That does not mean corporations should just pay up rather than save on the costs of response, restoration and legal protection.
In an analysis of two data sets—a cyber incidents database (Kovrr’s) and information on Conti group data leaks—one cybersecurity firm has concluded that in the ransomware economy, the collateral cost of ransomware for victims was 7 times more than the amounts of ransoms paid.
Collateral costs consist of response and restoration costs, legal fees and monitoring costs.
The data used in the study showed other trends:
- The amount of ransom demanded depended on the annual revenue of the corporate victim and ranged between 0.7% and 5% of annual revenue.
- The duration of ransomware attacks had declined significantly in 2021, from 15 days to nine days.
- Ransomware groups in the data had clear ground rules for successful negotiation with victims, influencing the negotiation process and dynamics:
  - Accurate estimation of the victim’s financial posture
  - Quality of exfiltrated data from the victim
  - The reputation of the ransomware group
  - Existence of cyber-insurance
  - The approach and the interests of victims’ negotiators
Global ransomware trends
Globally, the weekly average of impacted organizations was 1 out of 53—a 24% increase YoY (1 out of 66 organizations in Q1 2021). Similarly:
| Region | Weekly average of number of impacted organizations | Delta (vs Q1 2021) |
| --- | --- | --- |
| EMEA | 1 out of every 45 | 37% increase YoY (1 out of 62 organizations) |
| APAC | 1 out of every 44 | 37% increase YoY (1 out of 62 organizations) |
| Africa | 1 out of every 44 | 23% increase YoY (1 out of 54 organizations) |
| ANZ | 1 out of every 88 | 81% increase YoY (1 out of 160 organizations) |
| Asia | 1 out of every 24 | 54% increase YoY (1 out of 37 organizations) |
| Europe | 1 out of every 68 | 16% increase YoY (1 out of 80 organizations) |
| N. America | 1 out of every 120 | 0% increase YoY |
| Latin America | 1 out of every 52 | 25% increase YoY (1 out of 64 organizations) |
| South-east Asia | | |
| Indonesia | 1 out of every 16 | -18% between Q1 2022 vs Q1 2002 |
| Malaysia | 1 out of every 74 | 134% between Q1 2022 vs Q1 2002 |
| the Philippines | 1 out of every 75 | 44% between Q1 2022 vs Q1 2002 |
| Singapore | 1 out of every 48 | 63% between Q1 2022 vs Q1 2002 |
| Thailand | 1 out of every 43 | 29% between Q1 2022 vs Q1 2002 |
| Vietnam | 1 out of every 27 | 39% between Q1 2022 vs Q1 2002 |
According to Sergey Shykevich, Threat Intelligence Group Manager, Check Point Software, which performed the analysis: “The key learning (point) is that the paid ransom, which is the number most researches deal with, is not a key number in the ransomware ecosystem. Both cybercriminals and victims have many other financial aspects and considerations around the attack. It’s remarkable just how systematic these cybercriminals are in defining the ransom number and in the negotiation. Nothing is casual and everything is defined and planned according to factors described.”
Therefore, by having a well-defined response plan to ransomware attacks, organizations can avert higher revenue losses in the longer term, implied Shykevich.