Average ransom payments surged by 500% in the past year to reach $2m per payment, according to Sophos’ The State of Ransomware 2024 report.
This compares to an average payment of $400,000 calculated by Sophos in its 2023 study, demonstrating that ransomware operators are seeking increasingly large payoffs from victims.
Nearly two thirds (63%) of ransom demands made in the past year were for $1m or more, and 30% were for more than $5m.
This is despite a reduction in the rate of organizations being hit by ransomware in the past year, at 59%, which compares to 66% in Sophos’ State of Ransomware 2023 report.
Ransomware Actors Demanding Bigger Payouts
Of those who received a seven-figure ransom demand in 2023, 46% had a revenue of less than $50m.
Less than a quarter (24%) of respondents that paid a ransom demand handed over the amount originally requested by the attacker, with 44% reporting paying less than the original demand.
On average, ransom payments sent were worth 94% of the initial ransom demand.
The report also found that funding for ransom payments came from a variety of sources in 82% of cases. Overall, 40% of the funding for payments came from the victim organizations themselves, with the organization’s parent company and/or governing body typically providing 19%.
Nearly a quarter (23%) of all ransom payment funding comes from insurance providers, with insurers contributing toward the ransom in 83% of cases.
Large organizations were more likely to pay a ransom demand, with 61% of organizations with an annual revenue of $5bn+ paying attackers after being hit. This compares to 25% of organizations with a revenue of under $10m.
Excluding ransom payments, the average cost of recovery from a ransomware attack was $2.73m, nearly $1m higher than the previous year, which was $1.82m.
The recovery time also grew in 2023, with only 35% of ransomware victims fully recovered within a week. This compares to 47% of victims in 2022.
How Ransomware Actors Are Targeting Organizations
Exploited vulnerabilities were the most common root cause of ransomware attacks in 2023, accounting for 32% of incidents. This is a fall compared to 2022, when 36% of incidents were caused by an exploited vulnerability.
The next most common root causes were compromised credentials (29%), malicious email (23%) and phishing (11%).
When the attack began with exploitation of an unpatched vulnerability, victim organizations reported significantly more severe outcomes than those where it began with compromised credentials.
This included being more likely to:
- Have backups compromised (75% vs 54%)
- Have data encrypted (67% vs 43%)
- Pay the ransom demand (71% vs 45%)
- Have higher overall attack recovery costs ($3m vs $750,000)
Large organizations were more likely to experience a ransomware attack that started with an unpatched vulnerability, which was the root cause for 38% of organizations with a revenue of $5bn+ that were hit.
The research also found that cybercriminals attempted to compromise backups at 94% of ransomware victims in the past year, with over half (57%) of these attempts proving successful.
Those organizations whose backups were compromised received on average double the ransom demand compared to those whose backups were not compromised ($2.3m vs $1m).
The rate of data theft in ransomware incidents rose in the past year, occurring in 32% of cases in 2023 versus 30% in 2022. Data theft provides an additional means for attackers to extort victims alongside encrypting data, by threatening to publish the stolen information on the dark web.
Almost all organizations that had data encrypted managed to get their data back. The two primary ways of achieving this were restoring from backups (68%) and paying the ransom to get the decryption key (56%).