The more visible and sophisticated attackers were demanding US$1m or more, while returning less data than in previous years

In a Jan–Feb 2022 survey of 5,600 IT professionals in mid-sized organizations across 31 countries, respondents from the media, leisure, and entertainment industry reported the highest rate of ransomware attacks in 2021, followed by those in the retail sector (comprising 422 respondents).

In 2021, the average ransom payment was US$226,044, a 53% increase compared to that of a similar study in 2020 (US$147,811). However, this was less than one-third the cross-sector average (US$812K).

Globally, the cross-sector average attack rate was 66%, with respondents in retail indicating an above-average 77%.

Additional findings

    • Some low-skill ransomware groups demanded US$50,000–$200,000 in ransom payments, whereas the larger, more sophisticated attackers demanded US$1 million or more
    • With Initial Access Brokers and Ransomware-as-a-Service operations readily available in the Dark Web, bottom-rung cybercriminals could buy network access and a ransomware kit to launch an attack without much effort. Individual retail stores and small chains were more likely to be targeted by these smaller opportunistic attackers
    • It is likely that different threat groups are hitting different industries
    • 92% of retail organizations hit by ransomware indicated that the attack had impacted their ability to operate; 89% indicated the attack had caused their organization to lose business/revenue
    • In 2021, the overall cost to retail organizations in the survey to remediate a ransomware attack was US$1.27m, down from $1.97M in a 2020 survey
    • When compared to 2020, the amount of data recovered after paying the ransom had decreased (from 67% to 62%), as had the percentage of retail organizations that got all their data back (from 9% to 5%)
    • 28% of retail organizations surveyed were able to stop their data from being encrypted

According to Chester Wisniewski, Principal Research Scientist, Sophos, which commissioned the survey: “The organizations that are successfully defending against these attacks are not just using layered defenses, they are augmenting security with humans trained to monitor for breaches and actively hunting down threats that bypass the perimeter before they can detonate into even bigger problems.”