The number of organizations that experienced ransomware attacks over the past year has remained the same, but the average cost of data recovery has increased -- whether through ransom payments or restoring lost data.
About 66% said they were hit by ransomware attacks last year, the same figure as the previous year, according to Sophos' annual State of Ransomware report. Conducted from January to March this year, the survey polled 3,000 IT and cybersecurity leads across 14 markets, including Australia, India, Japan, Germany, and the US.
While the proportion of respondents reporting ransomware attacks has held steady over the past two years, it should be noted that the sample base was larger, at 5,600, for the previous 2022 report.
Among those who said they were hit by such attacks, Singapore saw the highest proportion at 84%, followed by South Africa at 78%, and Spain and Switzerland at 75% each. The UK reported the lowest rate of attack at 44%.
In the US, 68% said they were hit by ransomware attacks, as did 70% in Australia, 73% in India, and 58% in Japan. Again, it should be noted that Singapore and Switzerland were among the markets with a smaller sample size of 100 each, compared to 500 respondents in the US, 300 each in India and Japan, and 200 in Australia.
The education sector was the most likely to report a ransomware attack, at 79.5%, while the IT, tech, and telecoms sector was least hit by such attacks, at 50%.
Exploited vulnerabilities were the most common root cause, accounting for 36% of ransomware attacks, followed by compromised credentials at 29%, according to the Sophos report.
Among such attacks, 76% saw hackers succeeding in encrypting data. Just 21% of respondents were able to stop the attack before data was encrypted, while 3% said their data was not encrypted but that they were held for ransom.
Sophos' field CTO Chester Wisniewski noted: "Rates of encryption are very high, which is certainly concerning. Ransomware crews have been refining their methodologies of attack and accelerating their attacks to reduce the time for defenders to disrupt their schemes."
Data was also stolen in 30% of attacks in which it was encrypted, according to the report. Describing this as a "double dip" approach, Sophos said hackers were increasingly looking to monetize their attacks by threatening to make the stolen data public to extort payments, as well as by selling the information.
Across the board, the average ransom amount paid out almost doubled this year, reaching $1.54 million, compared to $812,380 in the 2022 study. In addition, 40% paid more than $1 million, up from just 11% last year, with 13% making ransom payments of at least $5 million this year.
Affected organizations with deeper pockets also made higher payments. Companies with revenue between $1 billion and $5 billion reported a mean ransom payment of $2.05 million. For companies with revenue above $5 billion, the mean ransom payment was $2.46 million.
Almost all organizations that paid a ransom were able to retrieve their data; the exceptions were 5% in the UK and 3% in France that failed to do so after making the payment.
Ransom payments aside, respondents reported a mean recovery cost of $1.82 million, up from $1.4 million in 2022. Such costs were estimated based on several factors, including downtime, lost productivity, device cost, and network cost.
Of the 97% that were able to recover their encrypted data, 70% did so with backups and 46% through paying the ransom. About one in five used multiple methods to restore their data.
Comparing mean recovery costs, Sophos noted that companies spent $1.62 million to restore their data from backups, against the mean ransom amount of $2.6 million paid by companies that recovered their data by paying.
"Whichever way you look at the data, it is considerably cheaper to use backups to recover from a ransomware attack than to pay the ransom," the security vendor said. "If further evidence were needed of the financial benefit of investing in a strong backup strategy, this is it."
According to the report, 45% of organizations that used backups to recover their data from ransomware attacks did so within a week, compared to 39% of those that paid the ransom. A further 32% of those that paid a ransom took more than a month to recover their data, compared to 23% of those that used their backups. The figures, however, did not exclude respondents that might have both paid a ransom and used their data backups.
Wisniewski noted: "Incident costs rise significantly when ransoms are paid. Most victims will not be able to recover all their files by simply buying the encryption keys; they must rebuild and recover from backups as well. Paying ransoms not only enriches criminals, but it also slows incident response and adds cost to an already devastatingly expensive situation."