Sophos study reveals 80% of Aussie firms hit with ransomware in 2021

Chester Wisniewski, principal research scientist at Sophos

Sophos, a global cybersecurity company, released its annual survey and review of real-world ransomware experiences, the State of Ransomware 2022. The report shows that 80% of Australian firms surveyed were hit with ransomware in 2021, up from 45% in 2020.

The average ransom paid by firms that had data encrypted in their most significant ransomware attack was $226,863, with 43% paying between $100,000 and $499,999. Forty-three per cent of the organisations that had data encrypted paid the ransom to get their data back, even if they had other means of data recovery, such as backups.

The report details the impact on 5,600 firms in 31 countries across Europe, the Americas, APAC and Central Asia, the Middle East, and Africa, with 965 sharing details of ransomware payments. This included 250 in Australia, of whom 65 shared details of said payments.

What were Sophos’ thoughts on the research?

“Alongside the escalating payments, the survey shows that the proportion of victims paying up also continues to increase, even when they have other options available. There could be reasons for this, including incomplete backups or the desire to prevent stolen data from appearing on a public leak site,” said Chester Wisniewski, principal research scientist, Sophos.

“In the aftermath of a ransomware attack there is often intense pressure to get back up and running as soon as possible. Restoring encrypted data using backups can be a difficult and time-consuming process, so it can be tempting to think that paying a ransom for a decryption key is a faster option. It’s also an option fraught with risk,” Wisniewski said.

“Firms don’t know what the attackers might have done, like adding backdoors, copying passwords or more. If firms don’t thoroughly clean up the recovered data, they’ll end up with all that potentially toxic material in their network and potentially exposed to a repeat attack.”

What were the findings of Sophos’ study?

The findings of the State of Ransomware 2022 survey for Australia, which covers incidents experienced during 2021, as well as related cyber insurance issues, include:

Organisations are fighting back

99% have made changes to their defences over the last year to improve their insurance position. Globally, 97% made changes with 64% implementing new tech, 56% increasing staff training and education activities, and 52% changing their processes and behaviours.

Backups were the #1 method used for restoring data

70% of Aussie respondents whose data was encrypted used this approach, while 43% paid the ransom. Globally, 73% used backups and 46% paid the ransom to restore data.

Seventy-nine per cent of attacks resulted in data being encrypted

This is higher than the global average of 65%, and an increase from the 74% reported by Aussie respondents in 2020. 99% of those whose data was encrypted got some of their data back. This aligns with the global results, where 99% got at least some of their data back.

The impact of a ransomware attack can be immense

The average cost to recover from a ransomware attack in 2021 was $1.01 million. Australian organisations took on average one month to recover from the attack. Eighty-eight per cent of organisations said the attack had impacted their ability to operate, while 86% reported the ransomware attack caused their organisation to lose business/revenue.

Many organisations rely on cyber insurance to help them recover

91% of respondents in Australia said their organisation has cyber insurance that covers them if they are hit by ransomware, however 53% said the level of cybersecurity needed to qualify for insurance is higher, 50% said cybersecurity policies are now more complex, 39% said the process takes longer, and 36% reported that it is more expensive.

“The study suggests we have reached a peak in the ransomware journey, where attackers’ greed for higher payments is colliding head on with a hardening of the cyber insurance market as insurers seek to reduce their ransomware risk and exposure,” said Wisniewski.

“It has become easy for cybercriminals to deploy ransomware, with almost everything available as-a-service. Second, many cyber insurers have covered a wide range of recovery costs, including the ransom, likely contributing to ever higher ransom demands.”

“However, the results indicate that cyber insurance is getting tougher and in the future ransomware victims may become less willing or less able to pay sky high ransoms.”

“This is unlikely to reduce the overall risk of a ransomware attack. Ransomware attacks are not as resource intensive as some other, more hand-crafted cyberattacks, so any return is a return worth grabbing and cybercriminals will continue to go after the low hanging fruit.”

What practices can help firms defend against attacks?

Follow these practices to help defend against ransomware and related cyberattacks:

  • Install and maintain high-quality defenses across all points in the firm’s environment. Review security controls regularly and make sure they continue to meet the firm’s needs.
  • Proactively hunt for threats to identify and stop adversaries before they can execute their attack – if the team lacks the time or skills to do this in house, outsource to a Managed Detection and Response (MDR) specialist.
  • Harden the IT environment by searching for and closing key security gaps: unpatched devices, unprotected machines, open RDP ports, etc. Extended Detection and Response (XDR) solutions are ideal for this purpose.
  • Prepare for the worst. Know what to do if an incident occurs and keep the plan updated.
  • Make backups, and practice restoring from them so that the organisation can get back up and running as soon as possible, with minimum disruption.

Read The State of Ransomware 2022 report for the full global findings and data by sector.