During the past 12 months, the average cost of remediating a ransomware attack in South Africa was $447 097 (R6.4 million).
This is according to cyber security firm Sophos, which announced the findings of its global survey: “The State of Ransomware 2021”, which reveals the global average total cost of recovery from a ransomware attack has more than doubled in a year, increasing from $761 106 (R11 million) in 2020 to $1.85 million (R26.5 million) in 2021.
The firm says the average ransom paid is $170 404. The global findings also show that only 8% of organisations managed to get back all of their data after paying a ransom, with 29% getting back no more than half of their data.
The survey polled 5 400 ICT decision-makers in mid-sized organisations in 30 countries across Europe, the Americas, Asia-Pacific and Central Asia, the Middle East, and Africa.
Sophos notes that while the number of organisations that experienced a ransomware attack fell from 51% of respondents surveyed in 2020 to 37% in 2021, and fewer organisations suffered data encryption as the result of a significant attack (54% in 2021 compared to 73% in 2020), the new survey results reveal worrying upward trends, particularly in terms of the impact of a ransomware attack.
Highest amounts paid
Globally, the average ransom paid was $170 404, while $3.2 million was the highest payment and the most common payment was $10 000. Ten organisations paid ransoms of $1 million or more, the survey found.
The number of organisations that paid the ransom increased from 26% in 2020 to 32% in 2021, although fewer than one in 10 (8%) managed to get back all of their data.
“The apparent decline in the number of organisations being hit by ransomware is good news, but it is tempered by the fact that this is likely to reflect, at least in part, changes in attacker behaviours,” says Chester Wisniewski, principal research scientist at Sophos.
“We’ve seen attackers move from larger scale, generic, automated attacks to more targeted attacks that include human hands-on-keyboard hacking. While the overall number of attacks is lower as a result, our experience shows that the potential for damage from these more advanced and complex targeted attacks is much higher. Such attacks are also harder to recover from, and we see this reflected in the survey in the doubling of overall remediation costs.”
In SA, Sophos says 24% of respondents from the country had experienced a ransomware attack in the last 12 months – the same proportion as the year before.
However, it says fewer organisations in SA had data encrypted as the result of a significant ransomware attack – 44% in 2021, compared to 56% in 2020.
The firm adds that 42% of respondents from SA that were not hit by ransomware in the last 12 months but expect to be hit in the future believe that ransomware attacks are getting increasingly hard to stop due to their sophistication.
Some 31% of respondents from SA that weren’t hit by ransomware in the last 12 months but expect to be hit in the future say it is hard to stop their users from compromising the organisation’s security, Sophos notes.
Another cyber security firm Kaspersky this week issued a statement saying the ransomware threat became mainstream news in the 2010s following large-scale outbreaks, such as WannaCry and Cryptolocker.
According to Kaspersky, SA ranks third in the highest number of users encountering targeted ransomware attacks.
It notes that targeted ransomware attacks – attacks against a chosen victim with the goal of extorting money – are often aimed at high-profile targets, such as corporations, government and municipal agencies, and healthcare organisations.
The attacks involve significantly more sophistication (network compromise, reconnaissance and persistence, or lateral movement) and a much larger payout.
It doesn’t pay to pay
Sophos’s Wisniewski comments: “The findings confirm the brutal truth that when it comes to ransomware, it doesn’t pay to pay. Despite more organisations opting to pay a ransom, only a tiny minority of those who paid got back all their data.
“This could be in part because using decryption keys to recover information can be complicated. What’s more, there’s no guarantee of success. For instance, as we saw recently with DearCry and Black Kingdom ransomware, attacks launched with low quality or hastily compiled code and techniques can make data recovery difficult, if not impossible.”
He adds that recovering from a ransomware attack can take years and is about so much more than just decrypting and restoring data.
“Whole systems need to be rebuilt from the ground up and then there is the operational downtime and customer impact to consider, and much more. Further, the definition of what constitutes a ‘ransomware’ attack is evolving.
“For a small, but significant minority of respondents, the attacks involved payment demands without data encryption.”
He explains this could be because they had anti-ransomware technologies in place to block the encryption stage, or because the attackers simply chose not to encrypt the data.
“It is likely the attackers were demanding payment in return for not leaking stolen information online. A recent example of this approach involved the Clop ransomware gang and a known financially-motivated threat actor hitting around a dozen alleged victims with extortion-only attacks.”