Kenjo - stock.adobe.com

Ransomware victims paying out when they don’t need to

Sophos’s annual State of Ransomware report shows dramatic increases in the impact of ransomware attacks, but also finds many organisations are paying ransoms when they don’t need to

Just over a quarter of ransomware victims that paid off their attackers did so even though they have other means of data recovery, such as restoration from backups, according to the latest annual State of Ransomware report from Sophos.

The study of more than 5,000 organisations found that the volume and impact of ransomware attacks continued on a relentless upward trajectory last year, with 66% of organisations hit by ransomware attacks in 2021, up from 37% in 2020.

Sophos found the average pay-out grew by nearly five times to $812,360 (£646,709), and the proportion of organisations paying over a million dollars to get their data back grew from 4% in 2020 to 11% in 2021. Sophos said 46% of victims paid some kind of ransom, but 26% of those had the means to restore encrypted data of their own accord.

“Alongside the escalating payments, the survey shows that the proportion of victims paying up also continues to increase, even when they have other options available,” said Chester Wisniewski, principal research scientist at Sophos.

“There could be several reasons for this, including incomplete backups or the desire to prevent stolen data from appearing on a public leak site. In the aftermath of a ransomware attack, there is often intense pressure to get back up and running as soon as possible.

Restoring encrypted data using backups can be a difficult and time-consuming process, so it can be tempting to think that paying a ransom for a decryption key is a faster option. It’s also an option fraught with risk. Organisations don’t know what the attackers might have done, such as adding backdoors, copying passwords and more. If organisations don’t thoroughly clean up the recovered data, they’ll end up with all that potentially toxic material in their network and potentially exposed to a repeat attack.”

“Restoring encrypted data using backups can be a difficult and time-consuming process, so it can be tempting to think that paying a ransom for a decryption key is a faster option. It’s also an option fraught with risk”
Chester Wisniewski, Sophos

The Sophos report also contains new data on the average cost to recover from a ransomware attack, which now clocks in at $1.4m over an average of a month, with 86% of victims saying they had lost business and/or revenues as a result.

Many more victims are now turning to cyber insurance as a vital element of the recovery process, with 83% of mid-sized organisations having a policy that contained ransomware cover. Insurance was found to have covered some or all of the costs incurred in 98% of documented incidents.

The study also documented the changing nature of the ransomware insurance market – likely as a result of the increasingly high-profile nature of the beast. A total of 94% of those that held cyber insurance policies said they were now faced with more demanding clauses for security measures, more complex and expensive policies, and less choice of provider.

Wisniewski suggested this may mean the evolutionary journey of ransomware has reached something of a peak. “Attackers’ greed for ever higher ransom payments is colliding head-on with a hardening of the cyber insurance market as insurers increasingly seek to reduce their ransomware risk and exposure,” he said.

“In recent years, it has become increasingly easy for cyber criminals to deploy ransomware, with almost everything available as a service. Second, many cyber insurance providers have covered a wide range of ransomware recovery costs, including the ransom, likely contributing to ever higher ransom demands. However, the results indicate that cyber insurance is getting tougher and in the future ransomware victims may become less willing or less able to pay sky-high ransoms.

“Sadly, this is unlikely to reduce the overall risk of a ransomware attack. Ransomware attacks are not as resource-intensive as some other, more hand-crafted cyber attacks, so any return is a return worth grabbing and cyber criminals will continue to go after the low-hanging fruit.”

By most measures, UK less impacted

For organisations located in the UK, the data revealed that, by many measures, British organisations have tended to be less dramatically impacted by ransomware.

Average payments made to ransomware gangs by UK organisations were significantly below the global figures, coming in at $166,828, with 40% of victims choosing to pay a ransom. The average recovery cost was $1.08m, again lower than the global average.

Whether or not UK organisations are less affected because they are less frequently targeted, or because they are better prepared, is not readily apparent from the data, but Sophos found the majority had made changes to their cyber defences over the past year, with new technology and services, improved training and education, and changes to processes and behaviours the most common responses.

Read more about ransomware

 

Read more on Hackers and cybercrime prevention