Sophos “State of Ransomware 2021” Reveals That Only 8% of Businesses That Pay a Ransom Get Back All of Their Data.

54% Say Cyberattacks Are Too Advanced for Their IT Team to Handle on Their Own

OXFORD, U.K.  — 四月 27, 2021 —

Sophos, a global leader in next-generation cybersecurity, today announced the findings of its global survey, “The State of Ransomware 2021,” which reveals that the average total cost of recovery from a ransomware attack has more than doubled in a year, increasing from $761,106 in 2020 to $1.85 million in 2021. The average ransom paid is $170,404. The global findings also show that only 8% of organizations managed to get back all of their data after paying a ransom, with 29% getting back no more than half of their data.

The survey polled 5,400 IT decision makers in mid-sized organizations in 30 countries across Europe, the Americas, Asia-Pacific and Central Asia, the Middle East, and Africa.

While the number of organizations that experienced a ransomware attack fell from 51% of respondents surveyed in 2020 to 37% in 2021, and fewer organizations suffered data encryption as the result of a significant attack (54% in 2021 compared to 73% in 2020), the new survey results reveal worrying upward trends, particularly in terms of the impact of a ransomware attack.

“The apparent decline in the number of organizations being hit by ransomware is good news, but it is tempered by the fact that this is likely to reflect, at least in part, changes in attacker behaviors,” said Chester Wisniewski, principal research scientist, Sophos. “We’ve seen attackers move from larger scale, generic, automated attacks to more targeted attacks that include human hands-on-keyboard hacking. While the overall number of attacks is lower as a result, our experience shows that the potential for damage from these more advanced and complex targeted attacks is much higher. Such attacks are also harder to recover from, and we see this reflected in the survey in the doubling of overall remediation costs.”

The main findings of the State of Ransomware 2021 global survey include:

  • The average cost of remediating a ransomware attack more than doubled in the last 12 months. Remediation costs, including business downtime, lost orders, operational costs, and more, grew from an average of $761,106 in 2020 to $1.85 million in 2021. This means that the average cost of recovering from a ransomware attack is now 10 times the size of the ransom payment, on average
  • The average ransom paid was $170,404. While $3.2 million was the highest payment out of those surveyed, the most common payment was $10,000. Ten organizations paid ransoms of $1 million or more
  • The number of organizations that paid the ransom increased from 26% in 2020 to 32% in 2021, although fewer than one in 10 (8%) managed to get back all of their data

“The findings confirm the brutal truth that when it comes to ransomware, it doesn’t pay to pay. Despite more organizations opting to pay a ransom, only a tiny minority of those who paid got back all their data,” said Wisniewski. “This could be in part because using decryption keys to recover information can be complicated. What’s more, there’s no guarantee of success. For instance, as we saw recently with DearCry and Black Kingdom ransomware, attacks launched with low quality or hastily compiled code and techniques can make data recovery difficult, if not impossible.”

  • More than half (54%) of respondents believe cyberattacks are now too advanced for their IT team to handle on their own
  • Extortion without encryption is on the rise. A small, but important 7% said that their data was not encrypted, but they were held to ransom anyway, possibly because the attackers had managed to steal their information. In 2020, this figure was 3%

“Recovering from a ransomware attack can take years and is about so much more than just decrypting and restoring data,” said Wisniewski. “Whole systems need to be rebuilt from the ground up and then there is the operational downtime and customer impact to consider, and much more. Further, the definition of what constitutes a ‘ransomware’ attack is evolving. For a small, but significant minority of respondents, the attacks involved payment demands without data encryption. This could be because they had anti-ransomware technologies in place to block the encryption stage or because the attackers simply chose not to encrypt the data. It is likely that the attackers were demanding payment in return for not leaking stolen information online. A recent example of this approach involved the Clop ransomware gang and a known financially-motivated threat actor hitting around a dozen alleged victims with extortion-only attacks.

