
The Cost of a Ransomware Attack, Part 1: The Ransom


According to many estimates, ransomware attacks are one of the most, if not the most, common types of cyber attack. While the number of attacks is generally trending downward, the average cost of an attack is skyrocketing — in part because malicious actors have increasingly taken aim at corporations that have the resources to pay large ransoms (and to eat the ensuing cleanup costs, which can be even more substantial).

Most victims of a ransomware attack aren’t massive organizations like Colonial Pipeline, which shelled out $4.4 billion in May 2021 (much of which was later recovered). Here’s a look at the latest research, with insights from two leading experts on the subject: Chester Wisniewski, principal research scientist at Sophos, and Roger Grimes, security consultant and cybersecurity architect at KnowBe4 and author of the Ransomware Protection Playbook.

Decreasing Attacks, Rising Costs

“There are slightly fewer organizations being hit but it’s having a much larger impact because of the costs,” says Wisniewski.

According to Sophos’s State of Ransomware 2021 Report, 37% of organizations were hit. Ransomware organizations have shifted their focus from individuals and smaller organizations to bigger targets, with accordingly larger payouts. The increasing sophistication of malware has allowed ransomware gangs to penetrate the security systems of larger firms — “big game” — making for more efficient use of their resources.

“They’ve converged on enterprise ransomware in the last two years,” Wisniewski explains. “There aren’t many threat actors still messing around with individuals. If you can get a few hundred thousand from a victim for a similar amount of work, why would you mess around with individuals who may only pay $500?”

Double Extortion

The nature of the attacks has also changed. The rise of double extortion has further incentivized payment. Attackers exfiltrate sensitive corporate data (transfer it out of the network without authorization) before they wallop their target with ransomware. So not only can the attacker lock victims out of their data and systems, they can also threaten to release victims’ sensitive data to the public.

A report from F-Secure found that 40% of known gangs had data exfiltration capabilities. Whereas previously many organizations had failed to back up their data, increased ransomware awareness has led many organizations to create regular backups. Why pay a ransom if the locked-up data exists in viable form elsewhere? The threat of releasing the data drastically alters that dynamic, creating the potential for massive reputational damage as well as regulatory and legal costs. Suddenly, paying a ransom doesn’t seem so bad.

The exfiltration and analysis of this data also allows the gangs to fine-tune their ransom demands according to the data’s sensitivity and the financial resources at the victim’s disposal, as noted in Microsoft’s Digital Defense Report. Access to bank statements and insurance policies allows these actors to turn the screws with exquisite precision.

Average Ransom Demands

Ransomware demands are growing, but of course they vary depending on the target. Averages drawn from across industries and organizations of varying sizes are thus somewhat misleading.

“A couple of $25 million payouts make the average seem really big,” Grimes observes. “Really, that’s one of our problems: We don’t have a reliable way to collect statistics.”

Those million-dollar payments do happen though, and even if the averages are skewed as a result, they are worth a look. Analyses from private organizations tell a far different tale than the FBI’s Internet Crime Complaint Center (IC3) report, which records a mere $29.2 million in ransomware payments in 2020. Ransomware attacks are seriously underreported, as FinCEN’s Bitcoin tracking suggests. According to Sophos, the number of companies that choose to pay the ransom has increased. So: Even the broad averages offered

“The truth is, the average is $25,000 and the average is $3 million. And when you put the two together you end up at $170,000,” says Wisniewski. “The big guys are typically not doing anything less than a million. People are paying between one and five million on the enterprise side. But there’s clearly fewer of them that are being hit for those large sums.”

“The vast majority of respondents in the survey are in that $25,000 bucket, but there are 10 times as many of them. When we average them out, we end up with these weird averages like $170,000,” he adds. “That’s too high for the low-grade criminals and too low for the high-end criminals. The real bulk of the data ends up in balloons at the ends of the spectrum.”

Wisniewski thinks that data privacy laws — like the European Union’s General Data Protection Regulation and the California Consumer Privacy Act — may ultimately increase reporting of these attacks, as the exfiltration threat grows. Prior to the surge in threats of data release, organizations were able to rationalize not reporting ransomware events because the data was never actually exposed. Now, when customer data protected

Read more in Part 2: Cost of a Ransomware Attack: Response and Recovery.
