The average payment for ransomware attacks has increased by 500% in the past year to $2-million, up from $400 000 in 2023, cybersecurity firm Sophos reports in its 'State of Ransomware 2024' report.

Additionally, excluding ransom payments, the survey found the average cost of recovery reached $2.73-million, which is an increase of almost $1-million from the $1.82-million that Sophos reported in 2023.

The latest report also found that 63% of ransom demands were for $1-million or more, with 30% of demands for more than $5-million, suggesting ransomware operators are seeking huge payoffs.

“Unfortunately, these increased ransom amounts are not just for the highest-revenue organisations surveyed, as nearly half, or 46%, of organisations with revenue of less $50-million received a seven-figure ransom demand in the past year,” the cybersecurity firm noted.

Meanwhile, this year’s survey indicates a slight reduction in the rate of ransomware attacks, with 59% of organisations being hit compared with 66% in 2023.

“While the propensity to be hit by ransomware increases with revenue, even the smallest organisations, those with less than $10-million in revenue, are still regularly targeted, with just under half, or 47%, hit by ransomware in the past year,” the company added.

“Ransomware attacks are still the most dominant threat today and are fuelling the cybercrime economy. Ransomware increases the variety and volume of precursor threats and services that feed into these attacks,” said Sophos field CTO John Shier.

“The skyrocketing costs of ransomware attacks belie the fact that this is an equal opportunity crime. The ransomware landscape offers something for every cybercriminal, regardless of skill. While some groups are focused on multimillion-dollar ransoms, there are others that settle for lower sums by making it up in volume,” he said.

ATTACK VECTORS
For the second year running, exploited vulnerabilities were the most commonly identified root cause of an attack, impacting on 32% of organisations. This was closely followed by compromised credentials at 29%, and then by malicious email at 23%.

Victims where the attack started with exploited vulnerabilities reported the most severe impact to their organisation, with a higher rate of backup compromise at 75%, data encryption at 67% and the propensity to pay the ransom at 71% than when attacks started with compromised credentials, Sophos highlighted.

“The surveyed organisations also had considerably greater financial and operational impact, with the average recovery cost at $3.58-million compared with $2.58-million when an attack started with compromised credentials, and a greater proportion of attacked organisations taking more than a month to recover when an attack started with exploited vulnerabilities.”

Further, 94% of organisations hit by ransomware in the past year said that the cybercriminals attempted to compromise their backups during the attack, rising to 99% in both State and local government. In 57% of instances, backup compromise attempts were successful, the cybersecurity firm noted.

In 32% of incidents where data was encrypted, data was also stolen. This is a slight lift from the prior year’s 30%, and increases attackers’ ability to extort money from their victims.

“The two most common root causes of ransomware attacks, exploited vulnerabilities and compromised credentials, are preventable, yet still plague many organisations. Businesses need to critically assess their levels of exposure to these root causes and address them immediately.

“In a defensive environment where resources are scarce, organisations must impose costs on the attackers, as well. Only by raising the bar on what is required to breach networks can organisations hope to maximise their defensive spend,” said Shier.

SOUTH AFRICAN STATISTICS
Findings from the independent, vendor-agnostic, survey of 330 information technology professionals in mid-sized organisations in South Africa show that 69% of South African organisations were hit by ransomware in the past year.

This is a decrease on the 78% reported in the company's 2023 survey, but a substantial increase on the 51% reported in 2022. By comparison, globally, 59% of respondents said their organisation had experienced a ransomware attack in the past 12 months.

Malicious email was the most common root cause of attack for South African organisations, used in 32% of incidents. Compromised credentials were the second most frequent attack vector, used in 26% of attacks.

Further, 76% of attacks resulted in data being encrypted, which is above the global average of 70%, but below the 89% reported by South African respondents in the prior year's survey.

“Data was also stolen in 35% of attacks where data was encrypted, above the global average of 32%, but in line with the 35% reported by South African respondents in our 2023 study,” Sophos said.

In 97% of South African ransomware attacks, cybercriminals tried to compromise the organisation’s backups, slightly above the global average of 94%. However, 44% of backup compromise attempts were successful, which is below the global average of 57%.

Backups remain the most common method used for restoring data, with 72% of South African respondents whose data was encrypted using this approach. This is a decrease from the 76% that used backups in the 2023 survey, the company noted.

The mean South African ransom demand was $975 675 and the median South African ransom demand was $165 000. Further, 29% of demands were for $250 000 or more.

Further, excluding any ransom payments, the average bill incurred by South African organisations to recover from a ransomware attack was reported at $1.04-million. This is an increase on the $0.75-million reported in 2023. This includes costs of downtime, people time, device cost, network cost and lost opportunity, among others.

Of the South African ransomware victims, 99% reported the attack to law enforcement and/or an official government body. Of them, 64% received advice on dealing with the attack, 68% got help investigating the attack, and 47% received assistance in recovering data encrypted in the attack, the survey showed.

Additionally, 61% of those that reported the attack found it easy to engage with law enforcement and/or official bodies, while 35% found it somewhat difficult and 4% said it was very difficult to engage.

“Ransomware remains a major threat to South African organisations of all sizes around the globe. While the overall attack rate has dropped over the past year, the impact of an attack on those that fall victim has increased. As adversaries continue to iterate and evolve their attacks, it is essential that defenders and their cyberdefences keep pace,” Sophos said in its report.