The average cost for a South African organisation to recover from ransomware is $104 million, with local companies facing prolonged recovery periods. Cyber criminals are also targeting back-up systems to derail efforts by companies to recover and then increase the ransom amount.
This is according to the State of Ransomware in South Africa in 2024 report released today by cyber security solutions provider Sophos.
The company commissioned an independent, vendor-agnostic survey of 5 000 IT/cyber security leaders in mid-sized organisations across 14 countries, including 330 respondents in South Africa.
The survey was conducted between January and February 2024, and participants were asked to respond based on their experiences in the previous 12 months.
In South Africa, 69% of organisations were hit by ransomware in the last year. This is a decrease on the 78% reported in Sophos' 2023 survey but a substantial increase on the 51% reported in 2022. By comparison, globally, 59% of respondents said their organisation had experienced a ransomware attack in the last twelve months.
Sophos noted that malicious e-mail was the most common root cause of attack. Furthermore, in 97% of ransomware attacks, cyber criminals tried to compromise the organisation’s backups, slightly above the global average of 94%.
Additionally, 44% of backup compromise attempts were successful, below the global average of 57%. All South African organisations whose data was encrypted got thier data back, above the global average of 98% but in line with last year’s figure.
Backups remain the most common method used for restoring data, with 72% of South African respondents whose data was encrypted using this approach.
Recovery cost
Ransoms are just one part of the cost. Sophos stated: “Excluding any ransom payments, the average (mean) bill incurred by South African organisations to recover from a ransomware attack was reported at $1.04 million. This is an increase on the $0.75 million reported in 2023. This includes costs of downtime, people time, device cost, network cost, lost opportunity, etc.
"South African organisations are getting slower at recovering from attacks with 41% fully recovered in up to a week, down from 53% in 2023. 26% took between one and six months, an increase from 19% last year.”
While the propensity to be hit by ransomware increases with revenue, even the smallest organisations (less than $10 million in revenue) are still regularly targeted, with just under half (47%) hit by ransomware in the last year.
The 2024 report also found that 63% of ransom demands were for $1 million or more, with 30% of demands for over $5 million, suggesting ransomware operators are seeking huge payoffs.
Sophos said these increased ransom amounts are not just for the highest-revenue organisations surveyed. Nearly half (46%) of organisations with revenue of less $50 million received a seven-figure ransom demand in the last year.
John Shier, field CTO, Sophos, said, “When they were successful in compromising backups, the ransomware demands doubled. Organisations were also twice as likely to pay if their backups were compromised, and the recovery costs were higher as well.We must not let the slight dip in attack rates give us a sense of complacency. The ransomware landscape offers something for every cyber criminal, regardless of skill. While some groups are focused on multi-million-dollar ransoms, there are others that settle for lower sums by making it up in volume.”
“Managing risk is at the core of what we do as defenders. The two most common root causes of ransomware attacks, exploited vulnerabilities and compromised credentials, are preventable, yet still plague too many organisations. Businesses need to critically assess their levels of exposure to these root causes and address them immediately. In a defensive environment where resources are scarce, it's time organisations impose costs on the attackers, as well. Only by raising the bar on what's required to breach networks can organizations hope to maximize their defensive spend.”
Sophos added that with the prevalence of ransomware attacks, there is increasing interest in cyber insurance. However, business leaders need to be aware that criminals have access to financial systems and know whether a company has the money to pay ransoms.
The cyber security company acknowledged that while AI can-and will play a greater role in defence but must be carefully applied – with the knowledge that the technology can just as easily be used by cyber criminals.
Shier said, “AI can help detect malware by recognising patterns in large amounts of data, allowing human analysts to focus on more relevant signals.”
Share