Sophos report finds paying ransomware demands could double costs for victims 

Paying the ransom proved to cost companies more than not paying. Without the ransom, the average cost of addressing the impacts of the demands, including business downtime, lost orders and operational costs, came to more than $730,000. But this almost doubled to $1.4 million when demands were met and the ransom costs taken into account.

Despite this, over a quarter of organisations surveyed (27%) admitted to paying up, but one per cent who paid did not get their data back. Ninety-four per cent of organisations whose data was encrypted retrieved it, 56% from their own backups, and 26% from the fraudsters after the ransom was paid.

The hardest hit sectors were the media, leisure and entertainment industries, who suffered 60% of total ransomware attacks worldwide. Despite perceptions to the contrary, the public sector, at 45%, was least affected.

Fifty-nine per cent of successful attacks where data was encrypted were in cloud storage locations, although the survey didn’t specify whether these included locations such as Google Drive, Dropbox or Veeam.

Many organisations were found to be under-insured. The majority, 84%, of those surveyed had cybersecurity insurance, but only 64% held insurance that covered ransomware.

Cath Goulding, chief information security officer at Nominet, the official registry for .uk domain names, gave this advice to firms:

“Companies should make sure that all their data is backed up to mitigate the impact of a ransomware attack. It’s also important that compromised systems are separated to reduce the chance of the ransomware spreading throughout a network. One of the best ways to ensure companies are equipped to deal with a ransomware attack is to run a business continuity exercise, this will determine whether processes stand up to the job and are explicit enough to deliver an effective response that secures the business quickly and effectively.”

Board members should also ensure that the threat and its mitigation is included in the company’s risk register.

Cath Goulding, Nominet. Pic: Antony David

Abingdon-based Sophos highlighted the added threat of extortion posed by the group behind Maze ransomware, formerly known as ChaCha. In October 2019, in widespread spam campaigns, the perpetrators impersonated the German Finance Ministry and the Italian Internal Revenue service. They have also published victims’ data in order to to coerce payment.

Chester Wisniewski, principal research scientist at Sophos, said: “An effective backup system that enables organisations to restore encrypted data without paying the attackers is business-critical, but there are other important elements to consider if a company is to be truly resilient to ransomware.

“Advanced adversaries like the operators behind the Maze ransomware don’t just encrypt files, they steal data for possible exposure or extortion purposes. Some attackers also attempt to delete or otherwise sabotage backups to make it harder for victims to recover data and increase pressure on them to pay. The way to address these malicious manoeuvres is to keep backups offline, and use effective, multi-layered security solutions that detect and block attacks at different stages,” he added.

Chester Wisniewski, Sophos. Pic: Sophos

The independent survey was conducted during January and February 2020 by Newbury-based research firm Vansen Bourne. Respondents were from 26 countries and from different sized companies in both public and private sectors. Sophos commissioned the report to draw attention to the dangers of ransomware attacks and the need for organisations of all types and sizes to be properly protected.

About the Author

Antony David

A chemistry graduate, Antony spent most of his career using and then making equipment for the music and broadcast industries. He was managing director of Oxford-based electronics and software company, Solid State Logic.