Ransomware continues to pile on costs for critical infrastructure victims

Millions more spent without any improvement in recovery times


Costs associated with ransomware attacks on critical national infrastructure (CNI) organizations skyrocketed in the past year.

According to Sophos' latest figures, released today, the median ransom payment rose to $2.54 million, roughly 41 times last year's $62,500. The mean payment for 2024 is higher still at $3.225 million, although that is a less dramatic sixfold increase.

IT, tech, and telecoms were the least likely to pay megabucks to cybercriminals, with an average payment of $330,000, while lower education and federal government organizations reported the highest average payments at $6.6 million.

The numbers are based only on ransomware victims willing to disclose the details of their blunders, so they do not present the complete picture.

On ransom payments specifically, only 86 of the 275 CNI organizations in the survey offered data. The figures could well look different if every CNI ransomware victim polled had been fully transparent about what it paid.

Costs to recover from ransomware attacks are also significantly up on the researchers' report last year, with some CNI sectors' costs quadrupling to a median of $3 million per incident.

While the mean cost across oil, gas, energy, and utilities dropped slightly to $3.12 million from $3.17 million last year, the energy and water sectors saw the sharpest increase in recovery costs. The new median for those two sectors alone is four times the global cross-sector median of $750,000, Sophos said.

The two sectors were also the second most targeted of all, with 67 percent of organizations reporting disruption as a result of an attack, compared to the global average of 59 percent.

So, attacks are becoming more costly and are increasingly successful too. It may come as no surprise, then, that the energy and water sectors are also getting slower at recovering from these attacks.

Just one in five were able to recover in a week or less, according to the survey, compared to 41 percent the year before and 50 percent the year before that. Matters are worse at the other end of the scale too: the share of victims taking longer than a month to recover rose to 55 percent from 36 percent last year.

Sophos mentioned in its report that this may be due to attacks becoming more sophisticated and more complex, thus requiring more work from the IT crew to fully remediate all the damage caused by the crims. However, the vendor's global field CTO Chester Wisniewski said perhaps the sectors should be reconsidering their willingness to pay ransoms.

"This once again shows that paying ransom payments almost always works against our best interests. An increasing number (61 percent) paid the ransom as part of their recovery, yet the amount of time it took to recover was extended. Not only do these high rates and amounts of ransoms encourage more attacks on the sector, but they are not achieving the claimed goal of shorter recovery times."

The debate over laws banning ransom payments continues to polarize the infosec industry. The US leads the Counter Ransomware Initiative (CRI), whose member governments have pledged not to pay ransoms, although the pledge isn't legally binding and appears to be having little effect in the real world.

Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency (CISA), said at a recent event that she doesn't foresee a total ban on payments coming into force, and that it wouldn't be a practical move.

Instead, she pointed to the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), which mirrors what UK Prime Minister Keir Starmer plans to introduce with the UK's Cyber Security and Resilience Bill: requirements on CNI operators to disclose ransomware attacks.

The bill will also aim to improve the cybersecurity posture of the UK's critical sectors and the wider supply chain, a focus shared by CISA's Secure by Design pledge, which aims to pressure vendors into shipping software that is more secure than it is today.

And the changes can't come soon enough, if Sophos' figures are anything to go by. Exploited vulnerabilities topped the list of root causes for CNI ransomware attacks once again this year, accounting for almost half (49 percent) of all incidents, compared to 35 percent last year.
