Cyber Insurers May Want To Rethink Ransom Payments Based On This New Data

Findings from Sophos show that paying an attacker can significantly increase the recovery cost after a ransomware incident, offering another reason why paying ransoms ‘is not the answer,’ Sophos Field CTO Chester Wisniewski tells CRN.

Ransom payments have long been controversial on the grounds that they enrich and embolden cybercriminals. But recent findings suggest that the payments may not make sense for cyber insurers from a financial standpoint.

In Sophos’ State of Ransomware 2023 report, researchers at the cybersecurity vendor found that by two separate measures, making a ransom payment to retrieve encrypted data significantly increases the total recovery cost after a ransomware attack. Ransom payments are frequently covered by cyber insurance providers.

[Related: ScanSource Ransomware Attack: 5 Big Things To Know]

Given the findings, Sophos Field CTO Chester Wisniewski believes that cyber insurers should be asking themselves the question: “Should we be paying ransoms at all if, in fact, your incident cost is higher when you’re paying the ransom than it is when you’re not?”

Ultimately, “I’m hoping that this data—combined with data they’re collecting—convinces them that rushing to pay ransoms is not the answer,” Wisniewski said.

For the report, researchers asked 3,000 IT and cybersecurity leaders at organizations that have between 100 and 5,000 employees to share the cost that their organization incurred to recover from their most recent ransomware attack.

For organizations that did pay a ransom to recover their data, the median recovery cost was $750,000 and the mean recovery cost was $2.6 million, according to the Sophos report.

By contrast, for organizations that skipped the ransom payment and just used backups to restore their data, the median recovery cost was half as much—$375,000. And the mean recovery cost was $1 million lower, at $1.6 million.

“The whole idea of paying the ransom for most insurance providers is the hope that they can get you on your feet faster— which saves them money—for making you whole as part of your policy,” Wisniewski said. But if this is not true, that should probably “discourage more organizations from paying ransoms,” he said.

Cyber insurers, of course, “don’t want to waste their money,” Wisniewski said. “I just think that they believe they’re saving money so they’re [paying] the ransom on a hunch, rather than data.”

All in all, the percentage of respondents saying their organization had been hit with ransomware in the past year stayed flat in Sophos’ State of Ransomware 2023 report at 66 percent, identical to the previous year’s report.

Every Case Is Different

At GuidePoint Security, the incident response team has seen that a variety of factors goes into a victim organization’s calculus about whether to pay a ransom, said Mark Lance, vice president for digital forensics and incident response and threat intelligence at the Herndon, Va.-based cybersecurity specialist.

“There’s so many potential reasons or justifications for certain clients on why they might need to consider that payment,” Lance said. “I could see it go in either direction where it costs more if you pay [the ransom], or costs less if you pay it.”

For instance, in one case of a hospital that was hit by ransomware, the hospital was losing millions of dollars a day, and paying the ransom seemed to be a faster way to get systems online than restoring from backups, which would have taken weeks, he said.

“They paid the ransom because they were able to get the decryption keys and initiate the decryption quicker than waiting for their offline backups to be able to recover and restore from,” Lance said. As a result, “it ended up saving them money.”

In other cases, however, clients have decided to pay a ransom even when they had readily available backups, simply to be able to control the timing around disclosure of an incident, he noted. And in those cases it can end up costing more.

For clients that are paying the ransom strictly to prevent the release of data by attackers, they may end up paying both for restoration from backups as well as the ransom, which can lead to an inflated total recovery cost, Lance said.

Indeed, findings in Sophos’ report suggest that it’s not uncommon for victim organizations to restore data from backups and also pay a ransom: While 70 percent of respondents used backups to restore data, 46 percent paid a ransom, indicating an overlap between the two approaches. According to the report, 21 percent of organizations used “multiple methods” to recover data.

Ultimately, “when you look at [ransom payments] more from a micro level versus the macro level, there are just so many different reasons and considerations,” Lance said.

Focus On Data Extortion

According to a number of criteria, 2022 saw a slowdown in ransomware compared with the previous year.

And notably, some findings by researchers pointed to a shift away from ransomware attacks that encrypted data in 2022 in favor of attacks that just involve data theft and extortion.

In many cases, these “extortion-only” attacks are a more lucrative and easier alternative to the process of encryption and negotiation that’s involved in a typical ransomware attack, CrowdStrike’s threat intelligence head told CRN recently. SonicWall, meanwhile, has cited extortion-only groups including Lapsus$ and Karakurt as further evidence of the trend.

However, the organizations surveyed in Sophos’ ransomware report did not experience that dynamic.

In fact, the percentage of extortion-only incidents, which did not include encryption of the data, dropped to a three-year low in the Sophos report. Just 3 percent of respondents said they experienced extortion without encryption, down from 4 percent in the previous year’s report and 7 percent two years ago.

The scant appearance of extortion-only attacks might be attributable to the size of the organizations surveyed in Sophos’ report, Wisniewski said, since respondents included organizations with as few as 100 employees.

For smaller victim organizations, cybercriminals probably are not bothering to do the work of stealing data and running a leak site, he said. Most of the companies that end up on leak sites are “bigger companies with a lot on the line, and it’s well worth the extra step of the extortion for the criminals,” Wisniewski said.

Insurers Won’t Cover It

There might be another factor that explains why, even for some larger organizations, cybercriminals might still be content to stick with traditional ransomware approaches, according to Wisniewski. And again, it comes back to cyber insurance.

While an insurance company may pay a ransom to get encryption keys, “they won’t pay an extortion fee,” he said. “The conventional wisdom of insurers has been, ‘I’m buying encryption keys that are going to let me get this customer online faster, and that reduces my cost of the incident.’ They think they’re getting value.”

But if an attacker demands a payment from a victim solely in exchange for not releasing its data online, that’s likely not something an insurer is going to cover, Wisniewski said.

“They’re not paying for hiding [a breach] from the GDPR regulators,” he said.