Paying the ransom doubles cost of recovering from a cyber attack


    COMPANIES who give in to ransomware attacks lose more than those who recover from a cyber-attack using their own backup or retrieval service.

    This was revealed in “The State of Ransomware 2020,” a report by cybersecurity expert Sophos. According to the report the total cost of recovery almost doubles when organizations pay a ransom. It mentions that paying cybercriminals to restore data encrypted during a ransomware attack is not an easy and inexpensive path to recovery. But many small and medium companies, with minimal or no cyber defenses, usually end up paying for fear of losing important business information.

    The average global cost of addressing the impact of such an attack, including business downtime, lost orders, operational costs, and more, but not including the ransom, was $730,000. This average cost rose to $1.4 million, almost twice as much, when organizations paid the ransom. Some 27 percent of all organizations hit by ransomware globally admitted paying the ransom.

    One in three (30 percent) organizations in the Philippines had experienced a ransomware attack in the previous 12 months. On a global level, data was encrypted in nearly three quarters (73 percent) of attacks that successfully breached an organization.

    “Organizations may feel intense pressure to pay the ransom to avoid damaging downtime. On the face of it, paying the ransom appears to be an effective way of getting data restored, but this is illusory,” Chester Wisniewski, principal research scientist at Sophos said.

    At a global level, for 5 percent of public sector or government organizations, paying the ransom did not lead to the recovery of data. In fact, 13 percent of those surveyed in this sector never managed to restore their encrypted data, compared to 6 percent of all organizations globally.

    Media, leisure and entertainment businesses in the private sector were most affected by ransomware, with 60 percent of respondents reporting attacks.

    An effective back up can thwart an attack

    “An effective backup system that enables organizations to restore encrypted data without paying the attackers is business critical, but there are other important elements to consider if a company is to be truly resilient to ransomware,” Wisniewski added.

    Around 56 percent of all the IT managers surveyed globally were able to recover their data from backups without paying the ransom. In a very small minority of cases (about 1 percent), paying the ransom did not lead to the recovery of data.

    Attackers increase pressure to pay

    A second but related study “Maze Ransomware: Extorting Victims for 1 Year and Counting,” also by Sophos co-relates its findings with the “State of Ransomware” report. It revealed how and what kind of tools, techniques and procedures are used by this advanced threat that combines data encryption with information theft and the threat of exposure.

    This approach, which Sophos researchers have also observed being adopted by other ransomware families, like LockBit, is designed to increase pressure on the victim to pay the ransom. The new Sophos report will help security professionals better understand and anticipate the evolving behaviors of ransomware attackers and protect their organizations.

    “Advanced adversaries like the operators behind the Maze ransomware don’t just encrypt files, they steal data for possible exposure or extortion purposes. We’ve recently reported on LockBit using this tactic. Some attackers also attempt to delete or otherwise sabotage backups to make it harder for victims to recover data and increase pressure on them to pay. The way to address these malicious maneuvers is to keep backups offline, and use effective, multi-layered security solutions that detect and block attacks at different stages.”

    “Sophos’ findings show that paying the ransom makes little difference to the recovery burden in terms of time and cost. This could be because it is unlikely that a single magical decryption key is all that’s needed to recover. Often, the attackers may share several keys and using them to restore data may be a complex and time-consuming affair,” Wisniewski concluded.

    The State of Ransomware 2020 survey was conducted by Vanson Bourne, an independent specialist in market research, in January and February 2020. The survey interviewed 5,000 IT decision makers in 26 countries, in the US, Canada, Brazil, Colombia, Mexico, France, Germany, the UK, Italy, the Netherlands, Belgium, Spain, Sweden, Poland, the Czech Republic, Turkey, India, Nigeria, South Africa, Australia, China, Japan, Singapore, Malaysia, Philippines and UAE. All respondents were from organizations with between 100 and 5,000 employees.

    Further information is available on SophosLabs Uncut and Naked Security.


    Please enter your comment!
    Please enter your name here