Data loss due to cyber attacks has become increasingly expensive for organizations, not only in terms of paying the ransom to cyber criminals but also in terms of investigating attacks and facing legal claims. According to American law firm BakerHostetler’s annual report on data security incidents, the number of ransomware attacks decreased in early 2022 but rose sharply by the end of the year and the beginning of 2023. The increase is due to extortion demands and higher final payments.
Last year, the largest ransom demand by attackers was $90 million, and the largest payment made by a hacked company exceeded $8 million, surpassing the figures from 2021. The average ransom paid increased to approximately $600,000 in 2022, compared to $510,000 in the previous year. However, this is still lower than the peak value of $795,000 recorded during the pandemic in 2020.
BakerHostetler’s lawyers investigated more than 1,160 data security incidents, and according to their statistics, about 40% of victims paid a cash ransom to the extortionists. These figures contradict previous data published by Chainalysis, which stated that the total amount of ransom paid to extortion groups decreased in 2022 due to victims refusing to pay. However, the data from Chainalysis did not include figures for the end of the year, when BakerHostetler recorded an increase in costs for cash ransom.
The UK National Cyber Security Centre and the US Federal Bureau of Investigation have publicly discouraged paying a ransom to extortionists, as it may encourage criminals to continue engaging in blackmail. There is also no guarantee that attackers will delete the stolen data even if the ransom is paid. BakerHostetler researchers recommend that organizations use EDR solutions and back up data to significantly reduce their risks and potential expenses. Companies that do not prioritize security measures are more vulnerable to attacks and may face severe financial losses and legal repercussions.