Sophos: Paying Ransom Can Double Attack Recovery Costs
Organizations that decide to pay their ransomware attackers may end up doubling the overall cost of recovery, according to a new report from Sophos.
The UK-headquartered security firm polled 5000 IT decision makers in organizations across 26 countries to compile its State of Ransomware 2020 report.
It revealed that the average cost of an attack — including business downtime, lost orders, and operational costs, but not the ransom itself — was $730,000. However, this figure rose to $1.4m when the ransom was included.
Over a quarter (27%) of respondents admitted to paying up when hit by an attack.
“Organizations may feel intense pressure to pay the ransom to avoid damaging downtime. On the face of it, paying the ransom appears to be an effective way of getting data restored, but this is illusory,” argued Chester Wisniewski, principal research scientist at Sophos.
“Sophos’ findings show that paying the ransom makes little difference to the recovery burden in terms of time and cost. This could be because it is unlikely that a single magical decryption key is all that’s needed to recover. Often, the attackers may share several keys and using them to restore data may be a complex and time-consuming affair.”
Over half (51%) of organizations said they experienced a significant ransomware attack in the previous 12 months, nearly as many as the peak of 54% in 2017, when WannaCry and NotPetya hit. Data was encrypted in 73% of cases where attackers breached the organization.
Over half (56%) of the IT managers surveyed said they were able to recover data from backups without paying the ransom, but while backing up is now industry best practice, there are other elements to consider, according to Wisniewski.
“Advanced adversaries like the operators behind the Maze ransomware don’t just encrypt files, they steal data for possible exposure or extortion purposes. We’ve recently reported on LockBit using this tactic,” he explained.
“Some attackers also attempt to delete or otherwise sabotage backups to make it harder for victims to recover data and increase pressure on them to pay. The way to address these malicious maneuvers is to keep backups offline, and use effective, multi-layered security solutions that detect and block attacks at different stages.”