The State of Security: Ransomware

Sophos Labs recently published its annual global study, Ransomware Status 2022, covering real-world ransomware experiences in 2021, their financial and operational impact on organizations, and the role of cyber insurance in cyber defense.

The report, which surveyed 5,600 IT professionals at midsize organizations in 31 countries, shows that ransomware attacks are increasing and becoming more sophisticated. In 2021, 66% of organizations were affected by ransomware, an increase of 29% compared to 2020.

Cybercriminals are finding more complex ways to launch ransomware attacks. An average of 57% of companies surveyed reported an increase in attack volume, and 59% said attack complexity had increased. With the everything-as-a-service model, even criminals without the skills and funding to implement a single ransomware attack can use out-of-the-box packages.

What’s worse is that cybercriminals are more successful at encrypting data in ransomware attacks. In 2021, data was encrypted in 65% of attacks, an 11% increase compared to the 54% success rate in 2020. However, extortion-only attacks, in which attackers do not encrypt data but exfiltrate it and threaten to publish it unless a ransom is paid, dropped from 7% to 4%.

The cost of ransom payments is rising

Ransom payments are being inflated. The number of organizations that paid a ransom of $1 million or more increased to 11%, up from 4% in 2020, while the percentage of organizations that paid less than $10,000 decreased from 34% in 2020 to 21% in 2021.

More organizations are choosing to pay the ransom to get their data back. 46% of respondents paid the ransom to decrypt data affected by ransomware, and 26% of organizations that had other options to recover their data, such as backups, chose to pay the ransom anyway. As a result, the average ransom paid in 2021 increased by a factor of 4.8, from $170,000 in 2020 to $812,360.

The percentage of data restored after paying the ransom has decreased. The 46% of organizations that paid the ransom got back only 61% of their data on average, down from 65% in 2020. Only 4% of organizations got all of their data back after paying the ransom, down from 8% in 2020.

Major operational impacts of ransomware

Ransomware attacks have a significant impact on the operations of affected companies. In the study, 53% of organizations said the impact of attacks had increased, and a full 90% of victims said the attack had affected their operations. 86% of private sector companies reported that the attack had resulted in loss of business and/or revenue.

On average, organizations that suffered a ransomware attack took a month to recover from the damage and disruption. The average cost of remediating a ransomware attack fell to $1.4 million in 2021, down from $1.85 million in 2020.

According to the report, some factors that may have influenced the cost decline in 2021 include:

  • Ransomware attacks have become more frequent.
  • Remediation costs have been reduced because insurance providers can help their clients rectify threats quickly and effectively.
  • Reputational damage from ransomware attacks has been reduced.

Companies are getting better at data restoration

The report notes that organizations are better prepared to restore data in the event of a ransomware attack. Nearly all organizations affected by ransomware in 2021 (99%) managed to recover some of their encrypted data, up from 96% in 2020.

About half of the companies surveyed (44%) reported that they use multiple approaches to maximize the speed of restoring their data. 73% used backups to restore data, 46% said they paid a ransom to restore it, and 30% used other means, including decryption tools.

Industries that had the highest use of backups included media, leisure and entertainment, followed by energy, oil/gas and utilities.

The role of cyber insurance

Many businesses rely on insurance to help them recover from a ransomware attack. Organizations reported that insurance paid out in 98% of incidents, covering 77% of cleanup costs and 40% of ransom costs. However, while 83% of organizations had cyber insurance, 34% had policy exclusions and exceptions.

Organizations hit by ransomware in the last year are more likely to have insurance coverage than those that were not attacked: 89% of those affected had cyber insurance, compared to 70% of those not affected. Sophos highlights three possible reasons:

  • Organizations affected by a ransomware attack seek cover to help mitigate the impact of future attacks.
  • Cybercriminals target companies protected by insurance coverage to maximize their chances of being paid a ransom.
  • Companies seek coverage to offset known weaknesses in their defenses.

Organizations with a large number of employees are also more likely to have insurance coverage. On average, 83% of companies with 3,001 to 5,000 employees had insurance, compared to 73% of companies with 100 to 250 employees.

It is getting harder and harder to get cyber insurance coverage. The majority of businesses (94%) said their experience of obtaining cyber insurance has changed in the last 12 months in the following ways:

  • The process takes longer.
  • Fewer providers offer cyber insurance.
  • Insurers demand stronger cybersecurity measures.
  • Policies are more complex or more expensive.

This is understandable, as insurers will not write a policy for an organization that does not take steps to prevent an attack.

This latest report sheds new light on the ransomware problem. The percentage of organizations directly affected by ransomware has increased significantly over the last year. As a result, companies have had to take different approaches to help combat the impact of attacks. Nearly all of those affected (99%) recovered some of their encrypted data, and two-thirds restored affected data from backups.

More organizations are buying cyber insurance to help with the financial risks of an attack. However, it is becoming more difficult to obtain coverage and, although insurance pays part of the ransom on almost all claims, the proportion of encrypted data recovered after payment has decreased.

The report’s findings can be used as a model for organizations that need to increase their security against ransomware attacks. Organizations must not only invest in the right technology, but also have the skills and knowledge to implement it effectively. They should also look to partner with experts who can help them get the most out of their cybersecurity investments and raise their defenses.

About the Author: Mary Manzi is a Hubspot Certified Cybersecurity Marketing Professional. His work has been featured on various cybersecurity websites such as Geekflare and Silentbreach.

Publisher’s note: The views expressed in this guest post are solely those of the contributor and do not necessarily reflect those of Tripwire, Inc.
