83% of organizations paid up in ransomware attacks 

Today, cloud network detection and response provider ExtraHop released the 2023 Global Cyber Confidence Index, which found that not only did the average number of ransomware attacks increase from four to five from 2021 to 2022, but also that 83% of victim organizations paid a ransom at least once. 

The report found that while entities like the FBI and CISA argue against paying ransoms, many organizations decide to eat the upfront cost of paying a ransom, costing an average of $925,162, rather than enduring the further operational disruption and data loss. 

Organizations “are paying ransoms because they believe it’s the quickest and easiest route to get their business back up and running,” said Jamie Moles, senior technical manager at ExtraHop.

At the same time, the popular double extortion modus operandi of many cyber gangs “incorporates stealing data before encrypting it and threatening to publish it on the internet if you don’t pay the ransom,” said Moles, thus placing extra pressure on organizations to pay up. 

The cost of cybersecurity debt 

The research comes just after KFC, Taco Bell and Pizza Hut parent company Yum! Brands announced it had experienced a ransomware breach. 

One of the underlying themes of ExtraHop’s report released today is that organizations are giving ransomware attackers leverage over their data by failing to address vulnerabilities created by unpatched software, unmanaged devices and shadow IT. 

For instance, 77% of IT decision makers argue that outdated cybersecurity practices have contributed to at least half of security incidents. 

Over time, these unaddressed vulnerabilities multiply, giving threat actors more potential entry points to exploit and greater leverage to force companies into paying up. 

“The probability of a ransomware attack is inversely proportional to the amount of unmitigated surface attack area, which is one example of cybersecurity debt,” said Mark Bowling, chief risk, security and information security officer at ExtraHop. “The liabilities, and, ultimately, financial damages that result from this de-prioritization compounds cybersecurity debt and opens organizations up to even more risk.”