Ransomware payments are marginal compared to overall costs


Ransom payments made by organizations accounted for about one-seventh of the total cost of a ransomware attack in 2020, according to new research from Check Point Research and Kovrr. The remaining six-sevenths went to expenses such as response and restoration, legal fees and monitoring, which organizations incur whether or not they pay.

Most ransomware attacks are designed to encrypt data on an organization's devices after a successful breach; the attackers use the encrypted data as a bargaining chip, but increasingly also exfiltrate data before encrypting it and threaten to publish it to pressure the organization into paying (so-called double extortion).

Check Point Research found a 24% year-over-year increase in ransomware attacks globally, with 1 in 53 organizations on average experiencing a ransomware attack. Ransomware operations have evolved, and the larger gangs are establishing structures and policies that resemble those of legitimate businesses.

The duration of ransomware attacks has decreased thanks to the professionalization of ransomware gangs and improved response processes on the victim side. At their peak in 2020, ransomware attacks lasted 15 days on average according to Check Point Research. The average fell to 9.9 days in 2021, and the researchers believe that structural changes in ransomware organizations and process improvements in victim organizations both play a role in this.

Tip: Windows users can enable ransomware protection (Controlled Folder Access in Windows Security) on Windows 10 and 11.
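The following PowerShell session is an added example and not part of the article. It turns on the feature behind the "Ransomware protection" switch, Controlled Folder Access in Microsoft Defender Antivirus, first in audit mode so that legitimate software writing to protected folders is logged rather than blocked, and then enforces it. It assumes Defender is the active antivirus and an elevated shell; the folder and application paths are placeholders.

```powershell
# Added example (not from the article): inspect and enable Microsoft Defender's
# Controlled Folder Access, the feature behind "Ransomware protection" in Windows Security.
# Assumes Windows 10/11 with Microsoft Defender Antivirus active; run as Administrator.

# 1. Current state: 0 = Disabled, 1 = Enabled (block), 2 = AuditMode (log only).
$pref = Get-MpPreference
"Controlled Folder Access state: $($pref.EnableControlledFolderAccess)"
"Protected folders: $($pref.ControlledFolderAccessProtectedFolders -join ', ')"
"Allowed applications: $($pref.ControlledFolderAccessAllowedApplications -join ', ')"

# 2. Start in audit mode so that programs which write to protected folders
#    (backup agents, accounting software) show up in the log instead of breaking.
Set-MpPreference -EnableControlledFolderAccess AuditMode

# 3. Protect a folder beyond the defaults (Documents, Pictures, ...). Placeholder path.
Add-MpPreference -ControlledFolderAccessProtectedFolders 'D:\Finance'

# 4. Review what would have been blocked. In the Defender operational log,
#    event ID 1124 = audited write (would be blocked), 1123 = blocked write.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1123, 1124
} -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message |
    Format-List

# 5. Allow a legitimate application that tripped the audit (placeholder path),
#    then switch from audit mode to enforcement.
Add-MpPreference -ControlledFolderAccessAllowedApplications 'C:\Program Files\Example\backup.exe'
Set-MpPreference -EnableControlledFolderAccess Enabled
```

Running in audit mode for a few days before enforcing is the practical difference between a control that stays on and one that gets switched off the first time a backup job fails. Note that Controlled Folder Access only covers the folders in the protected list; file shares and unlisted drives are not protected by it.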

Ransom demands and how they are calculated

Image: ransom note (via Check Point Research)

Ransomware gangs research their victims much like financial analysts research companies before setting the ransom. They look at the organization's annual revenue, its industry and other metrics to arrive at a figure.

Analysis of the activity of the Conti group, a ransomware operation active since at least 2020, revealed an average demand of 2.82% of the victim's annual revenue. Individual demands in the analyzed dataset ranged from 0.71% to 5% of revenue.

The higher an organization's annual revenue, the lower the percentage demanded. Check Point Research notes that in its dataset the lower percentages nonetheless always resulted in larger payouts in absolute terms, because they were applied to much larger revenues.

Ransomware negotiations

Check Point Research has identified five main steps in the ransomware negotiation process:

  1. Find leverage. Ransomware gangs want to close the transaction quickly. They analyze the stolen data for leverage they can use in negotiations with company representatives, looking for the "most sensitive files". Groups can post samples of these files to private leak sites and threaten to make the data public if the organization does not pay.
  2. Discounts for quick payment. Ransomware gangs may offer a discount to organizations that pay within the first two days after the attack hits the organization's infrastructure. The Conti group offered discounts of 20% to 25% of the ransom in these cases.
  3. Negotiations. Some organizations use third-party negotiators to act on their behalf. At this point, organizations can attempt to reduce the demand further or explain why payment is taking longer than expected.
  4. Additional threats and a last chance to reach an agreement. Groups can upload more of the stolen data to private sites at this point to put additional pressure on the organization.
  5. Agreement or data dump. The final stage has one of two outcomes: both parties agree on a ransom, which is then paid, or the data is released to the public because no agreement was reached.

Established ransomware gangs depend on their reputation. Failing to hand over working decryption keys after payment would undermine the credibility of their future negotiations, which is why the larger groups generally honor the deal.

The financial impact of ransomware attacks

Image: average duration of ransomware attacks (via Check Point Research)

Victims of ransomware attacks are often unaware of the full costs involved. The duration of an attack in particular can have a serious impact on an organization's ability to conduct business.

Encrypting key servers, databases or employee workstations can slow operations down or stop them entirely. Toyota had to halt production at some of its facilities in 2022 after one of its parts suppliers was hit by a ransomware attack.

The average and median duration of ransomware attacks decreased in 2021 for the first time since 2017. In 2020, the average and median attack lasted 15 and 12 days respectively; in 2021 the numbers fell to 9.9 and 5 days.

Check Point Research suggests that the 2020 spike was caused by an increase in double extortion attacks in 2020, which “caught organizations off guard and resulted in lengthy negotiations between attackers and victims.” Organizations “established better response plans to mitigate ransomware events” to better respond to double extortion attacks, which resulted in shorter attack durations.

Negotiations can significantly reduce the actual ransom payment. In 2021, the ratio of the average extortion payment to the average extortion demand was 0.486: victims paid less than half of what was demanded on average.

The ratio was highest in 2019, at 0.889, and lowest in 2020, at 0.273. The researchers attribute the decline since 2019 to the adoption of effective ransomware response plans in many organizations, which often include professional payment negotiators.

The researchers suggest that the rise in the ratio between 2020 and 2021 is a direct result of the professionalization of ransomware groups, which "became more efficient in calculating their extortion demands", leaving victims less room to negotiate.

Cost allocation

Image: breakdown of ransomware costs (via Check Point Research)

The financial impact of a ransomware attack has several components: the ransom that is paid, plus "response and recovery costs, court costs, monitoring and incidental costs". The majority of these costs apply whether or not the organization pays the ransom.

Organizations may also lose revenue during and after the attack, as core systems and processes may not be accessible. The ratio of total attack cost to extortion payment increased from 3.463 in 2019 to 7.083 in 2020. In other words, the ransom payment accounted for roughly 14% of all expenses associated with a ransomware attack in 2020 on average, about one-seventh, down from nearly 29% in 2019; the costs beyond the ransom itself roughly doubled relative to the payment.

The researchers did not include 2021 cost data, as it was not yet complete. They explain that there is a delay between when ransomware attacks occur and when they are reported, and that the full cost of an attack takes time to establish, as factors such as long-term reputational damage or legal fees only become clear later.

Now you: Have you experienced ransomware attacks on your devices or in your organization?


Martin Brinkman


Ghacks Technology News