Paying Cyber Hijackers’ Ransoms Doubles Cost of Recovery, Sophos Study
by D. Howard Kass • May 11, 2023
In three out of four ransomware attacks, the hijackers succeeded in encrypting victims’ data, cybersecurity provider Sophos said in its newly released State of Ransomware 2023 report.
Data Encryption Tops Ransomware Exploits
That is the highest encryption rate Sophos has recorded since it first issued the report in 2020. Overall, roughly two-thirds (66%) of the 3,000 cybersecurity/IT leaders surveyed in the first quarter of 2023 said their organization had been hit by ransomware in the previous year, the same percentage as last year.
Cybersecurity providers and law enforcement have long urged cyber-kidnapped organizations not to pay a ransom. Sophos’ survey data backs that advice: organizations that paid a ransom to decrypt their data ended up roughly doubling their recovery costs. On average, those that paid for decryption spent $750,000 on recovery versus $375,000 for organizations that recovered from backups. Those figures are recovery costs only; the ransom payment itself comes on top.
Paying also tended to mean slower recovery: 45% of organizations that recovered from backups were back within a week, compared with 39% of those that paid the ransom.
Chester Wisniewski, Sophos field chief technology officer, called the return of encryption rates to very high levels after a temporary dip during the pandemic “concerning”:
“Incident costs rise significantly when ransoms are paid. Most victims will not be able to recover all their files by simply buying the encryption keys; they must rebuild and recover from backups as well. Paying ransoms not only enriches criminals, but it also slows incident response and adds cost to an already devastatingly expensive situation.”
Education Sector Most Attacked
Additional key findings from the report include:
- The most common cause of a ransomware attack was an exploited vulnerability (36% of cases), followed by compromised credentials (29% of cases).
- In 30% of cases where data was encrypted, data was also stolen, suggesting this double-dip method (data encryption plus data exfiltration) is becoming commonplace.
- The education sector reported the highest level of ransomware attacks, with 79% of higher education organizations surveyed and 80% of lower education organizations surveyed reporting that they were victims of ransomware.
- Overall, 46% of organizations surveyed that had their data encrypted paid the ransom.
- Larger organizations were far more likely to pay ransoms. More than half of businesses with revenue of $500 million or more paid the ransom, with the highest rate reported by those with revenue over $5 billion. Cyber insurance coverage may be a contributing factor.
Human-led threat hunting is very effective at stopping cyber criminals in their tracks, said Wisniewski:
“Experienced analysts can recognize the patterns of an active intrusion in minutes and spring into action. This is likely the difference between the third who stay safe and the two thirds who do not. Organizations must be on alert 24×7 to mount an effective defense these days.”
Steps to Defense Against Ransomware
Sophos recommends the following best practices to help defend against ransomware and other cyberattacks:
- Deploy security tools that defend against the most common attack vectors, including endpoint protection with strong anti-exploit capabilities to prevent exploitation of vulnerabilities, and Zero Trust Network Access to thwart the abuse of compromised credentials.
- Use adaptive technologies that respond automatically to attacks, disrupting adversaries and buying defenders time to respond.
- Implement 24/7 threat detection, investigation and response, whether delivered in-house or by a specialist managed detection and response (MDR) provider.
- Optimize attack preparation, including making regular backups, practicing recovering data from backups and maintaining an up-to-date incident response plan.
- Maintain good security hygiene, including timely patching and regularly reviewing security tool configurations.
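The fourth recommendation above, practicing recovery from backups, is the one most organizations skip, and Wisniewski's point that victims must rebuild from backups even after paying makes it the step that decides recovery cost. The following is an added example, not code from the Sophos report or this article, of a minimal restore drill: it restores an archive into a scratch directory and checks every file against a SHA-256 manifest captured at backup time, so a backup that was silently corrupted, left incomplete, or itself encrypted by the ransomware shows up as a failure rather than as a surprise on the day you need it. The archive, manifest and sample files are constructed inline so it runs offline; the function names and layout are this example's own assumptions.

```python
"""Backup restore drill: prove a backup can actually be restored and that
its contents match a manifest captured at backup time.

Added example, not from the Sophos report or the article. All data is
constructed inline; function names and paths are this example's choices.
"""
import hashlib
import os
import tarfile
import tempfile


def sha256_of(path: str) -> str:
    """Stream a file through SHA-256 (avoids loading large backups into RAM)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_backup(source_dir: str, archive_path: str) -> dict:
    """Create a tar.gz of source_dir and return a manifest {relpath: sha256}.

    Store the manifest separately from the archive (offline or immutable):
    if an attacker can rewrite both archive and manifest, the drill proves nothing.
    """
    manifest = {}
    with tarfile.open(archive_path, "w:gz") as tar:
        for root, _dirs, files in os.walk(source_dir):
            for name in sorted(files):
                full = os.path.join(root, name)
                rel = os.path.relpath(full, source_dir)
                manifest[rel] = sha256_of(full)
                tar.add(full, arcname=rel)
    return manifest


def restore_drill(archive_path: str, manifest: dict) -> dict:
    """Restore the archive into a scratch directory and verify every file.

    Returns {"ok": bool, "missing": [...], "mismatched": [...], "unexpected": [...]}.
    A corrupted or ransomware-encrypted backup shows up as mismatches; an
    incomplete backup job shows up as missing files.
    """
    report = {"ok": True, "missing": [], "mismatched": [], "unexpected": []}
    with tempfile.TemporaryDirectory() as scratch:
        base = os.path.realpath(scratch)
        with tarfile.open(archive_path, "r:gz") as tar:
            # Refuse members that would escape the scratch dir (a tampered
            # archive could carry "../" paths); newer Pythons also get the
            # built-in "data" filter.
            for m in tar.getmembers():
                dest = os.path.realpath(os.path.join(base, m.name))
                if not dest.startswith(base + os.sep):
                    raise ValueError(f"unsafe member path in archive: {m.name}")
            if hasattr(tarfile, "data_filter"):
                tar.extractall(scratch, filter="data")
            else:
                tar.extractall(scratch)
        restored = {}
        for root, _dirs, files in os.walk(scratch):
            for name in files:
                full = os.path.join(root, name)
                restored[os.path.relpath(full, scratch)] = sha256_of(full)
    for rel, digest in manifest.items():
        if rel not in restored:
            report["missing"].append(rel)
        elif restored[rel] != digest:
            report["mismatched"].append(rel)
    report["unexpected"] = sorted(set(restored) - set(manifest))
    report["ok"] = not (report["missing"] or report["mismatched"] or report["unexpected"])
    return report


def run_demo() -> tuple:
    """Constructed scenario: a clean backup passes the drill; a backup taken
    after the encryptor reached the source data fails against the original manifest."""
    with tempfile.TemporaryDirectory() as work:
        src = os.path.join(work, "data")
        os.makedirs(os.path.join(src, "db"))
        with open(os.path.join(src, "db", "orders.sql"), "w") as f:
            f.write("INSERT INTO orders VALUES (1, 'widget');\n")  # constructed sample
        with open(os.path.join(src, "README.txt"), "w") as f:
            f.write("constructed sample data\n")
        manifest = build_backup(src, os.path.join(work, "backup.tgz"))
        good = restore_drill(os.path.join(work, "backup.tgz"), manifest)

        # Simulate ransomware reaching the data before the next backup run:
        # the file is replaced by an opaque blob standing in for ciphertext.
        with open(os.path.join(src, "db", "orders.sql"), "wb") as f:
            f.write(os.urandom(64))
        tampered = os.path.join(work, "backup_tampered.tgz")
        build_backup(src, tampered)                 # new archive, but...
        bad = restore_drill(tampered, manifest)     # ...verified against the ORIGINAL manifest
        return good, bad


if __name__ == "__main__":
    clean, encrypted = run_demo()
    print("clean backup:", clean)
    print("encrypted backup:", encrypted)
```

Two design choices matter here. The manifest is the source of truth, so it has to live somewhere the ransomware cannot reach (offline media, an immutable object-store bucket, or a signed copy); verifying an archive against a manifest stored beside it only proves the two were tampered with together. And the drill extracts into a throwaway directory rather than checking hashes of the archive members in place, because the question being answered is "can I actually restore this," which includes the extraction path itself.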