Total cost of ransomware attack heading towards $2m

The average total cost to an organisation of recovering from a ransomware attack has more than doubled in the space of just 12 months, rising from $761,106 (£588,000 at prevailing exchange rates) in 2020 to $1.85m (£1.33m) in 2021, with the average ransom paid now standing at $170,404.

This is according to Sophos’ annual State of ransomware report, which also revealed that of the 32% of organisations that ill-advisedly chose to pay a ransom in the past 12 months (up from 26%), only 8% managed to decrypt and retrieve all of their compromised data, with 29% getting back no more than half of their data.

The highest ransom paid among those surveyed was $3.2m, with the average payment clustering around the $10,000 mark. This means the average cost of remediating an attack is now, on average, 10 times the cost of paying up.

“The findings confirm the brutal truth that when it comes to ransomware, it doesn’t pay to pay. Despite more organisations opting to pay a ransom, only a tiny minority of those who paid got back all their data,” said Sophos principal research scientist Chester Wisniewski.

“This could be in part because using decryption keys to recover information can be complicated. What’s more, there’s no guarantee of success. For instance, as we saw recently with DearCry and Black Kingdom ransomware, attacks launched with low quality or hastily compiled code and techniques can make data recovery difficult, if not impossible.

“Recovering from a ransomware attack can take years and is about so much more than just decrypting and restoring data,” said Wisniewski. “Whole systems need to be rebuilt from the ground up, then there is the operational downtime and customer impact to consider, and much more.”

This said, at the same time, the number of organisations that experienced a ransomware attack during the past 12 months dropped, from just over half to just over a third, reflecting the well-observed trend for ransomware operators to extensively research their targets and tailor bespoke attacks to maximise their chances of a pay-off.

This trend was reflected elsewhere in the report, which found more than half of organisations now consider ransomware attacks to be too complex for in-house IT and security teams to handle.

“The apparent decline in the number of organisations being hit by ransomware is good news, but it is tempered by the fact that this is likely to reflect – at least in part – changes in attacker behaviours,” said Wisniewski.

“We’ve seen attackers move from larger scale, generic, automated attacks to more targeted attacks that include human hands-on-keyboard hacking. While the overall number of attacks is lower as a result, our experience shows that the potential for damage from these more advanced and complex targeted attacks is much higher. Such attacks are also harder to recover from, and we see this reflected in the survey in the doubling of overall remediation costs.”

A further point of note in Sophos’ data is the rise of ransomware attacks that don’t involve the use of encryption. This trend was aptly demonstrated earlier in April 2021 by the ReVIL/Sodinokibi gang’s recent attempt to extort Apple after apparently stealing its proprietary data from a technology partner.

“The definition of what constitutes a ransomware attack is evolving. For a small, but significant minority of respondents, the attacks involved payment demands without data encryption. This could be because they had anti-ransomware technologies in place to block the encryption stage or because the attackers simply chose not to encrypt the data,” said Wisniewski.

“It is likely that the attackers were demanding payment in return for not leaking stolen information online. A recent example of this approach involved the Cl0p ransomware gang and a known financially motivated threat actor hitting around a dozen alleged victims with extortion-only attacks.

“In short, it is more important than ever to protect against adversaries at the door, before they get a chance to take hold and unfold their increasingly multi-faceted attacks. Fortunately, if organisations are attacked, they don’t have to face this challenge alone. Support is available 24/7 in the form of external security operations centres, human-led threat hunting and incident response services.”