Friday, December 5, 2025

For Ransomware, Payouts Go Up While Attacks Decline

The average payout for a ransomware attack has increased despite a drop in the number of times an organization is attacked annually, a study by cybersecurity firm ExtraHop Networks Inc. finds.

The average payout per attack over the past year was $3.6 million, up from $2.5 million. The number of ransomware attacks an organization experiences annually, however, fell to between five and six from eight a year earlier.

The higher payouts reflect a shift by criminals toward more targeted ransomware attacks, which are harder to detect and yield better results than broad, opportunistic campaigns. As a result, attackers gain “a significant head start,” the study says. In a ransomware attack, criminals encrypt a victim’s data and demand payment, a ransom, in exchange for restoring access to it.

Overall, 70% of respondents said they had paid a ransom demand, while 30% said they never paid, up from 9% a year earlier. The average payout rose by more than $1 million, the study notes.

The healthcare sector had the highest average payout at $7.5 million, followed by government, at slightly below $7.5 million, and financial organizations, at $3.8 million. Average payouts also varied by country. Organizations in the United Arab Emirates, for example, paid out $5.4 million per attack, 26% above the global average, while organizations in Australia paid an average of $2.5 million per attack, the lowest of any country surveyed, the study says.

Seattle-based ExtraHop surveyed 1,800 security and IT decision-makers in July. Respondents held director-level or higher roles at organizations with at least 1,000 employees in the United States, the United Kingdom, France, Germany, Singapore, Australia, and the United Arab Emirates. Organizations surveyed included businesses, government agencies, and healthcare providers.

“As IT environments grow increasingly complex and attack surfaces expand, threat actors are able to capitalize on blind spots, spending more time inside an organization to cause greater damage and achieve higher payouts,” the report says.

On average, attackers spend two weeks inside a victim’s network before being detected, and a successful attack causes an average of 37 hours of downtime. Once an attack is detected, organizations take at least two weeks to respond to and resolve it, the study says. In the U.S., response and resolution take an average of 2.8 weeks. Globally, government and transportation organizations take more than three weeks on average to respond to and resolve an attack. Transportation organizations also reported the longest average downtime of any respondent group, at 74 hours.

“Two weeks is a long time for an intruder to go unnoticed, and with security teams taking another two weeks to respond, attackers have a full month to cause serious damage,” the study says.

Steps organizations can take to reduce their exposure to ransomware include identifying the vulnerabilities and weak spots in their systems and cyber defenses, monitoring internal (east-west) traffic for signs of lateral movement, and keeping up with attackers’ evolving tactics and with the technologies available to detect and fend off an attack.
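The “monitor internal traffic” recommendation is about shrinking the two-week dwell time the study describes. The script below is an added illustration of that idea and is not ExtraHop’s code or the method behind the study: it reads a small set of constructed flow records (timestamp, source, destination, destination port) and flags any internal host that reaches an unusual number of distinct internal peers on file-sharing and remote-administration ports within a short window, the fan-out pattern an intruder produces while staging encryption across a network. The port list, the private address ranges, the threshold, and the log format are all assumptions chosen for the example.

```python
"""Lateral-movement fan-out detector over east-west flow logs.

Added example, not code from ExtraHop or from the study it reports on.
Assumptions: flows arrive as 'ISO-timestamp src dst dport' lines, internal
space is RFC 1918 10/8 and 192.168/16, and SMB/RDP/WinRM are the ports worth
watching.  Tune all three for a real environment.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Ports typically used to move between hosts: SMB, RDP, WinRM (assumption).
LATERAL_PORTS = {445, 3389, 5985, 5986}

# Address ranges treated as internal (assumption).
INTERNAL = [ipaddress.ip_network("10.0.0.0/8"),
            ipaddress.ip_network("192.168.0.0/16")]


def is_internal(ip: str) -> bool:
    """True if the address falls inside one of the INTERNAL ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL)


def parse_flow(line: str):
    """Parse one constructed flow record: 'ISO-timestamp src dst dport'."""
    ts, src, dst, dport = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport)


def fan_out_alerts(lines, threshold=8, window=timedelta(minutes=5)):
    """Return {src: peak_peer_count} for every internal source that contacts
    at least `threshold` distinct internal peers on LATERAL_PORTS inside any
    sliding window of length `window`.  External and non-lateral traffic is
    ignored so ordinary web/DNS noise cannot trigger an alert."""
    per_src = defaultdict(list)
    for line in lines:
        ts, src, dst, dport = parse_flow(line)
        if (dport in LATERAL_PORTS and is_internal(src)
                and is_internal(dst) and src != dst):
            per_src[src].append((ts, dst))

    alerts = {}
    for src, events in per_src.items():
        events.sort()                      # sliding window needs time order
        lo = 0
        for hi in range(len(events)):
            # Drop events that fell out of the window ending at events[hi].
            while events[hi][0] - events[lo][0] > window:
                lo += 1
            peers = {dst for _, dst in events[lo:hi + 1]}
            if len(peers) >= threshold:
                alerts[src] = max(len(peers), alerts.get(src, 0))
    return alerts


# Constructed sample flows (not real traffic): a backup server doing routine
# SMB work, some DNS noise, and one workstation sweeping a subnet over SMB.
SAMPLE_FLOWS = (
    ["2025-12-01T02:00:00 10.0.1.5 10.0.3.10 445",
     "2025-12-01T02:20:00 10.0.1.5 10.0.3.11 445",
     "2025-12-01T02:40:00 10.0.1.5 10.0.3.12 445",
     "2025-12-01T03:00:00 10.0.2.77 8.8.8.8 53",      # external, ignored
     "2025-12-01T03:00:01 10.0.2.77 10.0.0.2 53"]     # DNS, not lateral
    # Twelve distinct internal peers on SMB within 55 seconds.
    + [f"2025-12-01T03:10:{i * 5:02d} 10.0.2.77 10.0.4.{20 + i} 445"
       for i in range(12)]
)


def demo():
    """Run the detector over the constructed sample with default settings."""
    return fan_out_alerts(SAMPLE_FLOWS)


if __name__ == "__main__":
    for src, count in demo().items():
        print(f"ALERT {src}: {count} distinct internal peers "
              f"on lateral-movement ports")
```

With the defaults only the sweeping workstation is reported; loosening the threshold and widening the window to an hour also surfaces the backup server, which is the kind of tuning decision a team has to make against its own baseline before a detector like this is useful.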

“Playing defense isn’t enough. [Organizations] must get ahead of these threats by making it harder for attackers to get a foothold and by dramatically shrinking the time they have to operate,” the study says.


Digital Transactions