This week, Charlie provides some interesting statistics around the payment of ransomware and gives an insight into the amount of money that organisations pay to these criminal gangs.
This week and last week I have been umpiring cyber exercises. Both exercises involved a ransomware attack demanding a ransom. When I teach cyber incident management, one of the points I make is that usually the ransomware gangs do their homework, and that the ransom demanded is affordable, but painful to pay. Last week, I wrote about the Royal Mail attack and the demand was for $80m. As the negotiator from Royal Mail said, ‘we are Royal Mail international parcels, and the ransom demand is ridiculous, there is no way we would even contemplate paying that amount of money.’ I thought for this bulletin, I would do some research on who is paying ransoms and how much they have paid, as well as those who didn’t pay and how much was demanded. As organisations often don’t want to provide much information about this, I will see how much I can actually find out!
A few statistics
This is the best I can find in terms of organisations that have paid ransoms:
- CWT Global – the US travel services company paid $4.5 million in bitcoin to the Ragnar Locker ransomware gang in July 2020. It was believed that the gang first demanded $10m.
- University of California at San Francisco – paying a reported $1.14 million in bitcoin to free its systems in June 2020. The initial ransom demand is thought to have been $3 million.
- Travelex – the travel money firm paid $2.3 million following the attack that hit it on New Year’s Eve 2019.
- Brenntag – a chemical distribution company paid $4.4 million in May 2021.
- Colonial Pipeline – the fuel supplier paid $4.4 million in May 2021. Most of the money was later recovered by the US Department of Justice.
- Universal Health Services (UHS) – reported a $67 million figure from the September 2020 attack. In further articles, I read that this was the loss rather than the actual ransom amount paid, so this isn’t the largest ransom payment ever.
- CNA Financial – one of the largest insurance companies in the USA, paid $40 million in ransom after the March 2021 cyberattack. This is the largest ransomware payment I have been able to find.
- Acer – had a $50 million ransom demand in March 2021, but it is not believed that they paid the ransom.
- JBS – a global food company, paid a total of $11m following the attack in May 2021.
- Delaware County officials – paid a ransom of $25,000 in November 2020.
- The Judson Independent School District – paid a $547,000 ransom in August 2021.
- The city of Joplin, Missouri – paid $320,000 in August 2021.
- Glenn County Office of Education – paid a ransom of $400,000 in May 2022.
- Blackbaud, a cloud software provider – paid a ransom in May 2020. The amount is unknown.
- The city of Riviera Beach in Florida – paid a $600,000 ransom in June 2019.
- Smartwatch maker Garmin – paid a multi-million dollar ransom in 2020. The demand is believed to have been $10m, and the amount actually paid has not been confirmed.
- Hensoldt, a multinational defense contractor – confirmed on 12 January 2022 that some of its UK subsidiaries had fallen prey to a ransomware attack. Although the company has not revealed the details of the security breach, the ransomware group Lorenz claimed credit for it and listed the ransom as “paid”.
- Ohio-based NEO Urology – paid a $75,000 ransom in 2019.
A few bits of good news to follow on
- In 2021, 46% of ransomware victims paid to restore their data, and on average they got back only 61% of it.
- Over the last 4 years, the propensity for victims of ransomware to pay a ransom has fallen dramatically, from 85% of victims in Q1 of 2019, to 37% of victims in Q4 of 2022. On an annual basis, 41% of victims paid in 2022 vs. 76% in 2019.
For me these are the high-profile ones which have paid, but how many lower-level organisations have paid and have managed to keep it quiet? The good news is that fewer organisations are paying, and the less the criminals get paid, the less likely they are to see this as a source of easy money.