The ransomware landscape is in flux. According to many estimates, ransomware attacks are the most common type of data breach. While the number of attacks is generally trending downward, the average cost of an attack is skyrocketing — in part because malicious actors have increasingly taken aim at corporations that have the resources to pay large ransoms (and to eat the ensuing cleanup costs, which can be even more substantial).
Most victims of a ransomware attack aren’t massive organizations like Colonial Pipeline, which shelled out close to $5 million in Bitcoin in May 2021, though. What can the average victim of a ransomware attack expect to face? Or: is there even such a thing as an average ransomware attack, given the broad range of organizations that are now targeted?
Here’s a look at the latest research, with insights from two leading experts on the subject: Chester Wisniewski, principal research scientist at Sophos, and Roger Grimes, security consultant and cybersecurity architect at KnowBe4 and author of the Ransomware Protection Playbook.
Decreasing Attacks, Rising Costs
“There are slightly fewer organizations being hit but it’s having a much larger impact because of the costs,” says Wisniewski. According to Sophos’s State of Ransomware 2021 Report, 37% of organizations were hit by ransomware attacks in 2020, down from 54% the previous year. Mimecast’s State of Email Security report states that 61% of businesses have been attacked. However (according to Mimecast), the average cost of remediation more than doubled during that same period, from $761,106 to $1.85 million. IBM’s Cost of a Data Breach report pegged it even higher — at $4.62 million. A report released by the Financial Crimes Enforcement Network (FinCEN) in October flagged a remarkable $5.2 billion in Bitcoin transfers as potential ransomware payments in the first half of 2021 alone.
Ransomware organizations have shifted their focus from individuals and smaller organizations to bigger targets, with accordingly larger payouts. The increasing sophistication of malware has allowed ransomware gangs to penetrate the security systems of larger firms — “big game” — making for more efficient use of their resources.
“They’ve converged on enterprise ransomware in the last two years,” Wisniewski explains. “There aren’t many threat actors still messing around with individuals. If you can get a few hundred thousand from a victim for a similar amount of work, why would you mess around with individuals who may only pay $500?”
Double Extortion
The nature of the attacks has also changed. The rise of double extortion has further incentivized payment. Attackers exfiltrate sensitive corporate data (transfer it out of the network without authorization) before they wallop their target with ransomware. So not only can the attacker lock victims out of their data/systems, they can threaten to release victims’ sensitive data to the public.
A report from F-Secure found that 40% of known gangs had data exfiltration capabilities by the end of 2020. And Coveware saw a 20% increase in threats to release data between the third and fourth quarters of 2020 alone.
Whereas previously many organizations had failed to back up their data, increased ransomware awareness has led many organizations to create regular backups. Why pay a ransom if the locked-up data exists in viable form elsewhere? The threat of releasing the data drastically alters that dynamic, creating the potential for massive reputational damage as well as regulatory and legal costs. Suddenly, paying a ransom doesn’t seem so bad.
The exfiltration and analysis of this data also allows the gangs to fine-tune their ransom demands according to the data’s sensitivity and the financial resources at the victim’s disposal, as noted in Microsoft’s Digital Defense Report. Access to bank statements and insurance policies allows these actors to turn the screws with exquisite precision.
Average Ransom Demands
Ransomware demands are growing, but of course they vary depending on the target. Averages drawn from across industries and organizations of varying sizes are thus somewhat misleading.
“A couple of $25 million payouts make the average seem really big,” Grimes observes. “Really, that’s one of our problems: We don’t have a reliable way to collect statistics.”
Those million-dollar payments do happen though, and even if the averages are skewed as a result, they are worth a look. Analyses from private organizations tell a far different tale than the FBI’s Internet Crime Complaint Center (IC3) report, which records a mere $29.2 million in ransomware payments in 2020. Ransomware attacks are seriously underreported, as FinCEN’s Bitcoin tracking suggests. According to Sophos, the number of companies that choose to pay the ransom has increased by 6% between 2019 and 2020.
So: Even the broad averages offered by researchers paint a more accurate picture. The results fall within a rough range. Coveware, for example, found that ransomware demands had actually dropped, to $154,108 in Q4 of 2020 from $233,817 in Q3. Still, even this encouraging decrease hovered well above the $84,000 average the company found for Q4 of 2019. Palo Alto Networks’ Unit 42 Ransomware Threat Report showed an average payment of $115,123 in 2019, which rose to $312,493 in 2020. Sophos calculated an average of $170,404 for 2020. It’s worth noting that reports focusing on SMBs found far lower demands — Datto’s Global State of the Channel Ransomware Report calculated an average of $5,600.
“The truth is, the average is $25,000 and the average is $3 million. And when you put the two together you end up at $170,000,” says Wisniewski. “The big guys are typically not doing anything less than a million. People are paying between one and five million on the enterprise side. But there’s clearly fewer of them that are being hit for those large sums.”
“The vast majority of respondents in the survey are in that $25,000 bucket, but there are 10 times as many of them. When we average them out, we end up with these weird averages like $170,000,” he adds. “That’s too high for the low-grade criminals and too low for the high-end criminals. The real bulk of the data ends up in balloons at the ends of the spectrum.”
Wisniewski thinks that data privacy laws — like the European Union’s General Data Protection Regulation and the California Consumer Privacy Act — may ultimately increase reporting of these attacks, as the exfiltration threat grows. Prior to the surge in threats of data release, organizations were able to rationalize not reporting ransomware events because the data was never actually exposed. Now, when customer data protected by this legislation could actually be exposed, there is additional motivation to report.