Paying the Ransom Doubles Cost of Recovering from a Ransomware Attack: Sophos
Global survey shows the average cost of recovery is $1.4 million if organizations pay the ransom, $730,000 if they don’t
SophosLabs reports on Maze ransomware techniques that increase pressure to pay
Key survey findings for India:
– Eighty-two percent Indian organizations hit by ransomware, 15% increase from 2017
– Organizations in Delhi (85%) followed by Bangalore (83%), Kolkata (81%), Mumbai (81%), Chennai (79%) and Hyderabad (74%) were impacted by ransomware
– Indian organizations incur costs of around ₹80,270,000 to rectify the impact of each ransomware
– Data of most of the organizations in Bangalore (97%) was encrypted followed by Delhi (96%), Mumbai (88%), Hyderabad (88%), Kolkata (87%) and Chennai (68%)
– Eight percent of victims were able to stop the attack before their data could be encrypted, compared with a global average of 24%
– Two thirds (66%) of organizations whose data was encrypted paid the ransom
– Twenty-nine percent of the IT managers surveyed were able to recover their data from backups without paying the ransom
Sophos, a global leader in next-generation cybersecurity, has announced the findings of its global survey, The State of Ransomware 2020, which reveals that paying cybercriminals to restore data encrypted during a ransomware attack is not an easy and inexpensive path to recovery. In fact, the total cost of recovery almost doubles when organizations pay a ransom. The survey polled 5,000 IT decision makers in organizations in 26 countries across six continents, including Europe, the Americas, Asia-Pacific and central Asia, the Middle East, and Africa.
More than 80% of Indian organizations had experienced a significant ransomware attack in the previous 12 months, compared to 67% in 2017. Data was encrypted in 91% of attacks that successfully breached an organization in India. The average cost of addressing the impact of such an attack in India, including business downtime, lost orders, operational costs, and more, was ₹80,270,000. Two out of three (66%) organizations hit by ransomware in India admitted paying the ransom.
“Organizations may feel intense pressure to pay the ransom to avoid damaging downtime. On the face of it, paying the ransom appears to be an effective way of getting data restored, but this is illusory. Sophos’ findings show that paying the ransom makes little difference to the recovery burden in terms of time and cost. This could be because it is unlikely that a single magical decryption key is all that’s needed to recover. Often, the attackers may share several keys and using them to restore data may be a complex and time-consuming affair,” said Chester Wisniewski, principal research scientist, Sophos.
Nearly 30% of the IT managers surveyed in India were able to recover their data from backups without paying the ransom.. Every organization in India that paid the ransom got their data back, although this was not always the case elsewhere. Globally, nearly 5% of public sector organizations paid the ransom but didn’t get their data back. In fact, 13% of the public sector organizations surveyed never managed to restore their encrypted data, compared to 6% overall.
However, contrary to popular belief, the public sector was least affected by ransomware globally, with just 45% of the organizations surveyed in this category saying they were hit by a significant attack in the previous year. At a global level, media, leisure and entertainment businesses in the private sector were most affected by ransomware, with 60% of respondents reporting attacks.
Attackers increase pressure to pay
SophosLabs researchers have published a new report, Maze Ransomware: Extorting Victims for 1 Year and Counting, which looks at the tools, techniques and procedures used by this advanced threat that combines data encryption with information theft and the threat of exposure. This approach, which Sophos researchers have also observed being adopted by other ransomware families, like LockBit, is designed to increase pressure on the victim to pay the ransom. The new Sophos report will help security professionals better understand and anticipate the evolving behaviors of ransomware attackers and protect their organizations.
“An effective backup system that enables organizations to restore encrypted data without paying the attackers is business critical, but there are other important elements to consider if a company is to be truly resilient to ransomware,” added Wisniewski. “Advanced adversaries like the operators behind the Maze ransomware don’t just encrypt files, they steal data for possible exposure or extortion purposes. We’ve recently reported on LockBit using this tactic. Some attackers also attempt to delete or otherwise sabotage backups to make it harder for victims to recover data and increase pressure on them to pay. The way to address these malicious maneuvers is to keep backups offline, and use effective, multi-layered security solutions that detect and block attacks at different stages.”
The State of Ransomware 2020 survey was conducted by Vanson Bourne, an independent specialist in market research, in January and February 2020. The survey interviewed 5,000 IT decision makers in 26 countries, in the US, Canada, Brazil, Colombia, Mexico, France, Germany, the UK, Italy, the Netherlands, Belgium, Spain, Sweden, Poland, the Czech Republic, Turkey, India, Nigeria, South Africa, Australia, China, Japan, Singapore, Malaysia, Philippines and UAE. All respondents were from organizations with between 100 and 5,000 employees.
# # #
- Learn about escalating extortion tricks in LockBit Ransomware Borrows Tricks to Keep up with REvil and Maze
- Learn more about SophosLabs’ Snatch and Robbinhood ransomware reports
- Learn more about ransomware behaviour in the Sophos ransomware playbook: How Ransomware Attacks
- Learn about the threat landscape and trends in 2020 in the SophosLabs Threat Report
- Get an overview of the central role Emotet plays with Sophos’ new infographic
- Read the latest security and company news on Naked Security and on Sophos News
As a worldwide leader in next-generation cybersecurity, Sophos protects more than 400,000 organizations of all sizes in more than 150 countries from today’s most advanced cyber threats. Powered by SophosLabs – a global threat intelligence and data science team – Sophos’ cloud-native and AI-powered solutions secure endpoints (laptops, servers and mobile devices) and networks against evolving cyberattack techniques, including ransomware, malware, exploits, data exfiltration, active-adversary breaches, phishing, and more. Sophos Central, a cloud-native management platform, integrates Sophos’ entire portfolio of next-generation products, including the Intercept X endpoint solution and the XG next-generation firewall, into a single “synchronized security” system accessible through a set of APIs. Sophos has been driving a transition to next-generation cybersecurity, leveraging advanced capabilities in cloud, machine learning, APIs, automation, managed threat response, and more, to deliver enterprise-grade protection to any size organization. Sophos sells its products and services exclusively through a global channel of more than 53,000 partners and managed service providers (MSPs). Sophos also makes its innovative commercial technologies available to consumers via Sophos Home. The company is headquartered in Oxford, U.K. More information is available at www.sophos.com