Sophos Reports Ransomware Payments Up 500 Percent Over Last Year

Sophos released its annual State of Ransomware 2024 survey, finding that the average ransom payment has increased by 500 percent in the last year. Organizations that paid the ransom reported an average payment of $2 million, up from 2023’s $400,000.

Unfortunately, it noted that ransoms are just one part of the cost. Excluding ransoms, the survey found the average cost of recovery reached $2.73 million, an increase of almost $1 million since the $1.82 million that Sophos reported in 2023.

Despite soaring ransoms, this year’s survey indicates a slight reduction in the rate of ransomware attacks, with 59 percent of organizations being hit, compared with 66 percent in 2023. While the propensity to be hit by ransomware increases with revenue, even small organizations with less than $10 million in revenue are regularly targeted; 47 percent were hit by ransomware in the last year.

The report also found that 63 percent of ransom demands were for $1 million or more, with 30 percent for over $5 million, suggesting ransomware operators are seeking huge payoffs. Unfortunately, increased ransom amounts are not just for the highest-revenue organizations surveyed. Forty six percent of organizations with revenue of less $50 million received a seven-figure ransom demand in the last year.

“We must not let the slight dip in attack rates give us a sense of complacency,” said John Shier, field CTO, Sophos. “Ransomware attacks are still the most dominant threat today and are fueling the cybercrime economy. Without ransomware we would not see the same variety and volume of precursor threats and services that feed into these attacks. The skyrocketing costs of ransomware attacks belie the fact that this is an equal opportunity crime. The ransomware landscape offers something for every cybercriminal, regardless of skill. While some groups are focused on multi-million-dollar ransoms, there are others that settle for lower sums by making it up in volume.”

For the second year running, exploited vulnerabilities were the most commonly identified root cause of an attack, impacting 32 percent of organizations, followed closely by compromised credentials (29 percent) and malicious e-mail (23 percent). This is directly in line with recent, in-the-field incident response findings from Sophos’ most recent Active Adversary report.

Victims where the attack started with exploited vulnerabilities reported the most severe impact to their organization, with a higher rate of backup compromise (75 percent), data encryption (67 percent) and the propensity to pay the ransom (71 percent) than when attacks started with compromised credentials. The surveyed organizations also had considerably greater financial and operational impact, with the average recovery cost sitting at $3.58 million, compared with $2.58 million when an attack started with compromised credentials and a greater proportion of attacked organizations taking more than a month to recover.

Other notable findings from the report included:

  • 24 percent of those that pay the ransom handing over the amount originally requested; 44 percent paying less than the original demand.
  • Average ransom payment coming in at 94 percent of the initial ransom demand.
  • In 82 percent of cases, ransom funding came from multiple sources. Overall, 40 percent of total ransom funding came from the organizations themselves and 23 percent from insurance providers.
  • 94 percent of organizations hit by ransomware in the past year noting that the cybercriminals attempted to compromise their backups during the attack, rising to 99 percent in both state and local government. In 57 percent of instances, backup compromise attempts were successful.
  • In 32 percent of incidents where data was encrypted, data was also stolen – a slight lift from last year’s 30 percent.

“Managing risk is at the core of what we do as defenders,” said Shier. “The two most common root causes of ransomware attacks, exploited vulnerabilities and compromised credentials, are preventable, yet still plague too many organizations. Businesses need to critically assess their levels of exposure to these root causes and address them immediately. In a defensive environment where resources are scarce, its time organizations impose costs on the attackers, as well. Only by raising the bar on what’s required to breach networks can organizations hope to maximize their defensive spend.”

Sophos recommends the following best practices to help organizations defend against ransomware and other cyberattacks:

  • Understand your risk profile, with tools that can assess an organization’s external attack surface, prioritize the riskiest exposures and provide tailored remediation guidance.
  • Implement endpoint protection that is designed to stop a range of evergreen and constantly changing ransomware techniques.
  • Bolster your defenses with 24×7 threat detection, investigation and response.
  • Build and maintain an incident response plan, in addition to making regular back-ups and practicing recovering data from backups.

Data comes from a vendor-agnostic survey of 5,000 cybersecurity/IT leaders conducted between January and February 2024. Respondents were based in 14 countries across the Americas, EMEA and Asia Pacific. Organizations surveyed had between 100 and 5,000 employees, and revenue ranged from less than $10 million to more than $5 billion.

The full report is accessible here.

For the Sophos partner program, click here.