Ransom payments made up about a seventh of the overall costs of ransomware attacks on organizations in 2020, according to a new study by Check Point Research and Kovrr. Other expenses, such as response and restoration costs, legal fees, and monitoring costs, make up the bulk of the total expenses for the attacked organizations.
Most ransomware attacks are designed to encrypt data on organization devices after successful breaches; the attackers use the encrypted data as a bargaining chip, but may also threaten to leak data that was dumped during the attack to pressure organizations into giving in to ransom demands.
Check Point Research saw a 24% year-over-year increase in ransomware attacks globally, with 1-in-53 organizations suffering a ransomware attack on average. Ransomware gangs and operations have evolved, and gangs are establishing structures and policies that resemble those of legitimate organizations.
The duration of ransomware attacks went down as a result of the professionalization of ransomware gangs and improved response processes on the victim’s side. At their peak, ransomware attacks lasted for an average of 15 days according to Check Point Research. The number of days dropped to an average of 9.9 days in 2021, and the researchers believe that structural changes in ransomware organizations and improved processes in legitimate organizations play a role in this.
Tip: Windows users may enable ransomware protection on Windows 10 and 11.
Ransom demands and how they are calculated
Ransomware gangs use research that is very similar to the research of financial analysts to determine the ransom. The research looks at the annual revenue of organizations, the industry, and other parameters to come up with a number.
Analysis of the activity of the Conti Group, a ransomware group that has been in operation since at least 2020, revealed an average demand of 2.82% of an organization’s annual revenue. Individual percentages of revenue ranged from 0.71% to 5% in the analyzed data set.
The higher the annual revenue of the organization, the lower the requested percentage. Check Point Research explains that lower percentages still led to higher payments because of the organization’s higher annual revenue.
Check Point Research identified five major steps in the ransomware negotiation process:
- Finding leverage. Ransomware gangs are interested in completing transactions quickly. They will analyze the stolen data to find leverage that they may use in negotiations with company representatives. They attempt to find the “most sensitive files” for use as leverage. Groups may publish files on private sites and threaten to make the data public if the ransom is not paid by the organization.
- Discounts for quick payments. Ransomware gangs may give organizations a discount if they pay in the first couple of days after the attack hit the organization’s infrastructure. The Conti group offered discounts of between 20% and 25% of the ransom in those cases.
- Negotiations. Some organizations hire third-party negotiators to act on their behalf. At this stage, organizations may attempt to reduce the ransom demand further, or provide explanations why payments take longer than expected.
- More threats and last chance to come to an agreement. Groups may upload more of the data that they have stolen to private sites at this point to put additional pressure on the organization.
- Agreement or the dumping of data. The final stage of the negotiations has one of two outcomes: both parties agree on a ransom, which is then paid, or the data may be leaked to the public if both parties do not come to an agreement.
Established ransomware gangs depend on their reputation. Not handing out the decryption keys after the ransom has been paid could impact future negotiations severely.
The financial impact of ransomware attacks
Victims of ransomware attacks are often unaware of the costs associated with ransomware attacks. The duration of ransomware attacks may have a serious impact on an organization’s ability to operate its business.
The encryption of key servers, databases or employee endpoints may result in a slowdown or standstill of operations. Toyota had to halt production in some of its facilities after a successful ransomware attack in 2022.
The average and median ransomware attack duration decreased in 2021 for the first time since 2017. In 2020, the average and median attack lasted 15 and 12 days, respectively; the numbers dropped to 9.9 and 5 days in 2021.
Check Point Research suggests that the peak in 2020 was caused by a rise in double-extortion attacks in 2020, which “caught organizations off guard and resulted in long negotiations between attackers and victims”. Organizations “established better response plans to mitigate ransomware events” to better react to double-extortion attacks, and this resulted in decreased attack durations.
Negotiations may reduce the actual ransom payment significantly. In 2021, the ratio of average extortion payments to extortion demands was 0.486. Victims paid less than half of the requested ransom on average in 2021.
The number was higher in 2019, when it was 0.889, and lower in 2020, when it was at 0.273. Explanations for the drop since 2019 include the implementation of effective ransomware response plans in many organizations, which often include professional payment negotiations.
The researchers suggest that the ratio increase between 2020 and 2021 is a direct result of the professionalization of ransomware groups. Groups “have become more efficient at calculating their extortion demands”.
Breakdown of costs
The financial impact of ransomware attacks consists of several components: the ransom that is paid, and “response and restoration costs, legal fees, monitoring and additional costs”. The majority of costs apply regardless of whether the ransom is paid by the organization.
Organizations may lose income during the attack and after it has ended, as core systems and processes may not be accessible. The ratio of total attack costs to extortion payments rose from 3.463 in 2019 to 7.083 in 2020. Ransom demands made up a little bit more than 15% of all expenses associated with ransomware attacks in 2020 on average; this is a huge increase in costs.
The researchers did not include data from 2021, as it was not complete at this point. They explain that there are delays between when ransomware attacks occur and the reporting of the attacks. Additionally, it may take time to calculate costs caused by the attack, as factors such as long-term reputational damage or legal costs may take time to be factored in.
Now you: have you experienced ransomware attacks on your devices or in your organization?