That does not mean corporations should just pay up rather than save on the costs of response, restoration and legal protection.

In an analysis of two data sets—a cyber incidents database (Kovrr’s) and information on Conti group data leaks—one cybersecurity firm has concluded that in the ransomware economy, the collateral cost of ransomware for victims was 7 times more than the amounts of ransoms paid.

Collateral costs consist of response and restoration costs, legal fees, and monitoring costs.

The data used in the study showed other trends:

  • The amount of ransom demanded depended on the annual revenue of the corporate victim and ranged between 0.7% and 5% of annual revenue.
  • The duration of ransomware attacks had declined significantly in 2021, from 15 days to nine days.
  • Ransomware groups in the data had clear ground rules for successful negotiation with victims, influencing the negotiation process and dynamics:
    • Accurate estimation of the victim’s financial posture
    • Quality of exfiltrated data from the victim
    • The reputation of the ransomware group
    • Existence of cyber-insurance
    • The approach and the interests of victims’ negotiators

Global ransomware trends

Globally, the weekly average of impacted organizations was 1 out of 53—a 24% increase YoY (1 out of 66 organizations in Q1 2021). Similarly:

| Region | Weekly average of number of impacted organizations | Delta (vs Q1 2021) |
|---|---|---|
| EMEA | 1 out of every 45 | 37% increase YoY (1 out of 62 organizations) |
| APAC | 1 out of every 44 | 37% increase YoY (1 out of 62 organizations) |
| Africa | 1 out of every 44 | 23% increase YoY (1 out of 54 organizations) |
| ANZ | 1 out of every 88 | 81% increase YoY (1 out of 160 organizations) |
| Asia | 1 out of every 24 | 54% increase YoY (1 out of 37 organizations) |
| Europe | 1 out of every 68 | 16% increase YoY (1 out of 80 organizations) |
| N. America | 1 out of every 120 | 0% increase YoY |
| Latin America | 1 out of every 52 | 25% increase YoY (1 out of 64 organizations) |
| South-east Asia | | |
| Indonesia | 1 out of every 16 | -18% between Q1 2022 vs Q1 2002 |
| Malaysia | 1 out of every 74 | 134% between Q1 2022 vs Q1 2002 |
| the Philippines | 1 out of every 75 | 44% between Q1 2022 vs Q1 2002 |
| Singapore | 1 out of every 48 | 63% between Q1 2022 vs Q1 2002 |
| Thailand | 1 out of every 43 | 29% between Q1 2022 vs Q1 2002 |
| Vietnam | 1 out of every 27 | 39% between Q1 2022 vs Q1 2002 |

According to Sergey Shykevich, Threat Intelligence Group Manager, Check Point Software, which performed the analysis: “The key learning (point) is that the paid ransom, which is the number most researches deal with, is not a key number in the ransomware ecosystem. Both cybercriminals and victims have many other financial aspects and considerations around the attack. It’s remarkable just how systematic these cybercriminals are in defining the ransom number and in the negotiation. Nothing is casual and everything is defined and planned according to factors described.”

Therefore, by having a well-defined response plan to ransomware attacks, organizations can avert higher revenue losses in the longer term, implied Shykevich.