We’re focused on…
How much money threat actors are asking for when they execute ransomware attacks.
Ransom sums can vary wildly
At the time of writing, the attackers who used breached credentials to target customers of the Snowflake cloud storage system are demanding payments from those victims (at least 10 companies so far) of between USD $300,000 and $5 million.
According to the State of Ransomware 2024 report from Sophos, the average ransom payment has increased by 500% over the last year. Organisations surveyed for this report disclosed average payments of $2 million (up from $400,000 in 2023). And that’s before the cost of recovery after an attack – which reached $2.73 million.
Attackers are seeking large payoffs – but that doesn’t mean they’re only targeting companies with the highest annual revenues. While 63% of ransom demands from 2023-24 were for $1 million or more, and 30% were for more than $5 million, nearly half (46%) of organisations with revenue of under $50 million received a ransom demand of seven figures.
Not all ransomware groups are making such expensive demands, though. The Phobos strain, for example, yielded median ransom payments of under $1,000 in 2023 – with a strategy of high-frequency attacks against smaller entities, leveraging a ransomware-as-a-service (RaaS) model to support the volume of attacks.
So how does an attacker decide how much to demand?
2023 was a record-breaking year for ransomware attackers, exceeding $1 billion in extorted cryptocurrency payments from victims.
Ransomware groups increasingly operate very much like legitimate businesses – and like a legitimate business, they take into account a range of different factors when they’re deciding what they need their ROI-per-attack to be.
Those factors might include:
Location. Demand sums may be adapted to geographical locations and local economies – with higher demands in countries with robust economies, for example.
Industry trends. Just like legitimate industries, there are trends in ransomware attacks – and attackers may choose ransom sums that fit with current trends.
The financial capacity of their targets. Ransomware groups focused on high-revenue targets will demand higher sums, while those (like Phobos) with lower-revenue targets will demand smaller sums – but from a larger number of victims.
The perceived value of the stolen data. When attackers are able to steal highly critical or sensitive data, they’re more likely to demand a larger ransom sum.
The potential impact of the breach, and the urgency of that impact. When an attack causes significant disruption to business operations, threatens to expose highly sensitive data, or could destroy the target’s reputation very quickly, then the attacker might demand a higher ransom – knowing that the victim is more likely to concede.
The attacker’s negotiation strategy. Some attackers start high and expect to engage in negotiations. Others set their rate and leave it at that – so they might go in a little lower.
Whether or not the victim has cyber insurance. If the attacker believes the victim is insured, they might aim to match their ransom sum with the amount they believe the insurance will cover.
The attacker’s profit margins. Because yes – just like a legitimate business, ransomware groups have profit margins. They’ll take into account operational costs to make sure their ransom demands will drive profit.
The attack group’s goal is to maximise profits
They want to make money. And they have to balance this with a touch of reality – keeping ransom sums within a range that they have reason to believe a victim can or will pay.
Ransom sums can vary wildly. But broadly speaking, they’re on an upward trajectory.
P.S. - Mark your calendars for the return of Black Hat MEA in November 2024. Want to be a part of the action? Register now!