Ransomware Payments Increase 500% In the Last Year, Finds Sophos State of Ransomware Report
30 April 2024 - 5:30AM
Sophos, a global leader in innovative security solutions that
defeat cyberattacks, today released its annual “State of Ransomware
2024” survey report, which found that the average ransom payment
has risen fivefold in the last year: organizations that paid the
ransom reported an average payment of $2 million, up from $400,000
in 2023. Ransoms, however, are only one part of the cost. Excluding
ransoms, the survey found the average cost of recovery reached
$2.73 million, an increase of almost $1 million over the $1.82
million that Sophos reported in 2023.
Despite the soaring ransoms, this year’s survey indicates a
slight reduction in the rate of ransomware attacks, with 59% of
organizations being hit, compared with 66% in 2023. While the
likelihood of being hit by ransomware increases with revenue, even the
smallest organizations (less than $10 million in revenue) are still
regularly targeted, with just under half (47%) hit by ransomware in
the last year.
The 2024 report also found that 63% of ransom demands were for
$1 million or more, with 30% of demands for over $5 million,
suggesting ransomware operators are seeking huge payoffs.
Unfortunately, these increased ransom amounts are not reserved for the
highest-revenue organizations surveyed. Nearly half (46%) of
organizations with revenue of less than $50 million received a
seven-figure ransom demand in the last year.
“We must not let the slight dip in attack rates give us a sense
of complacency. Ransomware attacks are still the most dominant
threat today and are fueling the cybercrime economy. Without
ransomware we would not see the same variety and volume of
precursor threats and services that feed into these attacks. The
skyrocketing costs of ransomware attacks belie the fact that this
is an equal opportunity crime. The ransomware landscape offers
something for every cybercriminal, regardless of skill. While some
groups are focused on multi-million-dollar ransoms, there are
others that settle for lower sums by making it up in volume,” said
John Shier, field CTO, Sophos.
For the second year running, exploited vulnerabilities were the
most commonly identified root cause of an attack, impacting 32% of
organizations. This was closely followed by compromised credentials
(29%) and malicious e-mail (23%). This is in line with the
in-the-field incident response findings from Sophos’ most
recent Active Adversary report.
Victims whose attack started with an exploited vulnerability
reported the most severe impact to their organization, with a
higher rate of backup compromise (75%), data encryption (67%) and
propensity to pay the ransom (71%) than victims whose attack started
with compromised credentials. These organizations also reported
considerably greater financial and operational impact: the
average recovery cost was $3.58 million, compared with $2.58
million when an attack started with compromised credentials, and a
greater proportion of them took more than a
month to recover.
Other notable findings from the report include:
- Less than one quarter (24%) of those that pay the ransom hand
over the amount originally requested, and 44% of respondents
reported paying less than the original demand
- The average ransom payment came in at 94% of the initial ransom
demand
- In more than four-fifths (82%) of cases, funding for the ransom
came from multiple sources. Overall, 40% of total ransom funding
came from the organizations themselves and 23% from insurance
providers
- Ninety-four percent of organizations hit by ransomware in the
past year said that the cybercriminals attempted to compromise
their backups during the attack, rising to 99% in both state and
local government. In 57% of instances, backup compromise attempts
were successful
- In 32% of incidents where data was encrypted, data was also
stolen – a slight lift from last year’s 30% – increasing attackers’
ability to extort money from their victims
“Managing risk is at the core of what we do as defenders. The
two most common root causes of ransomware attacks, exploited
vulnerabilities and compromised credentials, are preventable, yet
still plague too many organizations. Businesses need to critically
assess their levels of exposure to these root causes and address
them immediately. In a defensive environment where resources are
scarce, it’s time organizations impose costs on the attackers, as
well. Only by raising the bar on what’s required to breach networks
can organizations hope to maximize their defensive spend,” said
Shier.
Sophos recommends the following best practices to help
organizations defend against ransomware and other cyberattacks:
- Understand your risk profile, with tools such as Sophos Managed
Risk which can assess an organization’s external attack surface,
prioritize the riskiest exposures and provide tailored remediation
guidance
- Implement endpoint protection that is designed to stop a range
of evergreen and constantly changing ransomware techniques, such as
Sophos Intercept X
- Bolster your defenses with round-the-clock threat detection,
investigation and response, either through an in-house team or with
the support of a Managed Detection and Response (MDR) provider
- Build and maintain an incident response plan, as well as making
regular back-ups and practicing recovering data from backups
Data for the State of Ransomware 2024 report comes from a
vendor-agnostic survey of 5,000 cybersecurity/IT leaders conducted
between January and February 2024. Respondents were based in 14
countries across the Americas, EMEA and Asia Pacific. Organizations
surveyed had between 100 and 5,000 employees, and revenue ranged
from less than $10 million to more than $5 billion.
Read the State of Ransomware 2024 report for global findings and
data by sector on Sophos.com.
Learn More About Ransomware
- The latest techniques, tactics and procedures (TTPs) of cyber
attackers in the Active Adversary Report for 1H 2024
- The evolving ransomware business model in ‘Junk Gun’ Ransomware:
Peashooters Can Still Pack a Punch
- Ransomware attackers targeting managed service providers (MSPs)
in the 2024 Sophos Threat Report: Cybercrime on Main Street
- The role of unpatched vulnerabilities in ransomware
attacks
- The rise of remote encryption among ransomware groups
- Sophos X-Ops and its groundbreaking threat research by
subscribing to the Sophos X-Ops blogs
About Sophos
Sophos is a global leader and
innovator of advanced security solutions that defeat cyberattacks,
including Managed Detection and Response (MDR) and incident
response services and a broad portfolio of endpoint, network,
email, and cloud security technologies. As one of the largest
pure-play cybersecurity providers, Sophos defends more than 600,000
organizations and more than 100 million users worldwide from active
adversaries, ransomware, phishing, malware, and more. Sophos’
services and products connect through the Sophos Central
management console and are powered by Sophos X-Ops, the
company’s cross-domain threat intelligence unit. Sophos X-Ops
intelligence optimizes the entire Sophos Adaptive Cybersecurity
Ecosystem, which includes a centralized data lake that leverages a
rich set of open APIs available to customers, partners, developers,
and other cybersecurity and information technology vendors. Sophos
provides cybersecurity-as-a-service to organizations needing fully
managed security solutions. Customers can also manage their
cybersecurity directly with Sophos’ security operations platform or
use a hybrid approach by supplementing their in-house teams with
Sophos’ services, including threat hunting and remediation. Sophos
sells through reseller partners and managed service providers
(MSPs) worldwide. Sophos is headquartered in Oxford, U.K. More
information is available at www.sophos.com.
Contact:
Samantha Powers
sophos@walkersands.com