Ransomware costs are 7x higher than ransom paid: Check Point Research

0

Check Point Research (CPR) shares new insights into the ransomware economy after further analyzing Conti group leaks and different ransomware victims related data sets. Paid ransom is a small component of the actual cost of a ransomware attack to the victim, as CPR estimates the total cost to be 7x higher. Cybercriminals are demanding a sum congruent with annual revenue of the victim, ranging between 0.7% to 5%. Duration of a ransomware attack declined significantly, from 15 days to 9 days in 2021. CPR also sees that ransomware groups have clear ground rules for successful negotiation with victims, influencing the negotiation process and dynamics.

  • CPR analyzes two data sets to explore both sides of ransomware attack: victims and cybercriminals
  • CPR shares ransomware numbers by region for Q1 2022, compared to Q1 2021
  • CPR shares four ransomware prevention tips for organizations everywhere

Check Point Research (CPR) analyzed two data sets to get new insights into the ransomware economy, estimating that the collateral cost of ransomware for victims is 7 times more than ransom paid.  The first data set was Kovrr’s cyber incidents database, which contains up-to-date information on cyber events and their financial impact. The second data set used was Conti group leaks. CPR’s research aimed to explore both sides of a ransomware attack: victims and cybercriminals.

Key Findings

  1. Collateral cost. The paid ransom is a small component of the cost of ransomware attack to the victim. CPR estimates the total cost of the attack to the victim is 7 times higher than what they pay to the cybercriminals, and it consists of response and restoration costs, legal fees, monitoring costs.
  2. Demand sum. Ransom demand sum depends on the annual revenue of the victim and ranges between 0.7% to 5% of the annual revenue. While the higher the annual revenue of the victim, the lower the percentage of the revenue that will be demanded, as that percentage represents a higher number value in dollars.
  3. Attack duration. Duration of a ransomware attack declined significantly in 2021, from 15 days to 9 days.
  4. Negotiation ground-rules. Ransomware groups have clear ground rules for successful negotiation with victims, influencing the negotiation process and dynamics:
  1. Accurate estimation of the victim’s financial posture
  2. Quality of exfiltrated data from the victim
  3. The reputation of the ransomware group
  4. Existence of a cyber-insurance
  5. The approach and the interests of victims’ negotiators

Quote: Sergey Shykevich, Threat Intelligence Group Manager at Check Point Software:

“In this research, we have provided an in-depth look into both the attackers’ and victims’ perspectives of a ransomware attack. The key learning is that the paid ransom, which is the number most researches deal with, is not a key number in the ransomware ecosystem. Both cybercriminals and victims have many other financial aspects and considerations around the attack. It’s remarkable just how systematic these cybercriminals are in defining the ransom number and in the negotiation. Nothing is casual and everything is defined and planned according to factors that we’ve described. Noteworthy is the fact that for victims, the ‘collateral cost’ of ransomware is 7 times more than the ransom they pay. Our message to the public is that building in advance proper cyber defenses, especially a well-defined response plan to ransomware attacks, can save a lot of money for organizations.”

Ransomware by the Numbers

In the first quarter of 2022, CPR is sharing the following numbers:

  • Globally, the weekly average of impacted organizations is 1 out of 53 – a 24% increase YoY (1 out of 66 organizations in Q1 2021)
  • In EMEA, the weekly average of impacted organizations is 1 out of 45 – a 37% increase YoY (1 out of 62 organizations in Q1 2021)
  • In APAC, the weekly average of impacted organizations is 1 out of 44 – a 37% increase YoY  (1 out of 60 organizations in Q1 2021)
  • In Africa, the weekly average of impacted organizations is 1 out of 44 – a 23% increase YoY (1 out of 54 organizations in Q1 2021)
  • In ANZ, the weekly average of impacted organizations is 1 out of 88 – a 81% increase YoY (1 out of 160 organizations in Q1 2021)
  • In Asia, the weekly average of impacted organizations is 1 out of 24 – a 54% increase YoY (1 out of 37 organizations in Q1 2021)
  • In Europe, the weekly average of impacted organizations is 1 out of 68 – a 16% increase YoY (1 out of 80 organizations in Q1 2021)
  • In North America, the weekly average of impacted organizations is 1 out of 120 – no change YoY
  • In Latin America, the weekly average of impacted organizations is 1 out of 52 – a 25% increase YoY (1 out of 64 organizations in Q1 2021)

 How to Protect yourself from Ransomware

  1. Robust Data Backup. The goal of ransomware is to force the victim to pay a ransom in order to regain access to their encrypted data. However, this is only effective if the target actually loses access to their data. A robust, secure data backup solution is an effective way to mitigate the impact of a ransomware attack.
  2. Cyber Awareness Training. Phishing emails are one of the most popular ways to spread ransom malware. By tricking a user into clicking on a link or opening a malicious attachment, cybercriminals can gain access to the employee’s computer and begin the process of installing and executing the ransomware program on it. Frequent cybersecurity awareness training is crucial to protecting the organization against ransomware.
  3. Strong, Secure User Authentication. Enforcing a strong password policy, requiring the use of multi-factor authentication, and educating employees about phishing attacks designed to steal login credentials are all critical components of an organization’s cybersecurity strategy.
  4. Up-to-Date Patches. Keeping computers up-to-date and applying security patches, especially those labeled as critical, can help to limit an organization’s vulnerability to ransomware attacks.

LEAVE A REPLY

Please enter your comment!
Please enter your name here