There was a massive rise in ransomware attacks on mid-sized organizations in 2021, according to the recently published State of Ransomware 2022 report from cybersecurity firm Sophos. The survey was conducted by Vanson Bourne on 5,600 mid-sized organizations in North and South America, Europe, the Middle East, Africa, Asia, and Asia-Pacific and revealed 66% of those organizations had suffered at least one ransomware attack in 2021, up from 34% of organizations in 2020.
In addition to more attacks occurring, the ransom payments also increased significantly. In 2021 there was a five-fold increase in ransom payments compared to 2020, which rose to an average of $812,360. In 2020, only 4% of organizations that suffered a ransomware attack paid a ransom of more than $1 million, compared to 11% in 2021, with 21% of organizations saying they paid a ransom of less than $10,000, down from 34% of organizations in 2020.
Ransomware gangs know all too well that paying the ransom is the best option financially for most companies as it allows them to recover more quickly. The faster the recovery, the lower the cost of the attack on the business. It is therefore not surprising that the Sophos study found 46% of businesses that experienced file encryption from a ransomware attack chose to pay the ransom. The study also highlighted the effectiveness of double extortion tactics. 26% of companies that were able to recover files from backups still paid the ransom. The average recovery time from a ransomware attack was one month and the average loss to the attack was $1.4 million.
Another factor contributing to the high number of organizations paying ransoms is most mid-sized organizations have insurance policies for ransomware attacks. 83% of mid-sized organizations said they had taken out insurance to cover ransomware attacks, and in 98% of cases, the insurance policy paid out. 40% of attacked firms with insurance said the insurance company covered the cost of the ransom payment.
Insurance companies that provide ransomware-related policies are increasingly placing demands on their policyholders to implement cybersecurity measures to block attacks, and the policies have become much more complex, and the cost of the policies has increased significantly in the past 12 months. The number of attacks now being conducted has also resulted in fewer insurers offering policies that cover ransomware attacks.
The ransom is only a small percentage of the cost of a ransomware attack. A recent analysis from Check Point suggests the ransom payment is only around 15% of the total cost of an attack. The remainder of the cost comes from incident response, restoring data – which even with the decryption keys can be a slow process – hiring third-party consultants, notifying consumers, business disruption, covering the cost of credit monitoring services, and legal costs. The Check Point analysis also indicates ransomware gangs are using the financial data stolen in the attack, along with information from other sources, to set ransom demands that the victims will likely be able to pay. The ransom demand is often based on a victim’s annual revenue and expenses, with the initial demand ranging from 0.7% and 5% of annual revenue and the average being 2.82%. Many ransomware gangs also appear to be willing to negotiate the demand and offer reductions of between 205 and 25% for quick payment.