Why ransomware attacks can cost companies up to seven-times more than the ransom

ransomware attacks cost seven times the ransom amount

Share this content

New research by protection software manufacturer Check Point also reveals how ransomware gangs are becoming ‘more professional’ employing advanced financial analysis and ensuring their reputation is preserved

The real cost of a ransomware attack is up to seven times more than the initial ransom demand, according to new research by Check Point.

Check Point is an American-Israeli multinational provider of software and combined hardware and software products for  the whole range of IT security, including network endpoint, mobile and data protection.

Researchers analyzed data from several thousand cyberattacks to calculate the cost of system restorations and overall business disruption contributed.

It also revealed the new ‘professionalism’ of ransomeware gangs, such as the notorious Russian Conti organization. Gangs apply levels of financial analysis compared to legitimate companies before making the demands and look to ensure their reputation is preserved by ensuring unlock keys are supplied once ransoms are paid, to ensure future success. 

Check Point Research identified five steps in the ransomware negotiation process:

  • Finding leverage. Ransomware gangs are interested in completing transactions quickly. They will analyze the stolen data to find the “most sensitive files” for use as leverage. 
  • Discounts for quick payments. Ransomware gangs may give organizations a discount if they pay in the first couple of days after the attack hit the organization’s infrastructure. The Conti group has offered discounts of up to 25%.
  • Negotiations. Some organizations hire third-party negotiations to act on their behalf often in an attempt to reduce the payment.
  • More threats and last chance to come to an agreement. Attackers will leak more data the longer negotiations take.
  • Agreement or the dumping of data. The final stage of the negotiations has one of two outcomes: both parties agree on a ransom, which is then paid, or without agreement, data will be leaked.

Ransomware is one of the fastest growing cyber security threats facing businesses across the world. As most business now recognize, it is a malware that denies users access to their data until they pay the ransom payment.

In the US, the average ransomware payment for victims totals more than $6 million, according to this new research from Check Point, this figure is only scraping the surface.

The report says: “Most other losses, including response and restoration costs, legal fees, monitoring costs, etc., are applied whether the extortion demand was paid or not. The year 2020 showed that the average total cost of a ransomware attack was more than seven times higher than the average ransom paid.”   

According to separate research by Coveware (link HERE) the average ransom payment in Q4 2021 stood at $322,168. Meanwhile research by IBM concluded the average ransomware attack now costs $4.6m, higher than the average for regular breaches ($4.2m) (link HERE).

The study was carried out in a partnership between Check Point Research and Kovrr. Kovrr offers companies and insurers software to model the affects and finial cost of cyber attacks.

The report explains in simple language that most ransomware attacks are designed to encrypt data on organization’s devices after successful breaches.

Attackers are then able to use the encrypted data as a bargaining chip, which could be data leaks or refusal to reinstate systems.

The Check Point report also gave an insight into the way gangs operate, calculating that one in 53 companies around the world suffered some sort of ransomware breach during 2020.

It said: “Ransomware gangs and operations have evolved, and gangs are establishing structures and policies that resemble those of legitimate organizations.” That ‘professionalism’ of gangs had actually resulted in attacks lasting for shorter timelines: from 15 days at its peak to 9.9 days in 2021.”

Ransomware gangs use research that is comparable to the research of financial analysts, before deciding the ransom size. Their research looks at the annual revenue of organizations, the industry, and other parameters to come up with a number. 

Established ransomware gangs depend on their reputation too, said the report. Not handing out the decryption keys after ransom has been paid could impact future negotiations severely. So, if a company pays, it gets the decryption code to restore data so future victims know the benefit of payment.

Analysis of the notorious Conti Group activity – a ransomware group that has been in operation since 2020 at the least – revealed an average demand of 2.82% of an organization’s annual revenue. Individual percentages of revenue ranged from 0.71% to 5% in the analyzed data set.

The Conti Group is based in Russia and operated a site from which it can leak documents copied by the ransomware since 2020. The same gang has operated the Ryuk ransomware. The group is also known as Wizard Spider and following the Russian invasion of Ukraine, Conti pledged its support to the Russian state. 

It is widely believed in the West that while these groups may not be directly linked to the Russian Federation government, President Putin allows operation provided there is no damage to Russian interests. 

Check Point Research suggests that the peak in 2020 was caused by a rise in double-extortion attacks in 2020, which “caught organizations off guard and resulted in long negotiations between attackers and victims”. Organizations “established better response plans to mitigate ransomware events” to better react to double-extortion attacks, and this resulted in decreased attack durations.

Negotiations may reduce the actual ransom payment significantly. In 2021, the ratio of average extortion payments to extortion demands was 0.486. Victims paid less than half of the requested ransom on average in 2021.

The number was higher in 2019, when it was 0.889, and lower in 2020, when it was at 0.273. Explanations for the dropping since 2019 include the implementation of effective ransomware response plans in many organizations, which often include professional payment negotiations.

The researchers suggest that the ratio increase between 2020 and 2021 is a direct result of professionalization of ransomware groups. Groups “have become more efficient at calculating their extortion demands”.

The researchers did not include data from 2021, as it was not complete at this point. They explain that there are delays between when ransomware attacks occur and the reporting of the attacks. Additionally, it may take time to calculate costs caused by the attack, as factors such as long-term reputational damage or legal costs may take time to be factored in.

About Check Point

The company has more than 6,000 employees worldwide. Headquartered in Tel Aviv, Israel and San Carlos, California. The company has offices in over 70 locations worldwide including main offices in North America, 10 in the United States, Canada, Europe and Asia. Discover more HERE

Return to Security Journal Americas NEWS pages

Receive the latest breaking news straight to your inbox