Paying ransom can double attack recovery costs, warns Sophos

Paying cybercriminals to restore data encrypted during a ransomware attack is not an easy and inexpensive path to recovery, according to the latest The State of Ransomware 2020 study by Sophos.Ransom Sophos

The study highlighted that the total cost of recovery almost doubles when organisations pay a ransom. The survey polled 5,000 IT decision makers in organisations in 26 countries across six continents, including Europe, the Americas, Asia-Pacific and central Asia, the Middle East, and Africa.

More than half (51 percent) of organisations had experienced a significant ransomware attack in the previous 12 months, compared to 54 percent in 2017.

In the UAE, 49 percent of the organisations surveyed mentioned a ransomware attack in the last one year. Globally Data was encrypted in nearly three quarters (73 percent) of attacks that successfully breached an organisation, while in the UAE, it was 78 percent. The average cost of addressing the impact of such an attack, including business downtime, lost orders, operational costs, and more, but not including the ransom, was more than $730,000. This average cost rose to $1.4 million, almost twice as much, when organisations paid the ransom. More than one quarter (27 percent) of organisations hit by ransomware admitted paying the ransom. The survey also revealed 19 percent of the organisations that were attacked in the UAE admitted to paying the ransom.

Chester Wisniewski, Sophos
Chester Wisniewski, Sophos

“Organisations may feel intense pressure to pay the ransom to avoid damaging downtime. On the face of it, paying the ransom appears to be an effective way of getting data restored, but this is illusory. Sophos’ findings show that paying the ransom makes little difference to the recovery burden in terms of time and cost. This could be because it is unlikely that a single magical decryption key is all that’s needed to recover. Often, the attackers may share several keys and using them to restore data may be a complex and time-consuming affair,” said Chester Wisniewski, principal research scientist, Sophos.

More than half (56 percent) the IT managers surveyed were able to recover their data from backups without paying the ransom compared to 66 percent in the UAE. In a very small minority of cases (1 percent), paying the ransom did not lead to the recovery of data. This figure rose to 5 percent for public sector organisations. In fact, 13 percent of the public sector organisations surveyed never managed to restore their encrypted data, compared to 6 percent overall.

However, contrary to popular belief, the public sector was least affected by ransomware, with just 45 percent of the organisations surveyed in this category saying they were hit by a significant attack in the previous year. At a global level, media, leisure and entertainment businesses in the private sector were most affected by ransomware, with 60 percent of respondents reporting attacks.

SophosLabs researchers have published a new report, Maze Ransomware: Extorting Victims for 1 Year and Counting, which looks at the tools, techniques and procedures used by this advanced threat that combines data encryption with information theft and the threat of exposure. This approach, which Sophos researchers have also observed being adopted by other ransomware families, like LockBit, is designed to increase pressure on the victim to pay the ransom. The new Sophos report will help security professionals better understand and anticipate the evolving behaviors of ransomware attackers and protect their organisations.

“Advanced adversaries like the operators behind the Maze ransomware don’t just encrypt files, they steal data for possible exposure or extortion purposes. We’ve recently reported on LockBit using this tactic,” said Wisniewski.

“Some attackers also attempt to delete or otherwise sabotage backups to make it harder for victims to recover data and increase pressure on them to pay. The way to address these malicious maneuvers is to keep backups offline, and use effective, multi-layered security solutions that detect and block attacks at different stages,” he added.

Previous ArticleNext Article


The free newsletter covering the top industry headlines