Check Point Research (CPR) shares new insights into the ransomware economy after further analyzing Conti group leaks and different ransomware victims related data sets. Paid ransom is a small component of the actual cost of a ransomware attack to the victim, as CPR estimates the total cost to be 7x higher. Cybercriminals are demanding a sum congruent with annual revenue of the victim, ranging between 0.7% to 5%. Duration of a ransomware attack declined significantly, from 15 days to 9 days in 2021. CPR also sees that ransomware groups have clear ground rules for successful negotiation with victims, influencing the negotiation process and dynamics.
- CPR analyzes two data sets to explore both sides of ransomware attack: victims and cybercriminals
- CPR shares ransomware numbers by region for Q1 2022, compared to Q1 2021
- CPR shares four ransomware prevention tips for organizations everywhere
Check Point Research (CPR) analyzed two data sets to get new insights into the ransomware economy, estimating that the collateral cost of ransomware for victims is 7 times more than ransom paid. The first data set was Kovrr’s cyber incidents database, which contains up-to-date information on cyber events and their financial impact. The second data set used was Conti group leaks. CPR’s research aimed to explore both sides of a ransomware attack: victims and cybercriminals.
Key Findings
- Collateral cost. The paid ransom is a small component of the cost of ransomware attack to the victim. CPR estimates the total cost of the attack to the victim is 7 times higher than what they pay to the cybercriminals, and it consists of response and restoration costs, legal fees, monitoring costs.
- Demand sum. Ransom demand sum depends on the annual revenue of the victim and ranges between 0.7% to 5% of the annual revenue. While the higher the annual revenue of the victim, the lower the percentage of the revenue that will be demanded, as that percentage represents a higher number value in dollars.
- Attack duration. Duration of a ransomware attack declined significantly in 2021, from 15 days to 9 days.
- Negotiation ground-rules. Ransomware groups have clear ground rules for successful negotiation with victims, influencing the negotiation process and dynamics:
- Accurate estimation of the victim’s financial posture
- Quality of exfiltrated data from the victim
- The reputation of the ransomware group
- Existence of a cyber-insurance
- The approach and the interests of victims’ negotiators
Sergey Shykevich, Threat Intelligence Group Manager at Check Point Software, said, “In this research, we have provided an in-depth look into both the attackers’ and victims’ perspectives of a ransomware attack. The key learning is that the paid ransom, which is the number most researches deal with, is not a key number in the ransomware ecosystem. Both cybercriminals and victims have many other financial aspects and considerations around the attack. It’s remarkable just how systematic these cybercriminals are in defining the ransom number and in the negotiation. Nothing is casual and everything is defined and planned according to factors that we’ve described. Noteworthy is the fact that for victims, the ‘collateral cost’ of ransomware is 7 times more than the ransom they pay. Our message to the public is that building in advance proper cyber defenses, especially a well-defined response plan to ransomware attacks, can save a lot of money for organizations.”
