In 2021, 66% of organizations were hit by ransomware, according to a new Sophos survey of more than 5,000 IT professionals at midsize organizations.
Sophos released its "The State of Ransomware 2022" report Wednesday, the latest in a series of annual studies covering emerging insights in the world of ransomware. Sophos said it surveyed 5,600 IT professionals in organizations that have between 100 and 5,000 employees. The data represents insights from 31 countries, and surveying was conducted in January and February.
According to Sophos' report, ransomware attacks are getting more frequent, more impactful and more complex. Last year, 66% of surveyed organizations were hit by ransomware -- an increase from 37% in 2020. In 2021, attackers succeeded in encrypting data in 65% of attacks, while extortion-only attacks, which did not encrypt data but threatened to leak the victim's data, became less common.
Among surveyed organizations, 57% experienced an increase in cyber attack volume, 59% saw the complexity of attacks increase, and 53% reported that attacks had greater impact. With greater impact comes greater attack consequences, and, on average, the most significant attacks last year required one month to recover.
One positive change came in the form of average remediation costs, which saw a drop from $1.85 million to $1.4 million. Sophos offered two possible reasons for this.
"This welcome drop from US$1.85M in 2020 likely reflects that, as ransomware has become more prevalent, the reputational damage of an attack has lessened," the report read. "In parallel, insurance providers are better able to guide victims swiftly and effectively through the incident response process, reducing the remediation cost."
Another positive change is that 99% of organizations recovered data following a ransomware attack, an increase from 96% the previous year. The reason for this, according to Sophos, appears to be the use of multiple recovery methods.
Seventy-three percent of organizations used backups to recover data, while 46% paid the ransom to restore data. Sophos said this overlap "[reflects] the fact that many organizations use multiple restoration approaches to maximize the speed and efficacy with which they can get back up and running." Forty-four percent of organizations used multiple recovery methods.
Christopher Budd, senior manager of threat research at Sophos, told SearchSecurity in an email that there are two aspects explaining why an organization might both use backups and pay a ransom. The first is incident response; organizations will look at all viable options to restore business operations as soon as possible.
"On average, organizations only got 61% of their data back after paying a ransom," he said. "This means that relying solely on paying the ransom likely won't give an organization all their data back, and thus be able to restore full operations. By pursuing both a backup restoration and a ransom-paying tactic simultaneously, organizations are clearly looking to cover all bases to get as much information back as quickly as possible."
The second aspect involves cyber insurance.
"Cyber insurance covers much of the ransom payment, according to respondents," Budd said. "We note that '98% that were hit by ransomware and had cyber insurance that covered ransomware said the policy paid out in the most significant attack.' This is a classic example of 'transferring risk': organizations have transferred the risks around payment to their cyber insurers. This makes paying the ransom a viable recovery tactic."
Though still in its infancy, cyber insurance has changed the incident response process. The merits of cyber insurance are in perpetual debate. On one hand, it provides protections to organizations that can help them recover operations faster. On the other, professionals have argued it has given rise to more attacks.
While a majority of organizations surveyed are insured against ransomware (83%), and cyber insurance usually pays out respondents' ransomware claims (98% of the time), Sophos' report also makes the case that cyber insurance has made cyber defenses stronger.
This is because, according to respondents, the standards for ransomware coverage have gone up. Ninety-four percent of organizations found it more difficult to secure cyber insurance in 2021, and 97% made changes to their cyber defenses in order to better position themselves for insurance coverage. Sixty-four percent implemented new technology or services, 56% have increased staff education, and 52% have made process changes.
Sophos recommends that all organizations proactively hunt for threats, harden their environments by closing gaps such as unpatched devices and open Remote Desktop Protocol (RDP) ports, and develop an incident response plan.
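The hardening advice above names open RDP ports as one of the gaps to close. The following added example, which is not from the Sophos report or from this article, shows one way a defender can check for that gap: it audits a constructed firewall rule set for inbound allow rules that open TCP 3389 to any source outside an assumed set of internal ranges. The `Rule` format, the field names, the trusted ranges and the sample rules are all assumptions made for the example.

```python
"""Audit a firewall rule set for internet-exposed RDP (TCP 3389).

Added example, not tooling from Sophos or the article. The rule schema
below is a simplified, vendor-neutral assumption; real exports
(cloud security groups, host firewalls, edge firewalls) will need a
small adapter to produce Rule objects.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Sequence

RDP_PORT = 3389  # TCP port used by Remote Desktop Protocol

# Assumption: RDP is only legitimate from these internal/VPN ranges.
# Any inbound allow rule whose source is not fully inside one of them
# is reported as exposed.
TRUSTED_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]


@dataclass(frozen=True)
class Rule:
    name: str
    direction: str  # "inbound" or "outbound"
    action: str     # "allow" or "deny"
    proto: str      # "tcp", "udp" or "any"
    src_cidr: str   # source network in CIDR notation
    port_from: int  # inclusive start of destination port range
    port_to: int    # inclusive end of destination port range


# Constructed sample rules: two of them expose RDP, the rest do not.
SAMPLE_RULES = [
    Rule("allow-https", "inbound", "allow", "tcp", "0.0.0.0/0", 443, 443),
    Rule("rdp-from-vpn", "inbound", "allow", "tcp", "10.20.0.0/16", 3389, 3389),
    Rule("rdp-anywhere", "inbound", "allow", "tcp", "0.0.0.0/0", 3389, 3389),
    # A broad port range from a partner network still covers 3389.
    Rule("wide-range", "inbound", "allow", "any", "203.0.113.0/24", 3000, 4000),
    Rule("rdp-deny", "inbound", "deny", "tcp", "0.0.0.0/0", 3389, 3389),
    Rule("rdp-out", "outbound", "allow", "tcp", "0.0.0.0/0", 3389, 3389),
]


def rule_covers_port(rule: Rule, port: int, proto: str = "tcp") -> bool:
    """True if the rule's protocol and port range include the given port."""
    return rule.proto in (proto, "any") and rule.port_from <= port <= rule.port_to


def source_is_trusted(cidr: str, trusted: Sequence[ipaddress._BaseNetwork]) -> bool:
    """True only if the whole source network lies inside a trusted range."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.version == t.version and net.subnet_of(t) for t in trusted)


def find_exposed_rdp(rules: Iterable[Rule],
                     trusted: Sequence[ipaddress._BaseNetwork] = TRUSTED_NETS,
                     port: int = RDP_PORT) -> List[str]:
    """Return the names of inbound allow rules that open `port` to untrusted sources.

    Each allow rule is judged on its own; deny rules are not used to
    cancel it out, because rule-ordering semantics differ between
    products and a rule that needs a deny in front of it is still worth
    a human look.
    """
    exposed = []
    for rule in rules:
        if rule.direction != "inbound" or rule.action != "allow":
            continue
        if not rule_covers_port(rule, port):
            continue
        if source_is_trusted(rule.src_cidr, trusted):
            continue
        exposed.append(rule.name)
    return exposed


if __name__ == "__main__":
    findings = find_exposed_rdp(SAMPLE_RULES)
    for name in findings:
        print(f"RDP exposed by rule: {name}")
    print(f"{len(findings)} rule(s) expose TCP {RDP_PORT} to untrusted sources")
```

Run against the constructed rules it reports `rdp-anywhere` and `wide-range`; the second finding is the case that a grep for "3389" misses, since the port is hidden inside a range. The deny rule is deliberately ignored so that the report errs toward false positives rather than silently trusting rule order.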
Alexander Culafi is a writer, journalist and podcaster based in Boston.