Ransomware payments: Here's how much falling victim will now cost you

The average ransom demand is growing as cyber criminals become bolder - and many victims are paying up.
Written by Danny Palmer, Senior Writer

The average ransom demand made following a ransomware attack has risen to $2.2 million as cyber criminals are becoming bolder and have a bigger impact on the businesses they're targeting. 

The amount ransomware attackers are demanding has more than doubled since 2020, when the average ransom demand for a decryption key stood at $900,000.

The figures comes from cybersecurity researchers at Palo Alto Networks, who analyzed ransomware incident response cases they were involved in during 2021. 

SEE: What is ransomware? Everything you need to know about one of the biggest menaces on the web

While the final ransom payments are often much less than the initial ransom demands, they've also risen significantly in recent years. During 2020, the average ransom paid was just over $300,000, which rose to $541,000 in 2021.  

Analysis of incidents suggests that for those businesses that paid a ransom when the attackers initially demanded over $3 million, the average amount paid was 43% of the ransom demand – but some cyber criminals managed to blackmail victims into paying almost the full amount they first asked for. 

For example, researchers cite an incident by the BlackCat ransomware gang that saw cyber criminals demand a payment of $9 million for a decryption key and walking away with $8.5 million. 

Sometimes ransomware attackers get much less than they demand; in one case, cyber criminals behind a Suncrypt ransomware attack made a ransom demand of $12 million, only to get paid just $200,000 –1.67% of their ransom demand. 

The overall trend of the rise in ransom demands and rise in ransom payments shows that ransomware is working, as cyber criminals can make millions of dollars from a single victim who gives into the extortion demands.  

Despite warnings not to pay because it only encourages further ransomware attacks, the Unit 42 report suggests that 58% of organisations hit by a ransomware attack opt to pay the ransom. But even if the ransom is paid, that isn't necessarily the end of their troubles – researchers say 14% of organisations paid cyber criminals more than once.  

The network being down because of encrypted files and servers is disruptive enough, but one of the reasons so many victims are giving into ransom demands is because of the rise of double extortion attacks

In order to carry out a ransomware attack, hackers enter the network, providing them with access to sensitive files and data. Many cyber criminals use this as extra leverage, copying the data before it's encrypted and threatening to publish it if the ransom isn't paid – and in many cases, it's working. 

SEE: Cybersecurity: Let's get tactical (ZDNet special report)   

"Cyber criminals are doubling down by finding additional ways to extort victims in conjunction with ransomware," said Ryan Olson VP of threat intelligence at Unit 42 for Palo Alto Networks. 

"In 2021, ransomware gangs took these tactics to a new level, popularizing multi-extortion techniques designed to heighten the cost and immediacy of the threat," he added. 

But this tactic hasn't just involved threats to publish stolen data – in some cases, cyber criminals are adding other extortion tactics, including the threat of DDoS attacks or even harassing employees of the victim organisation over the phone

Ransomware continues to be one of the most significant cybersecurity threats facing businesses and the wider world today, but there are ways in which businesses can help protect themselves from falling victim to attacks. 

Many ransomware attacks begin with hackers exploiting unpatched cybersecurity vulnerabilities or remote desktop protocol logins.  

Information security teams should, therefore, ensure that security patches for known vulnerabilities are applied as quickly as possible and that login credentials are protected with multi-factor authentication to help defend against attacks. Any passwords that are suspected of being leaked or stolen should be changed. 

It's also vital for IT departments to understand and monitor the network, as this can help them identify potentially malicious behaviour before cyber criminals trigger a full-blown ransomware attack. 


Editorial standards