Nearly Half Of Ransomware Victims Pay Up, Sophos Finds

Sophos report finds ransomware encryption attacks at their highest level for four years, with 66 percent of organisations being targeted

UK-based security specialist Sophos has released its annual assessment of the ransomware market, and it confirms the ongoing ransomware threat for organisations in 2023.

Among the main findings in the Sophos ‘State of Ransomware 2023’ report – which details the latest developments in attacks, ransom payments and recovery costs – is that data encryption from ransomware has reached the highest level in four years.

And the Sophos report, which surveyed 3,000 IT and security heads across the world, also found that nearly half (46 percent) of organisations hit by ransomware attacks actually pay the ransom, despite continued advice against paying the cyber criminals.

Sophos ransomware report

Additionally, the Sophos report found that those organisations that pay the cyber criminals actually end up doubling their recovery costs.

Perhaps one of the most salient highlights of the Sophos report is that data encryption from ransomware has reached the highest level in four years, which belies the impression that ransomware attacks have lessened in the past couple of years.

Indeed, the Sophos report found that the rate of ransomware attacks has remained steady, with 66 percent of organisations surveyed reporting they were a victim of ransomware – the same as last year.

Even more troubling is that the annual “State of Ransomware 2023” report also found that in 76 percent of ransomware attacks against surveyed organisations, cyber criminals actually succeeded in encrypting data.

This is the highest rate of data encryption from ransomware since Sophos started issuing the report in 2020.

Overall, 46 percent of organisations surveyed that had their data encrypted ended up paying the ransom.

And it seems that larger organisations are far more likely to pay, despite constant advice not to.

In fact, more than half of businesses with revenue of $500 million or more paid the ransom, with the highest rate reported by those with revenue over $5 billion, Sophos found.

This could partially be due to the fact that larger companies are more likely to have a standalone cyber insurance policy that covers ransom payments.

Don’t pay

But paying the cyber criminals is often not a good idea.

The Sophos survey also found that when organisations paid a ransom to get their data decrypted, they ended up doubling their recovery costs.

For example, the study found typical recovery costs of $750,000 for organisations that paid the ransom, versus $375,000 for organisations that used backups to get their data back.

Moreover, paying the ransom usually means longer recovery times, with 45 percent of those organisations that used backups recovering within a week, compared to 39 percent of those that paid the ransom.

“Rates of encryption have returned to very high levels after a temporary dip during the pandemic, which is certainly concerning,” said Chester Wisniewski, field CTO at Sophos. “Ransomware crews have been refining their methodologies of attack and accelerating their attacks to reduce the time for defenders to disrupt their schemes.”

“Incident costs rise significantly when ransoms are paid,” Wisniewski added. “Most victims will not be able to recover all their files by simply buying the encryption keys; they must rebuild and recover from backups as well. Paying ransoms not only enriches criminals, but it also slows incident response and adds cost to an already devastatingly expensive situation.”

Attack vectors

When Sophos analysed the root cause of ransomware attacks, the most common threat vector was an exploited vulnerability (involved in 36 percent of cases); followed by compromised credentials (involved in 29 percent of cases).

Other key findings from the Sophos report that may keep IT management awake at night include:

  • In 30 percent of cases where data was encrypted, data was also stolen, suggesting this “double dip” method (data encryption and data exfiltration) is becoming commonplace;
  • The education sector reported the highest level of ransomware attacks, with 79 percent of higher education organisations surveyed and 80 percent of lower education organisations surveyed reporting that they were victims of ransomware.

“With two thirds of organisations reporting that they have been victimised by ransomware criminals for the second year in a row, we’ve likely reached a plateau,” said Wisniewski.

“The key to lowering this number is to work to aggressively lower both time to detect and time to respond,” said Wisniewski. “Human-led threat hunting is very effective at stopping these criminals in their tracks, but alerts must be investigated, and criminals evicted from systems in hours and days, not weeks and months. Experienced analysts can recognize the patterns of an active intrusion in minutes and spring into action.”

“This is likely the difference between the third who stay safe and the two thirds who do not,” Wisniewski concluded. “Organisations must be on alert 24×7 to mount an effective defense these days.”

Best advice

Sophos recommends the following best practices to help defend against ransomware and other cyberattacks:

    • Strengthen defensive shields with:
        • Security tools that defend against the most common attack vectors, including endpoint protection with strong anti-exploit capabilities to prevent exploitation of vulnerabilities, and Zero Trust Network Access (ZTNA) to thwart the abuse of compromised credentials;
        • Adaptive technologies that respond automatically to attacks, disrupting adversaries and buying defenders time to respond;
        • 24/7 threat detection, investigation and response, whether delivered in-house or by a specialist Managed Detection and Response (MDR) provider;
    • Optimise attack preparation, including making regular backups, practicing recovering data from backups and maintaining an up-to-date incident response plan;
    • Maintain good security hygiene, including timely patching and regularly reviewing security tool configurations.