The cost of ransomware is 7 times higher than the ransom

Check Point Research (CPR) is sharing new information on the ransomware economy after further analyzing Conti Group leaks and the various data sets associated with ransomware victims.

The ransom is a small fraction of the actual cost to a ransomware attack victim, as CPR estimates the total cost is 7 times higher. Cybercriminals demand an amount corresponding to the victim's annual income, which ranges between 0,7% and 5%.

The duration of a ransomware attack was significantly reduced in 2021, from 15 days to 9. CPR also noted that ransomware teams have clear basic rules for successful dealings with victims, which affect the negotiation process and dynamics.

CPR analyzes two sets of data to explore both sides of ransomware attack: that of victims and that of cybercriminals

CPR distributes ransomware numbers by region for the first quarter of 1, compared to the first quarter of 2022.

Check Point Research (CPR) analyzed two sets of data to obtain new information on the ransomware economy, estimating that the ransomware's side cost to victims is 7 times greater than the ransom paid.

The first set of data was the Kovrr Cyber ​​Incident Database, which contains the latest information on cyber incidents and their financial implications.

The second set of data used was the Conti group leaks. The CPR investigation aimed to investigate both sides of a ransomware attack: both victims and cybercriminals.

Key Findings

Side costs. Ransom is a small part of the cost to the victim of a ransomware attack. CPR estimates that the total cost of the attack is 7 times higher than what the victim pays to cybercriminals and relates to response and rehabilitation costs, court fees and surveillance costs.
Final sum. The final ransom amount depends on the victim's annual income and ranges between 0,7% and 5% of it. While the higher the annual income of the victim, the lower the percentage of income that will be claimed, as this percentage represents a higher numerical value in dollars.
Duration of the attack. The duration of a ransomware attack was significantly reduced in 2021, from 15 days to 9 days.
Basic trading rules. Ransomware groups have clear basic rules (as follows) for successful trading with their victims, which affect both the trading process and the dynamics of trading:

a. Accurate assessment of the financial situation of the victim

b. Quality of data filtered by the victim

c. The ransomware team reputation

d. The existence of cyber insurance

e. The approach and interests of the victims' negotiators

Comment:  Sergey Shykevich, Threat Intelligence Group Manager at Check Point Software:

"In this research, we provide an in-depth look at the prospects of both attackers and victims of a ransomware attack. What we are actually learning is that ransom, which is the number that most surveys deal with, is not the basic number in the ransomware ecosystem. Both cybercriminals and victims have many other financial issues and concerns regarding the attack. It is remarkable how systematic these cybercriminals are in determining the amount of ransom and in negotiating. Nothing is accidental and everything is defined and designed according to factors. It is noteworthy that for the victims, the "collateral cost" of ransomware is 7 times higher than the ransom they pay. "Our message to the public is that building a proper cyber defense in advance, and in particular a well-defined ransomware response plan, can save organizations a lot of money."

Ransomware through Numbers

For the first quarter of 2022, CPR divides the following numbers:

• Globally, the weekly average of affected organizations is 1 in 53 - an increase of 24% on an annual basis (1 in 66 organizations in the first quarter of 1)
• In the EMEA, the weekly average of affected organizations is 1 in 45 - an increase of 37% per year (1 in 62 organizations in the first quarter of 1)
• In APAC, the weekly average of affected organizations is 1 in 44 - an increase of 37% per year (1 in 60 organizations in the first quarter of 1)
• In Africa, the weekly average of affected organizations is 1 in 44 - an increase of 23% on an annual basis (1 in 54 organizations in the first quarter of 1)
• In ANZ, the weekly average of affected organizations is 1 in 88 - an increase of 81% on an annual basis (1 in 160 organizations in the first quarter of 1)
• In Asia, the weekly average of affected organizations is 1 in 24 - an increase of 54% on an annual basis (1 in 37 organizations in the first quarter of 1)
• In Europe, the weekly average of affected organizations is 1 in 68 - an increase of 16% per year (1 in 80 organizations in the first quarter of 1)
• In North America, the weekly average of affected organisms is 1 in 120 - no change per year
• In Latin America, the weekly average of affected organizations is 1 in 52 - a 25% increase on an annual basis (1 in 64 organizations in the first quarter of 1)

How to protect yourself from Ransomware

Powerful data backup. The purpose of ransomware is to force the victim to pay a ransom in order to regain access to their encrypted data. However, this is only effective if the target actually loses access to its data. A powerful, secure data backup solution is an effective way to mitigate the impact of a ransomware attack.

Cyber ​​awareness training. Fishing emails are one of the most popular ways of spreading ransomware. By tricking a user into clicking a link or opening a malicious attachment, cybercriminals can gain access to the employee's computer and begin the process of installing and running ransomware on it. Frequent cyber security awareness training is vital to protecting the body from ransomware.

Powerful, secure user authentication. Enforcing a strong password policy, requiring the use of multi-factor authentication, and educating employees about phishing attacks designed to steal login credentials are all critical elements of an organization's cyber security strategy.

Patch updates. Keeping computers up-to-date and implementing security patches, especially critical ones, can help reduce an organization's vulnerability to ransomware attacks.