Pay the ransom and double your recovery costs, report warns

Ransomware victims who take the difficult decision to pay cyber criminals to prevent their data from being leaked or to regain control of their systems double the costs of recovering from the initial attack, according to statistics gathered by Vanson Bourne on behalf of threat protection specialist Sophos.

In its lastest annual State of ransomware report, which has just been released, Sophos reported that the average cost of recovery from a ransomware attack clocked in at £588,000 for victims that don’t cough up, but £1.1m for those that choose to pay.

Across the survey sample – 5,000 IT decision-makers in 26 countries in the Americas, Asia-Pacific and central Asia, and Europe, the Middle East and Africa – Sophos found that 27% of organisations hit by ransomware admitted paying up.

The survey also found that 51% of organisations had experienced a significant ransomware attack in the past 12 months, down from 54% in 2017, with data encrypted in 72% of successful attacks.

“Organisations may feel intense pressure to pay the ransom to avoid damaging downtime. On the face of it, paying the ransom appears to be an effective way of getting data restored, but this is illusory,” said Sophos principal research scientist Chester Wisniewski.

“Sophos’s findings show that paying the ransom makes little difference to the recovery burden in terms of time and cost. This could be because it is unlikely that a single magical decryption key is all that’s needed to recover. Often, the attackers may share several keys, and using them to restore data may be a complex and time-consuming affair.”

“Paying a ransom makes little difference to the recovery burden in terms of time and cost. This could be because it is unlikely that a single magical decryption key is all that’s needed to recover”

Bearing this out, 56% of the sample group said they had been able to recover their data from backups without paying the ransom, but of those which did pay, about 1% got no data back, rising to 5% of public sector organisations.

However, said Sophos, contrary to popular belief, the public sector was less affected by ransomware than many others, with attacks reported by 45% of organisations in that category, compared with 60% of media, leisure and entertainment businesses.

Like others in the industry, Sophos has also observed a marked evolution in the techniques ransomware gangs are using to increase pressure on their victims.

In a separate report marking a year since the emergence of the Maze ransomware strain, it said the technique of adding the threat of data exposure to the threat of data encryption, as pioneered by the group behind Maze, was becoming much more widespread.

While the Maze group didn’t invent the double extortion technique, they have a tendency towards attention-seeking behaviour – issuing “press releases” and trolling prominent threat researchers is central to their brand identity – which has indubitably served to popularise the technique.

“An effective backup system that enables organisations to restore encrypted data without paying the attackers is business critical, but there are other important elements to consider if a company is to be truly resilient to ransomware,” said Wisniewski.

“Advanced adversaries like the operators behind the Maze ransomware don’t just encrypt files, they steal data for possible exposure or extortion purposes. We’ve recently reported on LockBit using this tactic. Some attackers also attempt to delete or otherwise sabotage backups to make it harder for victims to recover data and increase pressure on them to pay.

“The way to address these malicious manoeuvres is to keep backups offline and use effective, multi-layered security solutions that detect and block attacks at different stages,” said Wisniewski.