It said criminals had been using unsecured Internet of Things (IoT) devices to launch giant distributed denial of service (DDoS) attacks, had launched extortion attacks against commercial organisations that have "achieved very high levels of ransom and high rates of paying victims", and had demonstrated the ability to affect the outcome of democratic processes like the US presidential elections.
Executive director of ENISA Udo Helmbrecht said: "As we speak, the cyber-threat landscape is receiving significant high-level attention: it is on the agenda of politicians in the biggest industrial countries. This is a direct consequence of 'cyber' becoming mainstream, in affecting people's opinions and influencing the political environment of modern societies."
Malware tops ENISA's list, with over 600 million samples identified per quarter, and with mobile malware, ransomware, and information stealers being the main areas of criminal malware innovation.
"Equally impressive was the fact that state-sponsored threat actors have launched malware that has had high efficiency by exploiting quite a few zero-day vulnerabilities," the report said.
It noted that the average lifespan of malware hashes -- the unique identification of a malware variant used by malware detection tools -- has shrunk so much that a specific malware variant might exist for just one hour.
"This is indicative of the speed of malware mutation in order to evade detection on the one hand, and one of the reasons for gaps in end-point protection measures (i.e. anti-virus software)," it said.
The report also blamed the availability of 'malware-as-a-service' offerings, which allow users to rent the infrastructure for a few thousand dollars per month to launch, for example, ransomware attacks with $100,000 monthly revenues.
The report said that DDoS attacks -- once used by activists to disrupt corporate websites -- are now being used for extortion attempts, part of the trend toward monetising hacking. Similarly, the report noted that phishing has successfully reached the executive level: CEO fraud is now causing significant losses to companies.
And while it may be a surprise that, following the controversy around the US presidential election, ENISA ranked cyber-espionage at the bottom of its list, it noted: "Known/confirmed cases are the top of the iceberg. This is because espionage campaigns are difficult to identify. And once identified are difficult/costly to analyse. It is believed that cyber-espionage is the motive of much more undetected campaigns. To this extent, the assessed descending trend of this threat may not be fully valid. Secondly, cyber-espionage is much targeted: it uses the same methods as cyber-crime, but it possesses intelligence allowing it to lure victims much more efficiently."