The average ransomware payment by South African companies is in the order of $950 000 (R18-million), new research by information security firm Sophos has found.
Cybercriminals are becoming increasingly sophisticated in how they execute ransomware attacks as they try to maximise the amount of money they can extort from their victims.
According to John Shier, field chief technology officer at Sophos, a UK-headquartered software and hardware security company, cybercriminals are segmented in their approach to the market, using data to profile their marks and determine who to target and what ransom amount to demand from them.
Shier said the level of this profiling is apparent when analysing the differences in median and average rates for ransoms demanded (and those paid for) between different countries.
The Sophos State of Ransomware 2024 report (PDF) shows that the average ransom demand in South Africa is $975 675, lower than the global average of $2-million. Similarly, the average ransomware payment in South Africa is $958 110, with the global average at $3.96-million. The median amounted demanded locally, however, is $152 000, showing just how wide ranging the amounts asked for are.
“The ransomware landscape offers something for every cybercriminal, regardless of skill. While some groups are focused on multimillion-dollar ransoms, there are others that settle for lower sums by making it up in volume,” said Shier. “There are different groups out there that go after different markets.”
Priced to the market
“Pricing is something that these criminals have worked on a lot. They are pricing their demands at levels that are sensitive to the local environment and they shift their pricing according to the size of the company and the country of the attack,” said Shier.
Cybercriminals are enjoying unprecedented successes in their attacks. Sophos data shows that the global average for ransom payments has increased fivefold, from $400 000 in 2022 to $2-million in 2023.
Among South African companies surveyed, 69% reported having experienced a ransomware attack, with 43% eventually paying the ransom to have their data decrypted.
Read: CIPC hack: customers urged to change passwords
But the costs of recovering from a ransomware attack stretch beyond payment of the ransom itself. There is an opportunity cost associated with downtime, losses to brand value and reputation, and additional IT spend to ensure that a secondary attack does not occur.
The Sophos report shows that South African companies spend an additional $1.04-million to recover from a ransomware attack, over and above the ransom paid. The cost was about $750 000 in 2023, showing that ransomware attacks are getting more expensive.
The time it takes to recover from an attack is also increasing. According to the report, South African organisations are getting slower at recovering from attacks, with 41% fully recovered in up to a week, down from 53% in 2023. Some 26% took between one and six months, an increase from 19% last year. Longer downtimes imply additional costs, too.
Many organisations turn to cyber insurance to mitigate the financial risk that comes with a ransomware attack, but it is not a foolproof solution. According to Sophos, cyber insurance providers contributed to the ransom payment in 87% of incidents locally, but they never paid over the full amount. The cost of cyber insurance, on the other hand, is rising sharply, with many organisations questioning if they can even afford it.
“The ransomware insurance industry is relatively young, unlike vehicle or home insurance where actuaries have many decades of data to go on. It is going to take time for the pricing to be accurate because there are too many unknowns for insurance companies to give a proper premium,” said Shier.
| Metric | South Africa | International |
|---|---|---|
| % of organisations hit by ransomwhare attack | 69 | 59 |
| % of company computers affected in attack | 46 | 49 |
| % of attacks leading to data being encrypted | 76 | 70 |
| % of attacks where backups were also targeted | 97 | 94 |
| % of organisations with encrypted data who paid the ransom | 43 | 56 |
| % of ransoms funded from multiple sources | 87 | 82 |
For South Africans, cybersecurity is a growing concern for individuals, businesses and the public sector, which has seen a number of its institutions breached in the first quarter of 2024. The latest on the list of hacked public institutions is the International Trade Administration Commission, which waited three months to alert stakeholders of the breach due to a lack of information surrounding the matter.
Read: Itac withheld news of security breach to avoid ‘panic’
“Ransomware remains a major threat to South African organisations of all sizes. While the overall attack rate has dropped over the last year, the impact of an attack on those that fall victim has increased. As adversaries continue to iterate and evolve their attacks, it’s essential that defenders and their cyber defences keep pace,” said Shier. – © 2024 NewsCentral Media
