As the White House floats the possibility of a ban on ransom payments, the number of organizations hit by ransomware that ultimately pay a ransom remains high.
Nearly half, 46%, of organizations hit by ransomware during the past year paid a ransom to recover data, according to research Sophos released Wednesday.
Averages and figures attributed to ransomware payments vary between research firms and studies.
Sophos’ survey of 3,000 IT and cybersecurity leaders across 14 countries pinned the median ransom payment at $400,000 during the past year.
Palo Alto Networks’ Unit 42 observed a median ransom payment of $350,000 in a ransomware report it released in March. A study BakerHostetler released earlier this month pinned the average ransom payment at $600,000, a 15% increase from the previous year.
Despite data discrepancies, the persistent scale of ransomware activity and money ultimately landing in the hands of criminals is a resounding negative in the fight against ransomware. It might be fueling cyber authorities to consider other means to counter financially motivated threat actors.
Between 2020 and 2022 there were 6,516 ransomware attacks around the world, Anne Neuberger, deputy national security advisor for cyber and emerging technologies, said Friday during a presentation at the Institute for Security and Technology’s Ransomware Task Force event.
That’s just the attacks the government knows about.
An in-depth peer review released last week on the Conti ransomware group’s operations underscores the extent to which many ransom payments go unreported.
Researchers, including Jack Cable, senior technical advisor at the Cybersecurity and Infrastructure Security Agency, traced more than $80 million in ransom payments to Conti and its predecessor – a five-fold increase from previously known figures.
Sophos’ survey found organizations with the largest revenue were most likely to pay the highest ransoms with median ransom payments of $1 million for organizations reporting at least $1 billion in annual revenue. That number rises to $3 million for organizations with more than $5 billion in annual revenue.
The proportion of organizations paying seven-figure ransoms jumped from 11% in 2022 to 40% in 2023, according to Sophos.
The survey also found that cybersecurity insurance plays a direct role in the likelihood of an organization making a ransom payment. Nearly 3 in 5 organizations with a standalone cyber insurance policy paid the ransom, compared to the 15% of uninsured organizations that paid the ransom.
The revived debate over the viability of a ransomware payment ban comes down to the cost and pain ransomware is causing organizations globally.
Unit 42 researchers have observed ransom payments as low as $3,000 and as high as $7 million.
“I’m not necessarily in favor of a ransom ban because I don’t think it’ll work,” said Chester Wisniewski, field CTO for applied research at Sophos.
The collateral damage would be enormous, and it would require support and buy-in from every country, which is unlikely, Wisniewski said. “If it was done perfectly, it would put an end to ransomware, but I don’t think that’s practical.”