Global survey shows average cost of recovery is $1.4 million if organizations pay ransom, $730,000 if they don’t SophosLabs reports on Maze ransomware techniques that increase pressure to pay

OXFORD, U.K. — 五月 12, 2020 —

Sophos, a global leader in next-generation cybersecurity, today announced the findings of its global survey, The State of Ransomware 2020, which reveals that paying cybercriminals to restore data encrypted during a ransomware attack is not an easy and inexpensive path to recovery. In fact, the total cost of recovery almost doubles when organizations pay a ransom. The survey polled 5,000 IT decision makers in organizations in 26 countries across six continents, including Europe, the Americas, Asia-Pacific and central Asia, the Middle East, and Africa.

More than half (51%) of organizations had experienced a significant ransomware attack in the previous 12 months, compared to 54% in 2017. Data was encrypted in nearly three quarters (73%) of attacks that successfully breached an organization. The average cost of addressing the impact of such an attack, including business downtime, lost orders, operational costs, and more, but not including the ransom, was more than $730,000. This average cost rose to $1.4 million, almost twice as much, when organizations paid the ransom. More than one quarter (27%) of organizations hit by ransomware admitted paying the ransom.

“Organizations may feel intense pressure to pay the ransom to avoid damaging downtime. On the face of it, paying the ransom appears to be an effective way of getting data restored, but this is illusory. Sophos’ findings show that paying the ransom makes little difference to the recovery burden in terms of time and cost. This could be because it is unlikely that a single magical decryption key is all that’s needed to recover. Often, the attackers may share several keys and using them to restore data may be a complex and time-consuming affair,” said Chester Wisniewski, principal research scientist, Sophos.

More than half (56%) the IT managers surveyed were able to recover their data from backups without paying the ransom. In a very small minority of cases (1%), paying the ransom did not lead to the recovery of data. This figure rose to 5% for public sector organizations. In fact, 13% of the public sector organizations surveyed never managed to restore their encrypted data, compared to 6% overall.

However, contrary to popular belief, the public sector was least affected by ransomware, with just 45% of the organizations surveyed in this category saying they were hit by a significant attack in the previous year. At a global level, media, leisure and entertainment businesses in the private sector were most affected by ransomware, with 60% of respondents reporting attacks.

Attackers increase pressure to pay 
SophosLabs researchers have published a new report, Maze Ransomware: Extorting Victims for 1 Year and Counting, which looks at the tools, techniques and procedures used by this advanced threat that combines data encryption with information theft and the threat of exposure. This approach, which Sophos researchers have also observed being adopted by other ransomware families, like LockBit, is designed to increase pressure on the victim to pay the ransom. The new Sophos report will help security professionals better understand and anticipate the evolving behaviors of ransomware attackers and protect their organizations.

“An effective backup system that enables organizations to restore encrypted data without paying the attackers is business critical, but there are other important elements to consider if a company is to be truly resilient to ransomware,” added Wisniewski. “Advanced adversaries like the operators behind the Maze ransomware don’t just encrypt files, they steal data for possible exposure or extortion purposes. We’ve recently reported on LockBit using this tactic. Some attackers also attempt to delete or otherwise sabotage backups to make it harder for victims to recover data and increase pressure on them to pay. The way to address these malicious maneuvers is to keep backups offline, and use effective, multi-layered security solutions that detect and block attacks at different stages.”

Further information is available on SophosLabs Uncut and Naked Security.

The State of Ransomware 2020 survey was conducted by Vanson Bourne, an independent specialist in market research, in January and February 2020. The survey interviewed 5,000 IT decision makers in 26 countries, in the US, Canada, Brazil, Colombia, Mexico, France, Germany, the UK, Italy, the Netherlands, Belgium, Spain, Sweden, Poland, the Czech Republic, Turkey, India, Nigeria, South Africa, Australia, China, Japan, Singapore, Malaysia, Philippines and UAE. All respondents were from organizations with between 100 and 5,000 employees.

关于 Sophos

Sophos 是全球领先的网络安全公司,凭借其人工智能驱动的平台和专家主导的服务,保护着全球 60 万家组织的安全。Sophos 根据各组织在不同安全成熟度的各式各样的需求提供支持,并与其共同成长,携手应对日益严峻的网络攻击。其解决方案结合机器学习、自动化、实时威胁情报以及来自 Sophos X-Ops 的前线真人专家的专业知识,提供 24/7 全天候高级威胁监控、侦测与响应服务。
Sophos 提供行业领先的托管式侦测与响应 (MDR) 服务,同时配备一整套全面的网络安全技术组合,包括端点、网络、电子邮件和云安全、扩展式侦测与响应 (XDR)、身份辨识威胁侦测与响应 (ITDR),以及下一代 SIEM。结合专家咨询服务,这些能力帮助组织主动降低风险,并更迅速地响应,提供力求在不断变化的威胁面前保持领先所需的可见性和可扩展性。
Sophos 通过全球合作伙伴生态系统进入市场,包括托管式服务提供商 (MSPs)、托管式安全服务提供商 (MSSPs)、经销商、分销商、市场集成商以及网络风险合作伙伴,为组织提供灵活的选择,使其能够在保护业务安全的同时建立值得信赖的合作关系。  Sophos 总部位于英国牛津。如欲了解更多信息,请访问 www.sophos.cn。