As Apple gets caught up in an apparent $50 million ransomware extortion attempt by a significant cybercriminal gang, new research reveals just how unlikely it is that organizations will get all their data back if they pay up.
On April 23, I reported how the notorious cybercriminal gang behind the REvil ransomware operation had attempted to get Apple to pay the ransom for another business that it had targeted. That business, REvil said, was Apple original design manufacturer Quanta Computer and the gang said it had stolen the schematics for a number of new Apple products. Several blueprints were published to the REvil dark web site, including one that 9to5Mac determined was related to the 2021 MacBook Pro.
The story has progressed since then, with Bleeping Computer reporting that REvil had now deleted those Apple blueprints from the dark web ransomware leak site. A private chat channel created by REvil and Quanta, the reporter said, included a promise by the gang to stop talking to reporters so that negotiations could take place. The ransom, it was also noted, had dropped from $50 million to $20 million if paid by May 7.
That said, even if a payment was forthcoming, new research reveals the shocking reality of ransomware today: 92% of organizations don’t get all their data back.
Paying a ransom doesn’t guarantee data recovery
According to the Sophos State of Ransomware 2021 report, the number of organizations deciding to pay a ransom has risen to 32% in 2021, compared to 26% last year. Here’s the thing, though: that same global survey found that only 8% of those who paid got all their data back. Nearly a third, 29%, couldn’t recover more than half of the encrypted data.
Even what appears to be some good news in the report, that the number of organizations whose data was encrypted by ransomware dropped from 73% in 2020 to 54% in 2021, is tempered by the new reality of ransom attack behavior.
“We’ve seen attackers move from larger scale, generic, automated attacks to more targeted attacks that include human hands-on-keyboard hacking,” Chester Wisniewski, principal research scientist at Sophos, said. The potential for damage is, therefore, higher from these complex and highly targeted attacks, which now treat data exfiltration as the norm and use publication or sale of that data as leverage. “Such attacks are harder to recover from,” Wisniewski continued, “and we see this reflected in the survey in the doubling of overall remediation costs.”
Cost of ransomware recovery has doubled across 12 months
The Sophos research suggests that average ransomware recovery costs are now $1.85 million, compared to $761,106 a year ago. While the ransoms themselves vary tremendously, based on the size of the victim organization and the value of the data stolen, Sophos found the average paid to be $170,404. This isn’t altogether surprising: even the big numbers that get reported, such as the $50 million demanded from Quanta and Apple, or the $10 million from Garmin, would not be the amount actually paid if the victim decided to take that option. Ransom negotiators are now a standard part of ransomware incident response, and the final ransoms paid tend to be a fraction of the original demand.
Ransomware is a business, a dirty, criminal business, but a business nonetheless. The gangs behind the attacks are well organized, used to the negotiation process, and amenable to talking numbers. Of course, the value of the stolen data increasingly comes into play, and it may be that the auction price exceeds what an organization is prepared to pay. Still, Sophos’s conclusion that the average total cost of recovering from a ransomware attack is ten times the average ransom payment is food for thought. The cybercriminals know this, and it’s yet another piece of the extortion leverage picture.
The brutal truth: it doesn’t pay to pay
“The findings confirm the brutal truth that when it comes to ransomware, it doesn’t pay to pay,” Wisniewski said. “The definition of what constitutes a ransomware attack is evolving,” he continued. “For a small but significant minority of respondents, the attacks involved payment demands without data encryption. It is likely that the attackers were demanding payment in return for not leaking stolen information online.”