As many as 92% of organisations that paid a ransom in the past 12 months did not get all of their data back, and the average organisation that paid recovered just 65% of its data, Sophos' State of Ransomware 2021 report has revealed.
In 2020, there was a major rise in the number of ransomware attacks targeting organisations, with security firm SonicWall recording a 40% surge in global ransomware attacks in the third quarter of 2020 compared to the corresponding quarter in 2019. The surge was attributed mainly to the global shift towards remote work as organisations acted quickly to keep their operations running amidst severe lockdowns.
The Ryuk ransomware was, according to SonicWall, the most favoured ransomware variant among cybercriminals in 2020, accounting for a third of all ransomware attacks in Q3 2020. Over the same period, Ryuk detections increased from a mere 5,123 in Q3 2019 to 67.3 million in Q3 2020, with the overall number of ransomware detections peaking at around 200 million worldwide.
According to Sophos' State of Ransomware 2021 report, the proportion of organisations hit by ransomware fortunately declined in the past 12 months, to 37% compared with 51% in 2020. Among organisations that were hit, the share whose data was actually encrypted by the attackers also fell, from 73% in 2020 to 54% in the past 12 months.
However, these figures do not indicate in any way that attackers have lost interest in ransomware. The attacks that did take place in the past 12 months were more targeted and more damaging, forcing a larger percentage of victims to pay a ransom and driving the cost of recovering from an attack far higher than before.
The State of Ransomware 2021 report, based on responses from 5,400 IT managers in mid-sized organisations in 30 countries, revealed that the average total cost of recovering from a ransomware attack (downtime, people time, device and network costs, lost business and any ransom paid) more than doubled, from $761,106 in 2020 to $1.85 million in 2021, even though fewer organisations were hit in the period. Sophos attributes this to attackers shifting from large-scale, generic campaigns to more advanced, hands-on targeted attacks that are harder to recover from.
The report also revealed that the percentage of organisations that paid a ransom to recover encrypted data rose from 26% in 2020 to 32% in 2021. Paying, however, did not ensure a full recovery: an alarming 92% of organisations that paid a ransom did not get all of their data back, and on average those that paid recovered only 65% of the data the attackers had encrypted.
These numbers point to one thing: criminals cannot be trusted to honour their promises even when their demands are met in full. Organisations already incur large costs in the aftermath of a ransomware attack to recover data and restore operations, and paying a ransom only to get part of the data back simply adds to the bill, since whatever the decryptor does not restore still has to be recovered from backups or rebuilt.
"What adversaries fail to mention in their ransom notes is that your likelihood of getting all your data back after paying up is very slim: fewer than one in ten (8%) got back all their encrypted files. In fact, on average, organizations that paid the ransom got back only 65% of their data, with 29% getting back no more than half their data. When it comes to ransomware, it doesn’t pay to pay," Sophos said.
This is not the first time that security researchers have highlighted the ineffectiveness of paying a ransom. Late last year, security firm Coveware reported that paying to prevent the release of stolen data no longer brings organisations any reliable benefit, because attackers are not honouring promises to delete the data, are reselling it to other criminals, or are returning to demand a further ransom.
According to Coveware, attackers who use the threat of releasing sensitive data can return at a later date to demand a ransom again, or may sell the data to third parties who then contact the victim company with a demand of their own.
Therefore, even if an organisation chooses to pay a ransom, there is no guarantee that hackers will honour the agreement and any company that chooses to pay a ransom should expect the following:
- The data will not be credibly deleted. Victims should assume it will be traded to other threat actors, sold, or held for a second/future extortion attempt.
- Stolen data custody was held by multiple parties and not secured. Even if the threat actor deletes a volume of data following a payment, other parties that had access to it may have made copies so that they can extort the victim in the future.
- The data may get posted anyway by mistake or on purpose before a victim can even respond to an extortion attempt.
According to Coveware, the operators of the Netwalker and Mespinoza ransomware posted corporate data online even after victim companies had paid for it not to be leaked, the Conti group showed victims fake files as proof of deletion, and the Sodinokibi (REvil) group re-extorted victims that had already paid, threatening to post the same data set again.
"We strongly advise all victims of data exfiltration to take the hard, but responsible steps. Those include getting the advice of competent privacy attorneys, performing an investigation into what data was taken, and performing the necessary notifications that result from that investigation and counsel.
"Paying a threat actor does not discharge any of the above, and given the outcomes that we have recently seen, paying a threat actor not to leak stolen data provides almost no benefit to the victim. There may be other reasons to consider, such as brand damage or long-term liability, and all considerations should be made before a strategy is set," the firm said.