Ransomware attacks have become increasingly common in recent years, with criminals encrypting company data and demanding payment to decrypt it. Many businesses feel they have no choice but to pay the ransom, especially if they lack backups of their data. But how much are companies actually paying to recover from ransomware attacks?
Summary of Key Points
- Average ransom payment was over $100,000 in 2020
- Total ransom payments exceeded $350 million in 2020
- Highest individual ransom topped $30 million
- Small and medium businesses are frequent targets
- Paying the ransom doesn’t guarantee data recovery
- Having backups is the best defense against ransomware
Average Ransom Payments
According to research by cybersecurity firm Coveware, the average ransom payment among their clients in 2020 was $233,817. This represented a 171% increase from 2019, when the average payment was $84,116. The median ransom payment was $110,532 in 2020. This data only reflects known payments that were facilitated by Coveware, so the overall average across all ransomware attacks could potentially be lower. However, the steep increase illustrates how ransom demands are skyrocketing.
Total Ransom Payments
By aggregating known payments across the industry, Coveware estimates that total ransomware payments exceeded $350 million in 2020, a 311% increase from 2019. Recorded Future, another cybersecurity firm, puts the total even higher at $400 million. The FBI estimates that only one out of four ransomware attacks is reported, so the true cost is likely over $1 billion annually. As more companies pay ransoms each year, criminals are motivated to conduct even more attacks.
Highest Individual Ransoms
While the average payment is in the six figures, some ransom demands have reached eight figures. The highest known single ransom was $30 million paid by Garmin in 2020 to recover from the WastedLocker attack. CNA Financial is reported to have paid $40 million following a Phoenix Locker attack in 2021. Even higher ransoms may have been paid by other companies but kept confidential.
Ransomware Targets by Company Size
Cybercriminals cast a wide net with ransomware, impacting organizations of all sizes. According to Coveware, small and medium-sized businesses with less than $50 million in annual revenue accounted for nearly 60% of ransomware attacks. Small businesses are frequent targets because they often lack resources for cybersecurity defenses. However, larger enterprises store more valuable data and can afford larger ransom payments, making them lucrative targets as well.
| Company Size | Share of Attacks |
|---|---|
| Small (<$10M revenue) | 39% |
| Medium ($10M – $50M revenue) | 19% |
| Large (>$50M revenue) | 42% |
Likelihood of Data Recovery
Paying the ransom demand does not guarantee a company will recover its data. Coveware estimates that around 5% of organizations that pay ransoms are not able to recover their data. Reasons include:
- Criminals intentionally holding data hostage for additional payments
- Data being corrupted or deleted by criminals
- Mistakes in the decryption process
For the 95% of cases where decryption is successful, it takes an average of about two weeks for companies to fully restore access to their data after paying the ransom. The downtime can severely disrupt business operations.
Backups – The Best Defense
Having recent backups of data can enable companies to recover without paying ransoms. While backups require an investment of time and money, they pay off by providing an alternative to paying ransoms that fund criminal operations. According to Coveware, organizations with comprehensive backups ended up paying 73% less in ransom payments compared to organizations without backups.
Cost of Backups vs. Ransom Payments
Backups come with operating and storage costs. But these ongoing costs are usually far less than a single ransom payment. Organizations should weigh the cost of maintaining and testing backups against the potential cost of a ransom payment, business disruption, remediation, legal liabilities, and reputational damage.
Factors for Data Backup Costs
- Storage space for backups
- Technician time to configure backups
- Cycles for incremental vs. full backups
- Cloud storage fees for offsite backups
- Testing and auditing backups
Main Backup Approaches
There are various software, hardware and cloud options for implementing a backup strategy appropriate for each company’s needs:
- Cloud backups – Back up data to a managed cloud provider
- Local backups – Use on-premises storage devices like disks and tape drives
- Hybrid backups – Combine local and cloud backup destinations
- Full vs incremental backups – Full backups capture every file, while incremental backups capture only what has changed since the previous backup
- Point-in-time snapshots – Capture state of data at multiple instances
- Continuous data replication – Constantly copy data to secondary location
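The following script is an added example, not code from the article or from any vendor it mentions. It shows two of the approaches above side by side (a full backup followed by an incremental one that copies only changed or new files and records deletions) and then performs the step the cost list calls "testing and auditing backups": restoring the chain into a clean directory and verifying every file's SHA-256 against the manifest, including a case where a restored file has been altered. The source tree, file names and contents are constructed in a temporary directory so it runs offline.

```python
"""Minimal full + incremental backup chain with restore-and-verify.
Constructed example: all paths and sample files are created in a temp dir."""
import hashlib
import json
import os
import shutil
import tempfile
from typing import Dict, List, Optional


def sha256_file(path: str) -> str:
    """Hash a file in chunks so large files do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan(src: str) -> Dict[str, str]:
    """Map every file under src (relative path) to its SHA-256 digest."""
    out: Dict[str, str] = {}
    for root, _, files in os.walk(src):
        for name in files:
            full = os.path.join(root, name)
            out[os.path.relpath(full, src)] = sha256_file(full)
    return out


def backup(src: str, dest: str, previous: Optional[Dict[str, str]] = None) -> dict:
    """Write one backup set to dest. previous=None means a full backup (copy all);
    otherwise copy only files whose hash changed or are new, and record deletions."""
    current = scan(src)
    copied: List[str] = []
    for rel, digest in current.items():
        if previous is None or previous.get(rel) != digest:
            target = os.path.join(dest, "data", rel)
            os.makedirs(os.path.dirname(target), exist_ok=True)
            shutil.copy2(os.path.join(src, rel), target)
            copied.append(rel)
    deleted = [] if previous is None else [r for r in previous if r not in current]
    manifest = {"kind": "full" if previous is None else "incremental",
                "files": current, "copied": sorted(copied), "deleted": sorted(deleted)}
    os.makedirs(dest, exist_ok=True)
    with open(os.path.join(dest, "manifest.json"), "w") as f:
        json.dump(manifest, f)
    return manifest


def restore(chain: List[str], target: str) -> Dict[str, str]:
    """Replay [full, inc1, inc2, ...] into target; return the final expected file map."""
    expected: Dict[str, str] = {}
    for dest in chain:
        with open(os.path.join(dest, "manifest.json")) as f:
            manifest = json.load(f)
        for rel in manifest["copied"]:
            out = os.path.join(target, rel)
            os.makedirs(os.path.dirname(out), exist_ok=True)
            shutil.copy2(os.path.join(dest, "data", rel), out)
        for rel in manifest["deleted"]:
            path = os.path.join(target, rel)
            if os.path.exists(path):
                os.remove(path)
        expected = manifest["files"]
    return expected


def verify(expected: Dict[str, str], target: str) -> List[str]:
    """Restore test: list relative paths that are missing, extra, or hash-mismatched."""
    actual = scan(target)
    return sorted(r for r in set(expected) | set(actual) if expected.get(r) != actual.get(r))


def demo() -> dict:
    """Build a constructed source tree, take full + incremental, restore, verify."""
    work = tempfile.mkdtemp(prefix="bk-")
    src = os.path.join(work, "src")
    os.makedirs(src)
    with open(os.path.join(src, "ledger.csv"), "w") as f:
        f.write("id,amount\n1,100\n")
    with open(os.path.join(src, "notes.txt"), "w") as f:
        f.write("v1\n")
    full = backup(src, os.path.join(work, "full"))
    # Simulate a day of changes: one file edited, one added, one deleted.
    with open(os.path.join(src, "notes.txt"), "w") as f:
        f.write("v2\n")
    with open(os.path.join(src, "new.bin"), "wb") as f:
        f.write(b"\x00\x01")
    os.remove(os.path.join(src, "ledger.csv"))
    inc = backup(src, os.path.join(work, "inc1"), previous=full["files"])
    restored = os.path.join(work, "restore")
    expected = restore([os.path.join(work, "full"), os.path.join(work, "inc1")], restored)
    clean = verify(expected, restored)
    # Damage one restored file to show the verification step catching it.
    with open(os.path.join(restored, "notes.txt"), "w") as f:
        f.write("corrupted\n")
    damaged = verify(expected, restored)
    shutil.rmtree(work)
    return {"full_copied": len(full["copied"]), "inc_copied": inc["copied"],
            "inc_deleted": inc["deleted"], "mismatches": clean, "after_damage": damaged}


if __name__ == "__main__":
    print(demo())
```

The manifest stores the complete file map at every set, so a restore can be checked against the state the last backup observed rather than trusting that the copy succeeded; a backup that has never been restored and hashed this way has not been tested.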
Negotiating with Ransomware Criminals
An organization facing a ransomware attack without backups may find that negotiating with the attackers results in a lower ransom demand. Skilled cybersecurity firms may assist with the negotiations. Key negotiation tactics include:
- Establish a line of communication through a chat or payment portal
- Designate a lead negotiator from the incident response team
- Delay initial response to signal you are assessing options
- Refuse initial demands but maintain dialogue
- Request proof of data decryption capability
- Leverage competition among criminal groups
- Don’t reveal maximum payment ability
- Alert law enforcement to criminal activities
However, paying ransoms should only be an absolute last resort. Even if an agreement is reached, you are funding criminal organizations and encouraging further attacks.
Reporting Ransomware Attacks
If your organization suffers a ransomware attack, promptly report it to law enforcement authorities like the FBI or Secret Service Electronic Crimes Task Force. Reporting attacks can help authorities track ransomware groups, analyze malware, and warn potential future targets. Be prepared to provide:
- Known attack vectors like phishing email methods
- Copies of ransom notes or messages
- Bitcoin wallet addresses used for payment
- Damage/disruption assessment
- Names of suspected ransomware variants
- Any other relevant indicators of compromise
You can also report attacks to cyber threat sharing organizations like the Cybersecurity & Infrastructure Security Agency (CISA) to help inform defenses across industries.
Should Ransomware Payments Be Illegal?
Some policymakers argue that ransomware payments should be made illegal to discourage the criminal business model. However, opponents counter that outlawing payments could force desperate companies out of business if they cannot recover their data. Banning payments may also discourage organizations from reporting attacks. Increased investment in cyber defense and law enforcement may be more effective strategies for decreasing the ransomware threat.
Arguments For Banning Ransom Payments
- Removes incentive for criminals to conduct ransomware campaigns
- Avoids funding for criminal/terrorist endeavors
- Forces businesses to invest more in security
- Encourages companies to maintain backups
- Increases focus on cyber criminal prosecution
Arguments Against Banning Payments
- Companies may go bankrupt if unable to pay
- Discourages ransomware attack reporting
- Criminals still have leverage to extort victims
- Hard to enforce across global payments
- Forces victims into a passive position
Cyber Insurance
Cyber insurance policies offered by some insurance companies may cover ransomware attack damages and payments up to policy limits. Policies can offset costs associated with:
- Incident response
- Data decryption
- Business interruption
- Remediation
- Negotiation
- PR crisis management
However, insurance premiums are rising with the ransomware surge. Insurers may require policyholders to implement security controls like multi-factor authentication and endpoint detection. Some insurers are reducing maximum payouts for cyber policies.
Average Cyber Insurance Ransomware Payout
| Year | Average Payout |
|---|---|
| 2019 | $761,106 |
| 2020 | $1,400,000 |
Source: Coalition Insurance
Examples of Major Ransomware Payments
Some of the largest known ransomware payments include:
- CNA Financial – $40 million, 2021
- Acer – $50 million, 2021
- JBS – $11 million, 2021
- Colonial Pipeline – $4.4 million, 2021
- University of California – $1.14 million, 2020
- Garmin – $10 million, 2020
Colonial Pipeline
Colonial Pipeline paid $4.4 million in Bitcoin to the DarkSide hacking group after a 2021 attack forced a shutdown of a major U.S. fuel pipeline. The FBI was able to recover about $2.3 million of the ransom by accessing the group’s cryptocurrency wallet.
JBS
The world’s largest meat processing company JBS paid an $11 million ransom in 2021 to resume operations after a cyberattack forced plants to shut down. The Russia-linked REvil hacking group claimed responsibility.
Acer
Taiwanese computer maker Acer paid one of the largest known ransoms to date, approximately $50 million, following a REvil attack in March 2021 impacting its operations in multiple countries.
Trends and Future Outlook
As long as ransomware continues to be highly profitable for criminals, attacks are likely to increase in frequency and scale. Cybercriminals are professionalizing and even offering ransomware-as-a-service programs to expand their operations. Some concerning trends include:
- Ransom demands skyrocketing into millions of dollars
- Shift from opportunistic to targeted “big game hunting”
- Increasing automation using artificial intelligence
- Extended extortion tactics
- Ransomware variants constantly evolving
Government policy may aim to discourage ransom payments, but ultimately the private sector drives ransomware economics through security postures and response strategies. Companies can retain leverage by diligently backing up critical data, partnering across industries, and investing in cyber resilience.
Conclusion
Ransomware payments are rising quickly as cybercriminals find lucrative opportunities. While averages may be in the six figures, million-dollar ransoms are increasingly frequent for larger enterprises. Small businesses are also highly vulnerable. Backups provide the best defense, but they require ongoing investment. Negotiations and insurance can help manage ransomware incidents, but companies should avoid viewing payments as routine. Cyber defenders and policymakers are challenged to change ransomware incentives as threats evolve. Ultimately, companies must prepare for the inevitability of an attack and have robust response plans in place.