Zffoto - stock.adobe.com

Paying the Ransom Can Double Ransomware Attack Recovery Costs

The FBI has repeatedly warned against paying the ransom, but Sophos research confirms giving into the hackers’ demands does not ease recovery time – and doubles the overall recovery costs.

The FBI, Microsoft, and others have repeatedly warned victims to not pay the ransom demands after a cyberattack for a host a reasons. And new research from Sophos confirms that ransomware payments can actually double the amount of recovery costs and don’t ensure an easier path to recovery.

To compile its State of Ransomware 2020 report, Sophos researchers surveyed 5,000 global IT decision makers across a range of sectors. They found that 51 percent of these organizations faced a ransomware attack within the last year, compared to 54 percent in 2017.

For the US, 59 percent of respondents reported falling victim to an attack. Notably, 25 percent of US respondents said they were able to stop an attack before data was encrypted. But overall, data was encrypted in 73 percent of these successful attacks.

On average, the cost to recover from these attacks – without paying the ransom – totaled more than $732,520 in the US, which included business downtime, lost orders, operational costs, device costs, and other expenses. But when the organizations paid, the recovery costs nearly doubled to $1.4 million.

While 56 percent of the surveyed IT managers said they were able to recover the encrypted data from backups without paying the ransom, still another 27 percent of organizations hit by ransomware admitted to paying the hackers.

Interestingly, 1 percent of respondents said that paying the ransom did not lead to the data being decrypted, which rose to 5 percent for public sector organizations. What’s more, 13 percent of public sector organizations were never able to restore their encrypted, compared to just 6 percent across all sectors.

“Organizations may feel intense pressure to pay the ransom to avoid damaging downtime,” Chester Wisniewski, Sophos’ principal research scientist, said in a statement. “On the face of it, paying the ransom appears to be an effective way of getting data restored, but this is illusory.”

“Sophos’ findings show that paying the ransom makes little difference to the recovery burden in terms of time and cost,” he added. “This could be because it is unlikely that a single magical decryption key is all that’s needed to recover. Often, the attackers may share several keys and using them to restore data may be a complex and time-consuming affair.”

Overall, the private sector was the most affected by ransomware, with 60 percent of organizations facing an attack within the last year. Comparably, just 45 percent of public sector respondents reporting a serious ransomware attack during the same time frame.

Further, the most successful ransomware attacks involved data stored in the public cloud, with 59 percent of these attacks. Researchers stressed that “it’s clear that cybercriminals are targeting data wherever it stored.”

Specifically, the trend for ransomware attacks in 2020 is for server-based attacks, which are highly targeted and employ more effort to accomplish. Sophos explained the sophisticated nature has led to a reduction in the number of attacks but are “far more deadly due to the higher value of assets encrypted.”

Sophos added these attacks can cripple an organization as hackers typically ask for multi-million-dollar ransom requests. The data supports another recent Sophos report on Maze ransomware attacks from the past year, which reaffirms several recent FBI alerts that show hackers are increasing pressure to pay demands.

Microsoft recently released guidance, of particular interest to the healthcare sector, designed to bolster defenses against these human-operated ransomware attacks.

“An effective backup system that enables organizations to restore encrypted data without paying the attackers is business critical, but there are other important elements to consider if a company is to be truly resilient to ransomware,” said Wisniewski. “Advanced adversaries like the operators behind the Maze ransomware don’t just encrypt files, they steal data for possible exposure or extortion purposes."

"Some attackers also attempt to delete or otherwise sabotage backups to make it harder for victims to recover data and increase pressure on them to pay," he added. "The way to address these malicious maneuvers is to keep backups offline, and use effective, multi-layered security solutions that detect and block attacks at different stages.”

Next Steps

Dig Deeper on Cybersecurity strategies