and as a senior journalist at the Sunday Mirror and the News of the World. His Dispatches credits include working as a producer on How To Stop Your Nuisance Calls (an expose on charity fundraisers) and Murder in the Sky: Flight MH17 (reporting on the crash of the Malaysia Airlines flight MH17, shot down over the eastern Ukraine). While at the Mail on Sunday he wrote a series of articles which resulted in the resignation of BP Chief Lord Browne, and earlier David Blunkett as the then Work and Pensions Secretary. In 2011 he was paid damages at the High Court after his former employer the News of the World admitted hacking his phone.