Ransomware, that dirty corporate word. Why do we focus so much on it and why do we spend so much money to avoid it? Lets start with the big numbers and then talk about the small organizations.
In 2023 an unknown company paid out $75 million USD to the Dark Angels Ransomware group, and it is just now causing headlines. Discovered last month, this payout is the largest ever public ransomware payment, eclipsing the previous largest ransom of $40 million paid by an insurance company in 2021.
The positive is that although these figures make the news, they are far from normal numbers. According to Sophos the average payment in 2023 was just $400,000 USD.
But that number looks to be going up – in 2024 so far the average payment has been $2 million USD.
Here in Canada the average is thankfully much lower, at $1.13 million CAD, according to Shing Digital partner Palo Alto Networks, although when you figure in the entire cost of recovery the average increases to $5.13 million CAD.
But this raises the question of how much a small or medium business is likely to pay. As majority of small businesses do not report their incidents, nor make the news, it is difficult to put a hard number to the ransomware average in Canada. Based on multiple consultants we were able to identify that small businesses pay between $30,000 to $650,000 on average. That is quite the spread, which makes it difficult to talk about the real “average”. However, here are more statistics which may be helpful:
46% of all cyber breaches impact businesses with fewer than 1,000 employees.
At 18%, malware is the most common type of cyberattack aimed at small businesses.
37% of companies hit by ransomware had fewer than 100 employees.
Small businesses receive the highest rate of targeted malicious emails at one in 323.
Employees of small businesses experience 350% more social engineering attacks than those at larger enterprises.
87% of small businesses have customer data that could be compromised in an attack.
What we do know for sure is that paying the ransom is just the beginning. Criminals, by their nature are not trustworthy, and there is no guarantee that if you pay the money that they’ll unlock your data, or delete any data they stole.
According to Veeam, 33% of organizations which paid their ransom were still unable to recover their data.
Even after the data is recovered there is still a need to remediate the situation that allowed the attackers to get in.
It is also important to ensure the attacker didn’t leave a backdoor for themselves to re-enter the environment. According to some estimates, 78% of ransomware victims suffer repeat attacks.
Remediation is costly, and often requires significant downtime to core company systems. This leads to a situation in which the recovery costs can eclipse the cost of any actual ransom payout, with some estimates putting the cost of recovery at 10 times that of the ransom.
Depending on the industry reputational damage can also come along with the fallout from a ransomware attack, as can fines and sanctions for breaking regulatory requirements or allowing data to be leaked.
Additionally, it is estimated that in 94% of all ransomware cases in 2023 there was an attempt to compromise the company’s backups. Worse, in 57% of these cases, the attackers were successful!
So what can you do to protect yourself?
In addition to having a robust and secure environment kept up to date with the appropriate patches, keeping recent offsite backups which are not connected to any other systems will give you a baseline to which you can securely restore.
Cyber Insurance is also important, however it is not protection, rather it is a mitigation method.
Although insurance companies contributed in an estimated 83% of all cases, they only paid out 23% of total ransoms. This leaves a significant portion of the liability on the victim company itself, and doesn’t cover costs such as downtime, or other costs required to recovery.
Ultimately ransomware is a fact of life for businesses, and while there are no guarantees, the best way for any business to protect itself is to prepare itself and be ready.
Not sure where you stack up within the Cybersecurity risk level? Check out the following Cybersecurity Maturity Pyramid to identify where you are at and what you may still need to consider.
Author: Adam Macpherson
CS Controls Analyst