The Sophos report "The State of Ransomware 2021" shows what happens to companies hit by ransomware: enormous costs, complex recovery, and rarely all of the data back. Recovering from a ransomware attack now costs an average of around 970,000 euros in Germany, more than double the 2020 figure.
Sophos has announced the results of its global study "The State of Ransomware 2021". Particularly striking: the average cost of recovery after a ransomware attack has more than doubled within a year, from around 630,000 euros in 2020 (Germany: 390,000 euros) to 1.53 million euros in 2021 (Germany: 970,000 euros). The average ransom payment is 140,000 euros worldwide and 115,000 euros in Germany. The study also shows that only eight percent of the organizations that paid got all of their data back. Almost a third (29 percent) worldwide recovered no more than half of the encrypted data.
Fewer successful attacks, but more damage
The share of organizations that fell victim to a ransomware attack fell from 51 percent (Germany: 57 percent) in 2020 to 37 percent (Germany: 46 percent) in 2021, and fewer of the affected organizations had data encrypted (54 percent in 2021 compared to 73 percent in 2020). Still, the new results reveal a worrying trend in the impact of an attack once it succeeds.
Changes in attacker behavior
"The alleged decline in the number of organizations affected is good news, but it is hurt by the fact that this number reflects, at least in part, changes in attackers' behavior," said Chester Wisniewski, principal research scientist at Sophos. "We've seen attackers move from large-scale, generic, and automated attacks to more targeted attacks that include human keyboard hacking. While the total number is lower, our experience shows that the damage potential from these targeted attacks is far higher. Recovering from such attacks is much more complex, which is reflected in the doubled costs for restoring the data."
Key findings of the Sophos report on ransomware in 2021
The average cost of recovery after a ransomware attack has more than doubled worldwide in the last twelve months, to 1.5 million euros in 2021. This figure includes, for example, production downtime, lost orders and operating costs. On average, it is around ten times the ransom payment itself.
While the average ransom worldwide is 140,000 euros, as mentioned, the highest reported payment was around 2.65 million euros, and the most frequently reported payment was just over 8,000 euros. Ten of the organizations surveyed paid 800,000 euros or more.
2021: 32 percent paid, only 8 percent got all their data back
The share of organizations paying a ransom rose worldwide from 26 percent in 2020 to 32 percent in 2021. Only eight percent of those who paid got all of their data back.
"These results confirm the brutal reality of ransomware: paying is not worth it," says Wisniewski. "Although more organizations pay ransoms, only a minority of payers get the data back in full. This could be partly because using decryption keys for recovery is complicated. And even if the hackers give out the code for the encrypted data after paying the ransom, that's no guarantee for a successful recovery. For example, as we have seen recently with DearCry and Black Kingdom ransomware attacks, attacks launched with poor quality or hastily compiled code and techniques can make data recovery difficult, if not impossible."
One in two companies needs outside help in an emergency
More than half of the respondents, 54 percent worldwide (51 percent in Germany), believe that cyberattacks have become too advanced for their IT department to handle on its own.
Worrying trend: extortion without encryption. Seven percent of respondents worldwide said they were asked to pay a ransom even though their data was not encrypted, up from three percent in 2020. A likely explanation is that the attackers had already stolen information and demanded payment for not leaking it.
Ransomware attacks have high follow-up costs
"It can take years to recover from a ransomware attack. This involves a lot more than just decrypting and restoring data," says Wisniewski. "Complete systems have to be rebuilt, and the operational downtime and effects on customers must not be ignored."
In addition, there is still no conclusive definition of what exactly a ransomware attack comprises. For a small but significant minority of respondents, the attacks included payment demands without any data encryption. This could be because they already had anti-ransomware technology in place that blocked the encryption process. Another reason could be that the attackers simply decided not to encrypt any data. In such cases it can be assumed that the attackers demand payment in return for not publishing data they had already stolen. "It is more important than ever to deny hackers access to the company as early as possible so that they do not even get the chance to access company data with their increasingly multifaceted attacks. Fortunately, affected organizations are not alone. Support is available around the clock in the form of external security centers that, among other things, offer human-led threat hunting and incident response services in order to identify and eliminate such attacks as quickly as possible," says Wisniewski.
The background of the study
For the "The State of Ransomware 2021" study, 5,400 IT decision-makers in mid-sized organizations (100 to 5,000 employees) were surveyed in countries across Europe, North and South America, the Asia-Pacific region, Central Asia, the Middle East and Africa. The research was commissioned by Sophos and carried out by Vanson Bourne, an independent market research company. The complete English report is available online as a freely accessible PDF.
The study as a PDF at Sophos.com
About Sophos
More than 100 million users in 150 countries trust Sophos. We offer the best protection against complex IT threats and data loss. Our comprehensive security solutions are easy to deploy, use and manage, and offer the lowest total cost of ownership in the industry. Sophos offers award-winning encryption solutions and security solutions for endpoints, networks, mobile devices, email and the web, backed by SophosLabs, our worldwide network of analysis centers. Sophos is headquartered in Boston, USA and Oxford, UK.