According to research released this week, more companies are seeing ransomware attacks, and more have had their data encrypted. And although more companies are backing up data or paying ransom demands, they recovered less of their data in 2021 than in the previous year.
For instance, in its "State of Ransomware 2022" report, cybersecurity firm Sophos found that 66% of surveyed companies had encountered ransomware in 2021, with roughly two-thirds of those firms — or 43% overall — suffering an attack that actually encrypted data. In its previous report, covering 2020, the rate of successful attacks was much lower, with about 20% of companies overall seeing data encrypted.
The deteriorating cyberthreat landscape is largely due to the evolution of ransomware groups and their techniques, says Sean Gallagher, senior threat researcher with Sophos.
"Over the past couple of years, there has been a massive transition from ransomware to ransomware-as-a-service," he says. "There are very well-established [groups] that are doing these attacks, and as a result, the number of attacks companies are seeing has gone up."
Ransomware continues to plague companies with business-disrupting attacks and to defy efforts by cybersecurity experts to rein in the operators behind the criminal campaigns. Not only did the share of companies whose data was actually encrypted more than double last year, but the mean ransom payment more than quadrupled to $812,000, according to the Sophos report.
Companies in the energy and manufacturing sectors each saw average ransoms of more than $2 million.
The research team at Check Point Software Technologies saw an increase in ransomware attacks as well, noting that attempted attacks climbed 24% in 2021 compared with 2020. In an analysis of chat logs leaked from the Conti ransomware group, Check Point Research noted that the operators discussed in some detail how to set ransom amounts; the researchers also stressed that the ransom itself is often not the most significant cost to the victim.
"[T]he extortion cost is marginal compared to other losses suffered by the victim," the researchers stated. "Most other losses, including response and restoration costs, legal fees, monitoring costs, etc., are applied whether the extortion demand was paid or not."
In 2021, the mean ransom paid to cybercriminals rose to $812,000, from $170,000 in 2020, but that still fell far short of the average $1.4 million bill for remediating an attack, according to Sophos. Recovery also took time, with the average company needing about a month to recover from a ransomware attack, according to the report.
Don't Expect Your Data Back
In addition, while ransom demands have risen dramatically, an increase other surveys have also hinted at, paying them does not guarantee full data recovery. In fact, Sophos' data-recovery statistics show that paying the ransom has a terrible return on investment.
While 99% of companies recovered some of their data, they could only recover 61% of encrypted data on average, according to Sophos. And while 46% of companies paid a ransom, only 4% of those that did got all their data back, down from 8% in 2020. Such statistics have caused some cybersecurity experts to question whether companies should ever pay the ransom.
While healthcare organizations and state and local governments were among the top ransomware targets before and during the pandemic, they also yielded ransomware groups some of the lowest payouts. The average infected healthcare organization paid $197,000, while the average compromised state or local government agency paid a ransom of $214,000, the Sophos survey found.
Cyber Insurance Doesn't Solve Ransomware, but It Helps
Cyber insurance has changed along with the ransomware landscape. By 2021, insurers were already feeling the cost of cyber policies as policyholders sought to recover ransomware losses. The vast majority of companies (94%) found it harder in the past year to qualify for cyber insurance, while almost all (97%) had to make changes to their defenses to improve their chances of obtaining coverage, according to Sophos' survey.
While 98% of companies affected by ransomware received a payout under their cyber-insurance policies, only 77% collected for clean-up costs, and only 40% of the policies paid the ransoms, the survey found.
"It's interesting to note that the sectors with the lowest rate of ransom payment are also the ones able to recover fastest from an incident, emphasizing the importance of disaster-recovery planning and preparation," the report stated. "It's worth remembering that while cyber insurance will help get you back to your previous state, it doesn't cover 'betterment' — when you need to invest in better technologies and services to address weaknesses that led to the attack."