
Ransomware Continues To Pile on Costs For Critical Infrastructure Victims

Costs associated with ransomware attacks on critical national infrastructure (CNI) organizations skyrocketed in the past year. From a report: According to Sophos' latest figures, released today, the median ransom payments rose to $2.54 million -- a whopping 41 times last year's sum of $62,500. The mean payment for 2024 is even higher at $3.225 million, although this represents a less dramatic 6x increase. IT, tech, and telecoms were the least likely to pay mega bucks to cybercriminals with an average payment of $330,000, while lower education and federal government orgs reported the highest average payments at $6.6 million.

The numbers are based only on ransomware victims that were willing to disclose the details of their blunders, so do not present the complete picture. On the topic of ransom payments, only 86 CNI organizations of the total 275 involved in the survey offered data. There's a good chance that the numbers would be skewed if 100 percent of the total CNI ransomware victims polled were entirely transparent with their figures. Costs to recover from ransomware attacks are also significantly up compared to the researchers' report last year, with some CNI sectors' costs quadrupling to a median average of $3 million per incident. While the mean cost across oil, gas, energy, and utilities dropped slightly to $3.12 million from $3.17 million last year, the energy and water sectors saw the sharpest increase in recovery costs. The new average for just these two sectors is now four times greater than the global median cross-sector average of $750k, Sophos said.

  • I'm not sure what other result one would expect from a general willingness to pay ransoms; that behavior just tells prospective attackers that it's worth the trouble and that the targets are either completely incapable of doing the restore themselves or sufficiently committed to short-term cost optimization that they'll pay any ransom that's lower than the expected cost of an independent restore even though that sends exactly the wrong message.

    One can certainly try to harden one's own environment, so that someone else is slower than the bear on a given day, but as long as ransoms keep getting paid the economic logic of ransomware will remain compelling; probably even more compelling for targets where downtime is critical but at least worth a go across the board.

    In the absence of effective law enforcement (or effective extralegal perps-turning-up-mysteriously-dead), only ransoms not getting paid is going to restrict malicious activity to more traditional espionage or sabotage targets rather than literally anyone who can cut a check.
    • by Luthair ( 847766 )
      To me there is an easy solution - western nations make it illegal to pay ransom. While small local businesses may still do it, large corporations, hospitals, etc. wouldn't, which would completely remove the incentive for ransomware.
      • It gets sticky when faced with the prospect of people dying, like when a hospital system is compromised.

        "From 2016 to 2021, we estimate that ransomware attacks killed between 42 and 67 Medicare patients."

        https://www.statnews.com/2023/... [statnews.com]

        • Re: (Score:2, Interesting)

          by Firethorn ( 177587 )

          That sounds like tracking down the criminals becomes a point.

          I mean, we've engaged other countries for less than that.

      • To me there is an easy solution - western nations make it illegal to pay ransom. While small local businesses may still do it, large corporations, hospitals, etc. wouldn't, which would completely remove the incentive for ransomware.

        No. This would not work.

        It is illegal for western businesses to pay bribes, but they still do. Big businesses just use a middleman to handle the transaction, i.e. pay a consulting fee to an expert who resolves the problem using advanced techniques and specialized knowledge and experience.

        The same thing would happen.

    • The PHB does not want to pay the costs needed to upgrade software / hardware to be more secure.

      We have water systems running on XP with a remote access option of a shared TeamViewer password.
      That says a lot about how low funding is.

  • by TheNameOfNick ( 7286618 ) on Wednesday July 17, 2024 @12:34PM (#64632799)

    Fix your infrastructure. Mod me Captain Obvious if you like, but you know it needs to be said.

    • by mjwx ( 966435 )

      Fix your infrastructure. Mod me Captain Obvious if you like, but you know it needs to be said.

      That costs money that should have been spent 6 months ago which would have cost some C-Level part of their bonus. Ransoms come from a different bucket of money, some of which can be offloaded to externalities (like insurance).

  • The organizations getting hit are at least half of the problem here. They are not victims. They are perpetrators.

    • by RobinH ( 124750 )
      I agree, but I also don't understand why it's so hard for police to investigate and press charges. The problem is big enough now that a department inside the FBI could actually start investigating, finding, and charging these people. They charge some 16 year old that hacks his school website, but can't go after real criminals?
      • Re: (Score:3, Informative)

        by Firethorn ( 177587 )

        Because the real criminals are generally in Russia, China, North Korea, and such. Or at least make it seem like they're from there.

      • by gweihir ( 88907 )

        Law enforcement always goes after the easy targets, unless forced to do better. They just do not see any profit in arresting CEOs, CTOs and CISOs that do not do their job with regards to IT security. Oh, you mean the attackers? These are hard to identify and harder to get hold of.

  • Maybe we're living in a world where the costs of managing ransomware are equal to the "savings" of laying off all the IT workers.

    It's almost as if removing all the predators from an ecosystem results in it being overrun by prey.

    Life, uh, finds a way?

  • I think we should let them pay but there should be a law that the money has to be taken from the CEO and executives pay. I'll bet with that in place you'd see a lot less stupidity.
    • by Osgeld ( 1900440 )

      Yeah, 'cause they won't totally put on a smoke and mirrors show to make it look like they paid, and then probably get a tax deduction on top of that.

  • In the 90s, computer geeks were computer geeks. We had a high pay for knowing our shit and getting it done correctly. Now every other person says they're in "cyber security". Supply and demand, pay went through the floor. Now no one knows who's good at tech or not as everyone claims to be an expert. This is what the industry has created and deserves. Treat us like the 16 year old kid next door can do better than us and get the knowledge of that 16 year old kid. I say good riddance.
  • Law enforcement needs to attract competent people to work on computer crimes.
    They currently have a problem because of low pay, drug tests, dress codes and other silly rules that drive away talented people.
    They should have one and only one rule: hire the best talent and treat them well.

  • ...until the punishment increases to a level of deterrence.

    And yes, I mean "a bullet in some heads" sort of punishment.

    If you can make $millions with a 0.0001% chance of getting caught, and then a likely chance that you end up in some cushy white collar prison WHY WOULDN'T YOU DO IT?
