Sophos Study Suggests: Cost of Ransomware Attack Recovery Doubles When Ransom is Paid

by | May 29, 2020

Organizations that are hit by a ransomware attack may be tempted to pay the ransom to reduce downtime and save on recovery costs, but a survey conducted by Sophos suggests that organizations that pay the ransom actually end up spending considerably more than those that can restore files from well-established backups.

The FBI advises against meeting ransom demands: paying gives hackers money to conduct more attacks, may see a victim targeted again, and carries no guarantee that valid keys will be handed over to decrypt data. The higher recovery cost can now be added to the list of reasons not to pay a hacking group’s ransom demand.

The survey was carried out by market research firm Vanson Bourne between January and February 2020 and polled around 5,000 IT decision makers at firms with between 100 and 5,000 employees across 26 countries, including the United States, Canada, and the United Kingdom.

51% of respondents said they had experienced a ransomware attack in the previous year, and 73% of those said the attack resulted in the encryption of data. 26% of attacked organizations paid the ransom and 73% did not. 56% of firms said they were able to recover their files from backups. Of the firms that paid the ransom, 95% said they were able to recover their data, while 1% said they were unable to.

84% of organizations said they had a cyber insurance policy, but only 64% said the policy covered ransomware attacks. Of the 64% with insurance cover for ransomware attacks, 94% said the ransom was paid by their insurer.

Victims of ransomware attacks were asked to supply an estimated cost of the attack, including downtime, staff costs, equipment costs, lost business, and other associated expenses. The average cost in cases where the ransom was not paid was $732,520, whereas at organizations that paid the ransom the cost was around double that amount: $1,448,458.

The ransom payment itself, which is often large, must be covered, and many of the expenses linked with an attack have to be paid whether or not the ransom is paid. Paying to recover more quickly may seem like an easy option, but in reality recovery may not be shortened considerably even when the demand is met. In most cases a separate decryption key is required for each endpoint, so recovery is still an incredibly time-consuming process that may not be simple. It is also not unusual for data to be corrupted during encryption and decryption.

The take-home message is to make sure you have the option of restoring files from backups, which means making a number of different backups with one copy stored on an air-gapped device. Backups must also be audited to ensure data hasn’t been corrupted and file recovery is possible. You should then follow the FBI’s recommendation and not pay the ransom unless you have no other option.
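The backup audit recommended above can be automated with a hash manifest: record a digest of every file when the backup is taken, keep the manifest with the offline copy, and re-verify before you ever rely on the backup for recovery. The following script is an added example, not code from the article or from Sophos; the file names, contents and the `build_manifest` / `verify_manifest` function names are assumptions constructed for illustration.

```python
"""Added example (not from the article or the Sophos report): audit a backup
tree against a SHA-256 manifest so silent corruption or missing files are
found before a restore is needed.  All sample files below are constructed."""
import hashlib
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # hash in 1 MiB chunks so large backup files fit in memory


def sha256_file(path: Path) -> str:
    """Return the hex SHA-256 digest of a file, streamed in chunks."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every file under root (relative POSIX path) to its digest and size.

    Store the returned manifest separately from the backup tree (ideally with
    the air-gapped copy) so an attacker who can alter the backup cannot also
    rewrite the record used to check it."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            rel = p.relative_to(root).as_posix()
            manifest[rel] = {"sha256": sha256_file(p), "size": p.stat().st_size}
    return manifest


def verify_manifest(root: Path, manifest: dict) -> dict:
    """Compare the backup tree with the manifest.

    Returns {'ok', 'corrupted', 'missing', 'unexpected'} lists.  Any entry in
    'corrupted' or 'missing' means the backup cannot be trusted for recovery
    and should be regenerated from a known-good source."""
    result = {"ok": [], "corrupted": [], "missing": [], "unexpected": []}
    for rel, expected in manifest.items():
        p = root / rel
        if not p.is_file():
            result["missing"].append(rel)
            continue
        # size check is cheap; the hash catches same-size modifications
        if p.stat().st_size != expected["size"] or sha256_file(p) != expected["sha256"]:
            result["corrupted"].append(rel)
        else:
            result["ok"].append(rel)
    for p in root.rglob("*"):
        rel = p.relative_to(root).as_posix()
        if p.is_file() and rel not in manifest:
            result["unexpected"].append(rel)
    return result


def demo() -> dict:
    """Build a constructed backup set, snapshot it, then simulate one file
    silently changing and another disappearing, and return the audit result."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "backup"
        (root / "db").mkdir(parents=True)
        (root / "db" / "patients.sql").write_bytes(b"CREATE TABLE patients (id INT);\n")
        (root / "config.ini").write_bytes(b"[server]\nport=8443\n")
        (root / "notes.txt").write_bytes(b"backup taken 2020-05-29\n")
        manifest = build_manifest(root)
        # same-length edit (8443 -> 8444) defeats a size check but not the hash
        (root / "config.ini").write_bytes(b"[server]\nport=8444\n")
        (root / "notes.txt").unlink()
        return verify_manifest(root, manifest)


if __name__ == "__main__":
    for status, files in demo().items():
        print(f"{status:10s} {files}")
```

Run the script to see the three outcomes on the constructed set: the untouched database dump verifies, the edited config is reported as corrupted even though its size is unchanged, and the deleted notes file is reported as missing. In practice you would run `build_manifest` as part of every backup job and `verify_manifest` on a schedule and before any restore.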



Patrick Kennedy

Patrick Kennedy is a highly accomplished journalist and editor with nearly two decades of experience in the field. With expertise in writing and editing content, Patrick has made significant contributions to various publications and organizations. Over the course of his career, Patrick has successfully managed teams of writers, overseeing the production of high-quality content and ensuring its adherence to professional standards. His exceptional leadership skills, combined with his deep understanding of journalistic principles, have allowed him to create cohesive and engaging narratives that resonate with readers. A notable area of specialization for Patrick lies in compliance, particularly in relation to HIPAA (Health Insurance Portability and Accountability Act). He has authored numerous articles delving into the complexities of compliance and its implications for various industries. Patrick's comprehensive understanding of HIPAA regulations has positioned him as a go-to expert, sought after for his insights and expertise in this field. Patrick's bachelor's degree is from the University of Limerick and his master's degree in journalism is from Dublin City University. You can contact Patrick through his LinkedIn profile.