“In short, it is more important than ever to protect against adversaries at the door, before they get a chance to take hold and unfold their increasingly multi-faceted attacks. Fortunately, if organizations are attacked, they don’t have to face this challenge alone. Support is available 24/7 in the form of external security operations centers, human-led threat hunting and incident response services.”

Sophos recommends the following six best practices to help defend against ransomware and related cyberattacks:

  1. Assume you will be hit. Ransomware remains highly prevalent. No sector, country or organization size is immune from the risk. It’s better to be prepared, but not hit, rather than the other way round
  2. Make backups and keep a copy offline. Backups are the main method organizations surveyed used to recover their data after an attack. Opt for the industry standard approach of 3:2:1 (three sets of backups, using two different media, one of which is kept offline)
  3. Deploy layered protection. As more ransomware attacks also involve extortion, it is more important than ever to keep adversaries out in the first place. Use layered protection to block attackers at as many points as possible across an estate
  4. Combine human experts and anti-ransomware technology. The key to stopping ransomware is defense in depth that combines dedicated anti-ransomware technology and human-led threat hunting. Technology provides the scale and automation an organization needs, while human experts are best able to detect the tell-tale tactics, techniques and procedures that indicate an attacker is attempting to get into the environment. If you don’t have the skills in house, look at enlisting the support of a specialist cybersecurity company – Security Operation Centers (SOCs) are now realistic options for organizations of all sizes
  5. Don’t pay the ransom. Easy to say, but far less easy to do when an organization has ground to a halt due to a ransomware attack. Independent of any ethical considerations, paying the ransom is an ineffective way to get data back. If you do decide to pay, bear in mind that the adversaries will restore, on average, only two-thirds of your files
  6. Have a malware recovery plan. The best way to stop a cyberattack from turning into a full breach is to prepare in advance. Organizations that fall victim to an attack often realize they could have avoided significant financial loss and disruption, if they had an incident response plan in place

The State of Ransomware 2021 survey report is available in full on Sophos.com.

The State of Ransomware 2021 survey was conducted by Vanson Bourne, an independent specialist in market research, in January and February 2021. The survey interviewed 5,400 IT decision makers in 30 countries, in the US, Canada, Brazil, Chile, Colombia, Mexico, Austria, France, Germany, the UK, Italy, the Netherlands, Belgium, Spain, Sweden, Switzerland, Poland, the Czech Republic, Turkey, Israel, UAE, Saudi Arabia, India, Nigeria, South Africa, Australia, Japan, Singapore, Malaysia, and the Philippines. All respondents were from organizations with between 100 and 5,000 employees.

Sophos Intercept X protects users by detecting the actions and behaviors of ransomware and other attacks.

关于 Sophos

Sophos 是全球领先的网络安全公司,凭借其人工智能驱动的平台和专家主导的服务,保护着全球 60 万家组织的安全。Sophos 根据各组织在不同安全成熟度的各式各样的需求提供支持,并与其共同成长,携手应对日益严峻的网络攻击。其解决方案结合机器学习、自动化、实时威胁情报以及来自 Sophos X-Ops 的前线真人专家的专业知识,提供 24/7 全天候高级威胁监控、侦测与响应服务。
Sophos 提供行业领先的托管式侦测与响应 (MDR) 服务,同时配备一整套全面的网络安全技术组合,包括端点、网络、电子邮件和云安全、扩展式侦测与响应 (XDR)、身份辨识威胁侦测与响应 (ITDR),以及下一代 SIEM。结合专家咨询服务,这些能力帮助组织主动降低风险,并更迅速地响应,提供力求在不断变化的威胁面前保持领先所需的可见性和可扩展性。
Sophos 通过全球合作伙伴生态系统进入市场,包括托管式服务提供商 (MSPs)、托管式安全服务提供商 (MSSPs)、经销商、分销商、市场集成商以及网络风险合作伙伴,为组织提供灵活的选择,使其能够在保护业务安全的同时建立值得信赖的合作关系。  Sophos 总部位于英国牛津。如欲了解更多信息,请访问 www.sophos.cn。