Report: Ransomware payouts and recovery costs went way up in 2023

For every ransomware attack that makes the headline news, there’s likely hundreds more that never see the light of day. 

Whether that’s because the victims agree to pay ransoms or use alternative measures to restore their systems and data, ransomware attacks are often resolved quietly and confidentially — depriving researchers of data that shows which companies are most vulnerable, which companies are most likely to pay, and how much it costs them to recover from an attack.  

But thanks to new data collected and released by cybersecurity vendor Sophos, we now have answers to these long-standing questions. 

Between January and March 2023, Sophos commissioned an independent survey of 3,000 IT/cybersecurity leaders employed by organizations operating across 14 countries. Respondents were asked to comment on how ransomware had impacted their organizations within the last year — in cost, business operations, personnel, and IT downtime — and to share what (if any) recovery measures were taken to get encrypted data back online.

Here’s what the study found. 

Key Takeaways

Takeaway #1: Ransomware actors know they can net the biggest payday by targeting companies with the largest purses. 

Like sharks drawn to blood in water, bad guys are more likely to hit victims that pull in the most annual revenue. Whereas 56% of organizations with revenue between $10-50 million were hit by a ransomware attack, that number increased to 72% among companies making $5 billion or more per year. The scheme is paying off, as it turns out. According to the Sophos report, the more revenue that a company accrued, the more likely it was to recover data by paying its attackers a ransom. The bigger fish, as we call them, were also most likely to pay the highest ransoms since they could afford to do so. What this tells us is that adversaries are deliberately adjusting the amount they will set for a ransom based on their victim’s ability to pay.

Source: The State of Ransomware 2023 (Sophos)

Takeaway #2: Headcount doesn’t appear to play a major factor in how the black hats choose their victims. 

Unlike with annual revenue, ransomware attack rates are not necessarily tied to the total number of employees in a given organization. Companies employing between 250 and 500 employees, for example, are just as likely to suffer a ransomware attack as companies with 3,000 to 5,000 employees. While companies with greater revenue also have the financial means to employ more workers, it’s worth noting that total revenue – not employee headcount – is a far stronger indicator of where a ransomware attack might land. 

Takeaway #3: Ransomware attack rates remained steady, while ransomware payments went way up.   

In a repeat of 2022, 66% of respondents in Sophos’s 2023 survey claimed their organization had been hit by a ransomware attack. While that number remained steady, the average payout increased dramatically, year to year – from $812,380 in 2022 to $1,542,333 in 2023. The proportion of organizations paying higher ransoms also increased since 2022, with 40% reporting payments of $1 million or more compared to just 11% last year. Conversely, just 34% paid less than $100,000, down from 54% last year. Translation: the bad guys aren’t necessarily busier, but they’re quite a bit greedier — willing to push their victims’ limits (and wallets) to their breaking points. 

Takeaway #4: The cost of a ransomware attack goes far beyond just the ransom payout

Ransom payments have gone up, but ransomware damage goes much deeper than having to pay a ransom. Ransomware attacks can shut down access to critical systems and data, preventing businesses from operating and serving their customers. The publicity of an attack can hurt a company’s reputation, scaring investors and tanking deals that are in the works. And even though companies might be forced to pause production lines until systems are recovered, the costs of running a business don’t stop – like paying employees, utilities, and contracted services. According to the Sophos data, it cost companies on average $1.82 million to recover from a ransomware attack in 2023 — and that doesn’t even include paying a ransom. For companies with annual revenue of less than $10 million, the average cost of recovery was $165,520. For companies with annual revenue greater than $5 billion, the average cost of recovery approached $5 million. On top of all this, 84% of private sector organizations hit by ransomware said the attack had caused them to lose revenue as a result of lost business opportunities. 

Takeaway #5: Backups are super effective and more commonly practiced by lower-revenue organizations

Companies that practiced backing up data proved to be much more resilient in responding to and recovering from ransomware attacks than companies that shunned backups. On average, companies that used backups saved $1 million in recovery fees versus their non-backup peers. Consider also that companies who paid the ransom still spent an average of $750,000 in recovery costs, twice the amount of what companies who used backups ($375,000) ended up paying. The data also tell us that organizations with smaller purses are more likely to use backups to restore data (80%) compared to other companies in the highest revenue bracket (63%). One possible explanation for this is that larger revenue organizations typically have complex IT infrastructures which could make it harder for them to use backups to recover data in a timely fashion. That being said, they are also the businesses most able to buy their way out of such situations, whereas companies with less revenue ($5 million or below) don’t have that same luxury — making backups the sensible and far more affordable alternative. And the icing on the cake? 45% of those that used backups recovered within a week, compared with 39% of those that paid the ransom.

Source: The State of Ransomware 2023 (Sophos)
Daniel Thomas

Daniel Thomas is a technology writer, researcher, and content producer for CyberRisk Alliance. He has over a decade of experience writing on the most critical topics of interest for the cybersecurity community, including cloud computing, artificial intelligence and machine learning, data analytics, threat hunting, automation, IAM, and digital security policies. He previously served as a senior editor for Defense News, and as the director of research for GovExec News in Washington, D.C.. 

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.