Whichever way you look at the data, it is considerably cheaper to use backups to recover from a ransomware attack than to pay the ransom. The median recovery cost for those that use backups is half the cost incurred by those that paid the ransom, according to a recent study. Similarly, the mean recovery cost is almost $1 million lower for those that used backups. Despite this fact, the use of backups is actually falling.

This was one of the most prominent findings in the recent Sophos State of Ransomware survey. Let’s take a closer look at the report’s conclusions.

The state of ransomware

Sophos recently published an independent, vendor-agnostic report about the impact of ransomware worldwide. The survey included 3,000 IT and cybersecurity leaders in organizations with between 100 and 5,000 employees across 14 countries in the Americas, EMEA and Asia Pacific. The study was conducted between January and March 2023, and the participants responded based on their experiences over the past year.

According to the report, the rate of attacks stayed constant, with 66% of respondents reporting that they were hit by ransomware during the last year. In 2022, respondents reported the exact same percentage. While this might be a good sign, it’s notable that in 2021 the rate was only 37%.

Does size matter?

The Sophos study revealed a distinct correlation between annual revenue and the chances of being a victim of ransomware. For companies with revenue of $10 to $50 million, 56% experienced a ransomware attack in the last year. Meanwhile, 72% of those with revenue of $5 billion or more were victims of ransomware.

Surprisingly, there was no strong relationship between ransomware attacks and company headcount. The rate of ransomware attacks was consistent, with 62-63% of companies of all sizes experiencing ransomware incidents. The only exception was that companies with 1,001 to 3,000 employees had a 73% rate. One might think that larger workforces would lead to more attacks as the attack surface is larger, but this study did not find that to be the case.

Root causes of ransomware attacks

What are the most common causes of ransomware attacks? Exploited vulnerabilities came in at the number one spot. Here’s a breakdown of the most common causes of ransomware found in the Sophos report:

  • Exploited vulnerability: 36%
  • Compromised credentials: 29%
  • Malicious email: 18%
  • Phishing: 13%
  • Brute force attack: 3%
  • Download: 1%.

The media, leisure and entertainment sector saw the highest percentage of attacks due to exploited vulnerability (55%), revealing widespread security gaps in this area. Meanwhile, central and federal government organizations had the highest percentage of attacks attributed to compromised credentials (41%). IT, technology and telecoms reported the lowest attack rates for both exploited vulnerabilities (22%) and compromised credentials (22%).

While tech brands may have a more robust cyber defense, they also reported the highest rates of email-based attacks. For technology companies, over half of the attacks (51%) came from users’ inboxes.

Read the ransomware guide

Rate of data encryption and data theft

Apparently, adversaries are getting better at encrypting data, as per the Sophos survey. Over the last year, 76% of those who faced an attack had their data encrypted by ransomware. This is an 11% increase compared to the previous year. According to Sophos, “This likely reflects the ever-increasing skill level of adversaries who continue to innovate and refine their approaches.”

The rate of data encryption is high across all industries except one. The highest frequency of data encryption (92%) was reported by business and professional services. But in IT, technology and telecoms, adversaries achieved data encryption in only 47% of attacks.

In nearly a third (30%) of attacks where data was encrypted, data was also stolen. This approach enables attackers to increase their chances of cashing in on their efforts. The secondary threat of making stolen data public, called double extortion, is leveraged by the threat of selling data on dark web marketplaces.

Data recovery

According to Sophos’ data, the majority (97%) of organizations that had data encrypted recovered their data. Backups were the most common approach, used in 70% of recovery efforts. However, nearly half of those surveyed (46%) paid a ransom to get their data back. Overall, 21% of ransomware victims used multiple methods to restore their data. And only 1% of organizations paid the ransom and didn’t get data back.

Despite the proven benefit, the use of data backups has dropped in the last year from 73% to 70%. Meanwhile, ransom payment rates have remained steady.

The impact of cyber insurance

The Sophos study also revealed important aspects of cyber insurance beyond the financial aspect. Insured organizations were considerably more likely to recover encrypted data than those without such policies. Essentially, any type of cyber coverage helped. Those with standalone policies (98%) and those with wider insurance coverage (97%) got their data back. Meanwhile, only 84% of those without a cyber policy were able to get encrypted data back.

What explains this difference? As per Sophos, cyber insurers typically require policyholders to have backups and recovery plans as conditions of coverage. Also, insurance companies will guide ransomware victims after an attack to improve outcomes. Lastly, organizations with cyber insurance are more likely to pay a ransom to recover data than those without a policy.

Ransomware recovery costs and business impact

Excluding ransoms paid, organizations reported an estimated mean cost to recover from ransomware attacks of $1.82 million. This total increased from $1.4 million in 2022.

One of the most striking findings in the study was how backups impacted recovery costs. It is significantly cheaper to use backups to recover from an attack than to pay the ransom. The median recovery cost for those that used backups ($375,000) is half the cost incurred by those that paid the ransom ($750,000), as per Sophos. Furthermore, the mean recovery cost is almost $1 million less for those that used backups.

Keep your backups

The Sophos report confirms that ransomware continues to plague nearly every industry in a significant way, and cybersecurity professionals have plenty of work to do. The report’s findings should strongly encourage organizations to use data backups as part of their overall anti-ransomware strategy — or risk the consequences.

More from Data Protection

Overheard at RSA Conference 2024: Top trends cybersecurity experts are talking about

4 min read - At a brunch roundtable, one of the many informal events held during the RSA Conference 2024 (RSAC), the conversation turned to the most popular trends and themes at this year’s events. There was no disagreement in what people presenting sessions or companies on the Expo show floor were talking about: RSAC 2024 is all about artificial intelligence (or as one CISO said, “It’s not RSAC; it’s RSAI”). The chatter around AI shouldn’t have been a surprise to anyone who attended…

3 Strategies to overcome data security challenges in 2024

3 min read - There are over 17 billion internet-connected devices in the world — and experts expect that number will surge to almost 30 billion by 2030.This rapidly growing digital ecosystem makes it increasingly challenging to protect people’s privacy. Attackers only need to be right once to seize databases of personally identifiable information (PII), including payment card information, addresses, phone numbers and Social Security numbers.In addition to the ever-present cybersecurity threats, data security teams must consider the growing list of data compliance laws…

How data residency impacts security and compliance

3 min read - Every piece of your organization’s data is stored in a physical location. Even data stored in a cloud environment lives in a physical location on the virtual server. However, the data may not be in the location you expect, especially if your company uses multiple cloud providers. The data you are trying to protect may be stored literally across the world from where you sit right now or even in multiple locations at the same time. And if you don’t…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today