A new report from cybersecurity firm Sophos indicates that ransomware recovery costs have shot up in the past year, with the average case approaching $2 million in total expenses. This is up from an average of $761,000 in 2020.
Organizations are also not finding that paying the ransom circumvents the expensive cleanup; only 8% report recovering all of their data after an attack, and 29% only recovered about half of their data. While ransomware recovery costs have ballooned to an average of 10x the usual ransom demand, it is increasingly apparent that this spending will be inevitable following a breach of this type.
Ransomware recovery costs trend upward as focus shifts to “bigger fish”
The Sophos survey included 5,400 business decision makers from 30 countries, with about 100 to 300 respondents from each country and a broad mix of company sizes (100 to 5,000+ employees). There was also a mix of industry types, from IT to local government agencies.
37% of these organizations were hit by ransomware in 2020. 54% of these attacks were successful in encrypting data. The average ransom paid was $170,404, compared to an average ransomware recovery cost of $1.85 million in total. Of those that paid the ransom, only 65% recovered any amount of their data, and about half of those lost more than half of the data. The cost disparity becomes even more stark when you examine the data in detail; of those that paid the ransom, the average was skewed by two organizations that each paid about $3.2 million. Most respondents only paid about $10,000, but still experienced very heavy ransomware recovery costs and faced difficulties restoring data.
There are some common drivers of this massive increase in ransomware recovery costs. While extortion attempts are still not a common component of general ransomware attacks, they are on the rise (up 4% from last year). Ransomware groups are also becoming more selective in terms of targets, favoring larger organizations that they see as having the greatest need and ability to make payments. The overall percentage of respondents hit by ransomware was actually down from last year (by 14%), yet costs doubled. Sophos attributes this to more selective and sophisticated attacks, predominantly conducted by actual humans rather than automated scripts designed to cast a broad net. The respondents backed this hypothesis up, with 42% of the organizations of 1,000+ employees reporting an attack versus 33% of the smaller groups.
India takes the lead in number of ransomware attacks
The report also found some emerging geographical factors. India is now experiencing the largest number of ransomware attacks, and Sophos reports that a primary driver is criminal actors within the country attacking domestic targets. Austria is second and the US is third, with slightly over half of US respondents reporting a ransomware attack in 2020. The report notes that Japan has an unusually low rate of ransomware attempts for a developed and prosperous country, which it tentatively attributes to the language barrier posing problems for attackers. In general, developed Western economies are the most frequently targeted and are also presented with the highest average demands ($214,096).
There is also great disparity in ransomware recovery costs based on geographical location. Austria, which was the second most frequently attacked, was also way ahead of the pack in terms of average cost at $7.75 million. Belgium, Singapore and India all had average recovery costs of over $3 million. Other nations above the world average were the Netherlands, the United States, Mexico, the United Kingdom, Canada and Australia. About a dozen countries had ransomware recovery costs that came in at under $1 million, going as low as $370,000 in the Czech Republic. The report notes that remediation costs tend to correlate with average national salaries.
The most heavily hit industries were retail, education and business & professional services. Though health care made the news throughout 2020 for serious ransomware attacks, it was actually in the middle of the pack in terms of overall incidents. However, it was among the industries least likely to be able to stop the encryption of data during an attack (along with energy utilities and local government). Media and entertainment, transport and manufacturing were the industries most hardened against encryption attempts.
Organizations are taking action but believe that ransomware attacks are inevitable
Among the organizations that escaped a significant ransomware attack last year, 40% believed it was inevitable that they would eventually be hit. 32% said they were seeing an increase in attempts, and 37% said that they knew of other organizations in their industry that had been targeted. 22% admitted to having gaps in their security, while 60% said that they have trained IT security staff that they are confident will be able to stop attacks. An additional 52% have invested in anti-ransomware technology, 37% have air-gapped backups and 32% have ransomware insurance. 90% said that they have some sort of a malware response plan in place, with 51% describing their plan as “full and detailed.” Somewhat alarmingly, local and central governments are the groups that are least likely to have a malware recovery plan in place.
The Sophos report concludes with a series of recommendations for organizations based on this data, one of the most important of which is to not pay ransoms to threat actors; the odds of data recovery are poor, and paying does little to reduce overall remediation costs. Layered cybersecurity protection to block attackers, keeping a set of backups offline and a malware recovery plan are much more important.