Petr Pospíšil

Ransomware - what you need to know from a study of 1500 cases.

I recently attended the SANS Ransomware Summit 2023. Let's take a quick look at one of the presentations, which focused on the outputs of a data analysis of 1,500 ransomware events collected over the last 3 years.


The following post is based on the presentation by John Sturgis and his team; all credit belongs to them.


Ransomware Analysis Data


Executive Summary - TL;DR: Too Long, Didn't Read

  • Double extortion is BAU, expect your data to be exfiltrated.

  • It is rare to pay and not get your data decrypted. Why? Business reputation. But sometimes you pay, and they ask for more.

  • Likelihood of victim paying a ransom for any industry is higher than 55%.

  • The typical demand without exfiltration is $107k, versus $530k if data was exfiltrated. Don't allow exfiltration. However, it really depends on the industry - see the insight into industries below.

  • User awareness training is simply the most effective mitigation for preventing infection, relevant to more than 53% of incidents.

  • It's critical to understand the market - the average payment is not the typical payment. See through the marketing.


What data were analyzed?

  • ~1,500 ransomware events globally

  • ~3 years (mid-2019 to mid-2022)

  • 8+ industries

  • $1b+ in demands

  • ~$290m in payments

  • 100+ ransomware families
 

Table of Contents


In the following post we will answer several questions based on data science, in other words via good old statistical analysis.


 

Disclaimer: The graphs below use the geometric mean, which is much closer to the median than the 'normal' arithmetic average, so the results reflect reality better.


Let's start with the most interesting insight the data analysis gives into the tactics of ransomware gangs.


Re-extortion, Double extortion, or Ghosting. Is it really a thing?

Double extortion is business-as-usual, and should not surprise anyone in the field. On the contrary, what I find interesting is how rare it is not to get data back after payment, even though a threat actor might sometimes demand a second round of ransom after the initial payment.

Tactic             Frequency           Description
Re-extortion       Every 20th case     The victim pays, but the threat actor asks for more money.
Double extortion   Every second case   The victim is extorted even though backups work, because sensitive data was exfiltrated.
Ghosting           Every 100th case    The threat actor takes the money but does not recover the encrypted data.


 

What influences demand amounts?


In other words, how much threat actors ask to be paid. That is rarely a random number, as the gangs do their due diligence and research the impacted company through and through.


Expect demands to be based precisely on your published financial records. Threat actors try to land in the tight gap of being 'well priced', considering recovery costs, loss of profits and other factors.


Victim Industry


A complicated graph: a log-scale X axis, and industry verticals down the side. But bear with me.


There is an important note for understanding the graph. If an industry's range touches the overall $195k value, we can say that is the statistically typical demand for the industry - this applies to all industries except the following three:

  • Manufacturing with geometric mean: $304k

  • Healthcare: $113k

  • Critical infrastructure: $77k


Demand amount per victim industry

 


Ransomware Family


There are differences in demands and payments based on the ransomware family. You can read the overall demand/payment off the intersection of the dashed lines.


What then is the encircled area? It means that if you are impacted by the given ransomware family in the given period, there is a 50% chance that the ransom they ask of you will fall within that area.


Demand amount per ransomware family

For example, if you got hit by the most active family of previous years, REvil, they would ask you for something between $10k and $2m - yes, an extremely broad range, but that's statistics. :]


 

What influences payment likelihood?


Initial Demand


In the following graph, where light blue means paid demands and dark blue unpaid ones, we can see that it is especially important (from the threat actor's side) to scope the victim's financial capabilities properly.


Typical payment depends on initial demand

A ransom that is simply too high is often not paid. Period. Victims prioritize other plans for how to continue operations.



 

Victim Industry


Although many threat actors claim not to target critical industries like healthcare, there are still money-grabbing, spineless threat actors with no boundaries.


What I find interesting is that healthcare is not the least attacked vertical; fintech and critical infrastructure are attacked even less. That might be a data distortion though, due to the natural sensitivity of the topic, so statistics may be available less often.


Another highlight we should notice is the payment likelihood, which is still above 56%. Secondly, the typical demand does not match the typical payment. Negotiation is the key, like at a Moroccan market: start at one-third of the demand, end up at half. Or invest in security to avoid such a situation. :)


 

Privilege Escalation


An easy graph: if a threat actor is unable to escalate privileges and seize the infrastructure, payments are less common.


In the 70% of cases where escalation was achieved, payment was made in 70% of cases.

In the 50% of cases where escalation was not achieved, payment was made in 40-60% of cases.

Lesson learned? It's cheaper without escalation. No surprise. Just confirmation based on data.


 

Victim Recovery


Approximately 81% of businesses (both those without backups and those claiming to have backups) do pay the ransom in the end.


What does it mean? The companies that claim to have backups are often not able to use them at the moment of need. The backups are either broken, encrypted as well, or simply not present.


So, statistically, it does not matter whether you have no backups or just 'claim' to have them. In both cases, 81% of companies pay in the end.


However, the companies that are actually able to recover do pay less often.

Likelihood of payment depends on backups availability.

What the previous lines really say is that many companies confidently claim they are ready but are not. The only way to prove backups work is periodic recovery exercises.


 


What influences payment amounts?




Initial Demand


If a victim is asked for $10k, they pay 117% of the $10k. Well, that's an example of re-extortion: more than asked. If a victim is asked for $100k, they will pay 73-83% of it.


However, keeping it simple, there is a downward pressure trend: the higher the demand, the bigger the discount. Moroccan market!


Ransom demand compared with payment.

Victim Recovery


No rocket science.


Recovery == lower % demand


Ability to recover lowers demand paid.


Data Exfiltration


The typical demand with exfiltration, $530k, is much higher than the typical demand without exfiltration, $107k. Great leverage pays.





What’s changing over time?


Demands != Payments, count on that!


While threat actors' demands are rising, payments remain similar.


 

Ransomware families come and go.


Although experts often talk about ransomware gang rebranding, i.e. just changing the logo on the name-and-shame pages, it seems it is not as common as it might sound.


Major ransomware actors from recent years seem to be constantly declining in activity, and only the most professional ones, like the LockBit RaaS, are rising.


Besides that, we see plenty of new ransomware gangs. Of course, over time it is possible that newcomers turn out to be aligned with previous groups; however, that's the beauty of cybercrime - you never really know for sure until it's too late.


Do not focus on a particular group - aggregate the techniques and address the most common ones.


 

How should organizations defend themselves?


For simplicity, the whole ransomware attack kill chain is reduced to three phases:

  1. Initial Access

  2. Post-Compromise

  3. Impact

Each phase/graph below then presents the list of mitigations which give an organization the most value out of all mitigations, considering the data analyzed.


Mitigation Reference:

 

The best mitigations for Initial Access phase

As we can see, user training is simply the most effective mitigation at the beginning of the attack.


In second place, there are just the usual IT best practices - follow software security baselines, have fundamental security tools like AV, EDR and NIDPS set up and working as expected, and work on your vulnerability/patch management as a priority.

Tactic Reference:

 

The best mitigations for Post-Compromise phase


Once the network is compromised, it should already be obvious that backups are essential and must work. Therefore, keep them air-gapped and exercise their recovery periodically.


In the next points, we again get to get-the-basics-done items, like a deployed EDR, proper OS security baselines or account/password management.


Tactic Reference:

 

The best mitigations for Impact phase


Once the impact is happening - in our case, data exfiltration - it is important to prevent it, so we can simply recover operations from the backups and, as no data leaked, the ransom demands yield no results.


Besides the obvious DLP deployment, which might be pricey, there are also detections within a SIEM which can be set up to detect exfiltration attempts.
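As an added example, not from the original post or the presentation, here is a minimal SIEM-style detection in Python run over constructed proxy log lines; the log format, the baseline of known destinations and the two thresholds are assumptions:

```python
from collections import defaultdict

# Constructed proxy log lines: "<timestamp> <src_host> <dst_domain> <bytes_out>".
SAMPLE_LOGS = """\
2023-06-01T01:12:03Z ws-017 cdn.example-update.net 4096
2023-06-01T01:13:44Z ws-017 cdn.example-update.net 2048
2023-06-01T02:05:10Z fs-02 files.mega-share.example 734003200
2023-06-01T02:09:31Z fs-02 files.mega-share.example 838860800
2023-06-01T02:11:02Z ws-044 mail.example.com 512000
2023-06-01T02:12:40Z ws-044 paste.example.org 314572800
2023-06-01T02:15:55Z fs-02 files.mega-share.example 629145600
"""

# Assumptions: destinations seen during a clean baseline period, and two volume
# thresholds (one for any destination, a lower one for never-seen destinations).
KNOWN_DESTINATIONS = {"cdn.example-update.net", "mail.example.com"}
VOLUME_THRESHOLD = 1 * 1024**3        # 1 GiB to any single destination
NEW_DEST_THRESHOLD = 100 * 1024**2    # 100 MiB to a destination not in baseline


def parse_log(text):
    for line in text.splitlines():
        ts, host, dst, nbytes = line.split()
        yield ts, host, dst, int(nbytes)


def outbound_totals(text):
    """Sum bytes per (source host, destination) over the whole sample window."""
    totals = defaultdict(int)
    for _, host, dst, nbytes in parse_log(text):
        totals[(host, dst)] += nbytes
    return dict(totals)


def exfil_alerts(text, known=KNOWN_DESTINATIONS):
    """Return (host, destination, total_bytes, reason) for suspicious pairs."""
    alerts = []
    for (host, dst), total in sorted(outbound_totals(text).items()):
        if total > VOLUME_THRESHOLD:
            alerts.append((host, dst, total, "volume over 1 GiB"))
        elif dst not in known and total > NEW_DEST_THRESHOLD:
            alerts.append((host, dst, total, "large upload to unseen destination"))
    return alerts


if __name__ == "__main__":
    for alert in exfil_alerts(SAMPLE_LOGS):
        print(*alert)
```

In a real SIEM the window, baseline and thresholds come from the organization's own traffic, and the rule is one layer among several, not a replacement for DLP.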


Remember the defense-in-depth principle - a single system always gets bypassed, therefore build your network like a fortress with multiple security controls in place.

Reference:

 

How should organizations prepare for negotiations?


Set expectations.

Have answers to the fundamental questions.

  • Are we willing to pay? How much?

  • Who will handle the incident? External party or internal team?

  • What do we do if we are not going to pay?


Understand and track market.


Average payment IS NOT Typical payment IS NOT Median payment


Read between the lines: each party - ransomware gangs, security firms and other stakeholders - wants to share a different message to maximize its profit.

Typical vs Median vs Average Demand


Difference between Ransom Paid and Ransom Demand
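As an added illustration (not part of the original post or the Cyentia analysis) of why the average, the 'typical' (geometric mean) and the median demand differ, and how a 50% band like the encircled areas in the ransomware-family chart is derived, here is a small Python script over a constructed, skewed sample of demands:

```python
import math
import statistics

# Constructed, heavily right-skewed sample of ransom demands in USD (not real
# case data): many small demands and a few huge ones, like the real distribution.
SAMPLE_DEMANDS = [
    12_000, 15_000, 20_000, 25_000, 35_000, 50_000, 60_000, 80_000,
    120_000, 200_000, 350_000, 900_000, 4_000_000, 25_000_000,
]


def arithmetic_mean(values):
    """The 'average' quoted in marketing: dragged up by the $25m outlier."""
    return sum(values) / len(values)


def geometric_mean(values):
    """The 'typical' demand used in the talk: a mean taken in log space,
    so one huge outlier barely moves it."""
    return math.exp(sum(math.log(v) for v in values) / len(values))


def central_band(values, lower=0.25, upper=0.75):
    """Range holding the middle 50% of demands (25th to 75th percentile),
    the same idea as the encircled area in the ransomware-family chart."""
    ordered = sorted(values)

    def percentile(p):
        # Linear interpolation between neighbouring order statistics.
        pos = p * (len(ordered) - 1)
        lo, hi = math.floor(pos), math.ceil(pos)
        return ordered[lo] + (ordered[hi] - ordered[lo]) * (pos - lo)

    return percentile(lower), percentile(upper)


def summarize(values):
    return {
        "average": arithmetic_mean(values),
        "typical": geometric_mean(values),
        "median": statistics.median(values),
        "band_50pct": central_band(values),
    }


if __name__ == "__main__":
    for name, value in summarize(SAMPLE_DEMANDS).items():
        print(f"{name:>10}: {value}")
```

On this sample the average lands above $2m while the median is $70k and the geometric mean sits in between, which is exactly why a quoted 'average payment' says little about what a typical victim pays.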


Are you looking for summary? You can find one at the beginning of the article.


Do you need help with any practical cyber security controls, audits or have any other question? Let me know.


Have a great day. Petr.

 

References


Credits

  • John Sturgis - Cyentia Institute

  • Ashton Rodenhiser - Mind's Eye Creative
