Cybersecurity firm Sophos recently announced the findings of its global survey “The State of Ransomware 2020,” which revealed that paying ransom for data decryption post a ransomware attack is far more expensive. The research said that the total cost of recovery from a ransomware attack almost doubles when organizations pay ransom to cybercriminals.
According to the research, 51% of organizations experienced a significant ransomware attack in the last 12 months, compared to 54% in 2017. Data was encrypted in nearly three quarters (73%) of attacks that successfully breached an organization. It was found that the average cost of addressing the impact of ransomware attack was more than $730,000, which included business downtime, lost orders, and operational costs. However, the average cost increased to $1.4 million when organizations agreed to pay the ransom.
To understand what actually happens once ransomware hits an organization, Sophos surveyed 5,000 IT and security decision makers from 26 countries across six continents, including Europe, the Americas, Asia-Pacific and central Asia, the Middle East, and Africa.
Around 27% of organizations hit by ransomware admitted paying the ransom. More than half (56%) of the IT managers surveyed stated that they were able to recover their data from backups without paying the ransom. A small minority if cases (1%) said paying ransom did not lead to the recovery of data while this figure rose to 5% for public sector organizations. In fact, 13% of the public sector organizations surveyed never managed to restore their encrypted data, compared to 6%, overall.
The public sector was least affected by ransomware, with just 45% of the organizations surveyed in this category stating they were hit by a significant attack in the previous year. At a global level, media, leisure, and entertainment businesses in the private sector were most affected by ransomware, with 60% of respondents reporting attacks.
Chester Wisniewski, Principal Research Scientist, Sophos said, “Organizations may feel intense pressure to pay the ransom to avoid damaging downtime. On the face of it, paying the ransom appears to be an effective way of getting data restored, but this is illusory. Sophos’ findings show that paying the ransom makes little difference to the recovery burden in terms of time and cost. This could be because it is unlikely that a single magical decryption key is all that’s needed to recover. Often, the attackers may share several keys and using them to restore data may be a complex and time-consuming affair.”
Attackers Pressurize for Ransom
In its another research report “Maze Ransomware: Extorting Victims for 1 Year and Counting,” Sophos researchers explained the tools, techniques, and procedures used by the advanced threat actors, which are designed to increase pressure on the victim to pay the ransom.
“An effective backup system that enables organizations to restore encrypted data without paying the attackers is business critical, but there are other important elements to consider if a company is to be truly resilient to ransomware. Advanced adversaries like the operators behind the Maze ransomware do not just encrypt files, they steal data for possible exposure or extortion purposes. We have recently reported on LockBit using this tactic. Some attackers also attempt to delete or otherwise sabotage backups to make it harder for victims to recover data and increase pressure on them to pay. The way to address these malicious maneuvers is to keep backups offline, and use effective, multi-layered security solutions that detect and block attacks at different stages,” added Wisniewski.