The Cost of a Ransomware Attack, Part 1: The Ransom

By many estimates, ransomware attacks are among the most common, if not the most common, type of cyber attack. While the number of attacks is generally trending downward, the average cost of an attack is rising exponentially — in part because malicious actors are increasingly targeting companies with the resources to pay large ransoms (and to absorb the subsequent cleanup costs, which can be even larger).

Most ransomware victims are not huge organizations like Colonial Pipeline, which paid out $4.4 billion in May 2021 (much of which was later recovered by the FBI). What can the average victim of a ransomware attack expect? Or, given the broad range of organizations now being targeted, is there such a thing as an average ransomware attack at all?

Here’s a look at the latest research, with insights from two leading experts on the topic: Chester Wisniewski, Principal Research Scientist at Sophos, and Roger Grimes, security consultant and cybersecurity engineer at KnowBe4 and author of Ransomware Protection Guide.

Fewer attacks, higher costs

“There are a few fewer organizations that have been hit, but they have a much bigger impact because of the costs,” Wisniewski says.

  • According to Sophos’ State of Ransomware 2021 report, 37% of organizations were affected by ransomware attacks in 2020, down from 54% in the previous year.
  • Mimecast’s Email Security Status Report states that 61% of businesses have been attacked.
  • However (according to Mimecast), the average remediation cost more than doubled over the same period, from $761,106 to $1.85 million.
  • And IBM’s data breach cost report put the figure even higher, at $4.62 million.
  • A report released by the Financial Crimes Enforcement Network (FinCEN) in October cited $5.2 billion in bitcoin transfers as potential ransom payments in the first half of 2021 alone.

Ransomware groups have shifted their focus from individuals and smaller organizations to larger targets, and thus larger payments. The increasing sophistication of their malware has allowed ransomware gangs to infiltrate the defenses of major corporations – the “big game” – making more efficient use of their resources.

“I’ve gotten closer to enterprise ransomware in the last couple of years,” Wisniewski explains. “There aren’t many threat actors still manipulating people. If you can get a few hundred thousand victims for the same amount of work, why manipulate people who might only pay $500?”

Double extortion

The nature of the attacks has also changed. The advent of double extortion has created stronger incentives to pay. Attackers exfiltrate sensitive company data (transfer it off the network without authorization) before hitting their target with ransomware. So not only can the attacker cut the victim off from its data and systems, but they can also threaten to release the victim’s sensitive data to the public.

A report by F-Secure found that 40% of known gangs had data exfiltration capabilities by the end of 2020. Coveware saw a 20% increase in threats to leak data between the third and fourth quarters of 2020 alone.

While many organizations previously failed to back up their data, growing awareness of ransomware has led many to create regular backups. Why pay a ransom if the locked data is available in usable form elsewhere? The threat of data release radically alters that dynamic, raising the prospect of significant reputational damage as well as regulatory and legal costs. Suddenly, paying the ransom doesn’t seem so bad.

Exfiltrating and analyzing this data also allows gangs to tailor ransom demands to the sensitivity of the data and the financial resources available to the victim, as noted in Microsoft’s digital defense report. Access to bank statements and cyber insurance policies lets these actors apply pressure with great precision.

Average ransom demands

Ransom demands are on the rise, but of course they vary depending on the target. Averages drawn across industries and organizations of different sizes are somewhat misleading.

“Paying $25 million makes the average seem really big,” Grimes notes. “Really, that’s one of our problems: we don’t have a reliable way to collect statistics.”

However, these multi-million dollar payments are already happening, and even if they skew the averages, they are well worth examining. Figures from private organizations tell a very different story from the FBI’s Internet Crime Complaint Center (IC3) report, which records just $29.2 million in ransomware payments in 2020. FinCEN’s bitcoin tracking suggests that ransomware attacks are seriously underreported. According to Sophos, the number of companies choosing to pay the ransom increased by 6% between 2019 and 2020.

Even so, the broad averages provided by researchers paint a more accurate picture.

  • The figures fall within a roughly similar range. Coveware, for example, found that ransom demands actually fell, to $154,108 in Q4 2020 from $233,817 in Q3.
  • However, even that encouraging decline remained well above the $84,000 average the company found for the fourth quarter of 2019.
  • A ransomware threat report from Palo Alto Networks’ Unit 42 showed that the average payment was $115,123 in 2019, rising to $312,493 in 2020.
  • Sophos calculated an average of $170,404 for 2020.
  • It’s worth noting that reports focused on small and medium-sized businesses found much lower demands – the Datto Global State of the Channel Ransomware Report puts the average at $5,600.

“The truth is that the average is $25,000 and the average is $3 million. And when you put the two together, you end up with $170,000,” says Wisniewski. “Big guys usually don’t do anything under a million. People pay between one and five million on the side of the foundation. But it is clear that there are fewer of those who are being paid such large sums.”

“The vast majority of survey respondents are in that $25,000 bucket, but there are 10 times that number. When we average it out, we end up with these odd rates of like $170,000. This is too high for low-ranking criminals and too low for high-end criminals. The real bulk of the data ends up in balloons at the ends of the spectrum.”

Wisniewski believes that data privacy laws – such as the EU’s General Data Protection Regulation and the California Consumer Privacy Act – may eventually increase the reporting of these attacks as the threat of data exposure grows. Before the rise of data release threats, organizations could rationalize not reporting ransomware events because the data was never actually exposed. Now that customer data protected under this legislation may actually be disclosed, there is an additional incentive to report.

Read more in Part 2: The cost of a ransomware attack: response and recovery.
