The median cost of ransomware per incident more than doubled over the past two years to $26,000, with 95% of incidents that experienced a loss costing between $1 and $2.25 million, according to Verizon’s 2023 Data Breach Investigations Report.
In some cases, threat actors are demanding higher ransom payments from companies “just because they believe they can get it,” according to Chris Novak, managing director of cybersecurity consulting at Verizon Business.
“If they believe they’ve hacked into a very large organization and gained access to very sensitive systems, they may ask for a sizable ransom because they know the organization can likely afford it,” he said in an interview.
With ransomware attacks, criminals use malicious software to prevent companies from accessing their own computer files, systems or networks and demand a ransom payment to have such access restored. Such attacks can also involve threats to leak sensitive data to the public internet.
In 2021, CNA Financial, one of the largest insurance companies in the U.S., reportedly paid $40 million to regain control of its network after a ransomware attack. In the same year, meatpacking giant JBS USA confirmed that it paid the equivalent of $11 million in Bitcoin to hackers.
Besides potential hefty payments to criminals, ransomware costs can also include “clean-up” expenses in the wake of an incident, such as investigatory work and remediation steps performed by outside cybersecurity service providers, according to Novak.
Costs can quickly add up in cases where a company’s computer system was significantly damaged by a cyberattack, for example. Compounding the problem, talent shortages across the cybersecurity industry are creating a supply and demand gap that is driving up prices for companies in need of emergency breach response services, Novak said.
“The cost of everything in cyber is going up,” he said.
The annual Verizon report analyzed 16,312 security incidents between November 2021 and October 2022, of which 5,199 were confirmed data breaches. Ransomware held steady as a top cyberattack method: its share of total breaches didn’t grow, holding flat year-over-year at 24%. “Ransomware is ubiquitous among organizations of all sizes and in all industries,” the report said.
Meanwhile, Verizon found an uptick in cybercriminals’ use of social engineering, which refers to manipulating people into exposing an organization’s sensitive information through tactics like phishing, in which a hacker tricks a user into clicking on a malicious link or attachment.
Business email compromise attacks, a form of pretexting, nearly doubled across Verizon’s entire incident dataset and now represent more than 50% of incidents within the social engineering category, according to the report. The median amount stolen through these attacks also increased over the last couple of years to $50,000, it said.
“A lot of organizations don’t have sufficient controls in place to prevent this kind of attack,” Novak said. “If you can just get somebody to wire you money, that’s far easier than having to go in and try to steal it.”