A new report by Sophos shows a surprising trend: Ransomware attacks on Australian organisations are down, but the cost to recover from them has exploded.
The average ransom payment jumped a staggering 297% to a whopping US$6 million, even though only 54% of businesses were hit compared to 70% in 2023.
Australian organisations that paid the ransom reported an average payment of US$6 million, up from $1.51 million in 2023, and more than $2 million above the global average ($3.96 million). However, ransoms are just one part of the cost. Excluding ransoms, the survey found the average cost of recovery for Australian organisations reached US$2.37 million, an increase of more than $500,000 from the $1.72 million recovery cost Sophos reported in 2023.
Despite the soaring ransoms, this year’s survey indicates a considerable reduction in the rate of ransomware attacks with 54% of Australian organisations being hit (59% globally), compared with 70% of Australian organisations in 2023, and 80% in 2022. While the propensity to be hit by ransomware increases with revenue, globally, even the smallest organisations (less than US$10 million in revenue) are still regularly targeted, with just under half (47%) hit by ransomware in the last year.
The 2024 report also found that 76% of ransom demands made towards Australian organisations were for US$1 million or more, with the average ransom demand being $6.8 million, suggesting ransomware operators are seeking huge payoffs. Unfortunately, these increased ransom amounts are not just for the highest-revenue organisations surveyed. Nearly half (46%) of global organisations with revenue of less US$50 million received a seven-figure ransom demand in the last year.
“We must not let the slight dip in attack rates give us a sense of complacency. Ransomware attacks are still the most dominant threat today and are fueling the cybercrime economy. Without ransomware we would not see the same variety and volume of precursor threats and services that feed into these attacks. The skyrocketing costs of ransomware attacks belie the fact that this is an equal opportunity crime. The ransomware landscape offers something for every cybercriminal, regardless of skill. While some groups are focused on multi-million-dollar ransoms, there are others that settle for lower sums by making it up in volume,” said John Shier, field CTO, Sophos.
Compromised credentials were the most common roost cause of an attack for Australian organisations, used in 37% of incidents. This was followed by exploited vulnerabilities, used in 32% of attacks. This is in line with in-the-field incident response findings from Sophos’ most recent Active Adversary report. With 49% of attacks leading to data encryption, it is worrying that 66% of Australian organisations that had data encrypted paid the ransom – the second highest rate reported by any country surveyed. This an increase from both last year’s rate of 53% and the 2024 global average of 56%.
Other notable findings from the report include:
· Australian organisations are getting slower at recovering from attacks with 36% fully recovered in up to a week, down from 46% in 2023. 33% took between one and six months, a significant increase on the 17% last year.
· The average ransom payment for Australian organisations came in at 101% of the initial ransom demand received.
· 58% of Australian organisations that had data encrypted used multiple recovery methods to get data back, above the global average of 47%.
· Eighty-four percent of Australian organisations hit by ransomware in the past year said that the cybercriminals attempted to compromise their backups during the attack. In 66% of instances, backup compromise attempts were successful, the highest rate of any country.
· In 20% of incidents where data was encrypted, data was also stolen – a slight increase from last year’s 17%, but still below the global average of 32%.
“Managing risk is at the core of what we do as defenders. The two most common root causes of ransomware attacks, exploited vulnerabilities and compromised credentials, are preventable, yet still plague too many organisations. Businesses need to critically assess their levels of exposure to these root causes and address them immediately. In a defensive environment where resources are scarce, its time organisations impose costs on the attackers, as well. Only by raising the bar on what’s required to breach networks can organisations hope to maximise their defensive spend,” said Shier.
Sophos recommends the following best practices to help organisations defend against ransomware and other cyberattacks:
· Understand your risk profile, with tools such as Sophos Managed Risk which can assess an organisation’s external attack surface, prioritise the riskiest exposures and provide tailored remediation guidance
· Implement endpoint protection that is designed to stop a range of evergreen and constantly changing ransomware techniques, such as Sophos Intercept X
· Bolster your defenses with round-the-clock threat detection, investigation and response, either through an in-house team or with the support of a Managed Detection and Response (MDR) provider
· Build and maintain an incident response plan, as well as making regular back-ups and practicing recovering data from backups
Data for the State of Ransomware 2024 report comes from a vendor-agnostic survey of 5,000 cybersecurity/IT leaders conducted between January and February 2024. Respondents were based in 14 countries across the Americas, EMEA and Asia Pacific. 330 Australian respondents feature in the report. Organisations surveyed had between 100 and 5,000 employees, and revenue ranged from less than US$10 million to more than $5 billion.
Read the State of Ransomware 2024 report for global findings and data by sector on Sophos.com.
Keep up to date with our stories on LinkedIn, Twitter, Facebook and Instagram.