Mitigating Ransomware’s Impact, Vol. 1

Victims of ransomware often find themselves in a high-stakes negotiation with no knowledge of their alternatives or the attacker’s actual “bottom line”. This foundational report analyzes nearly 1,300 completed investigations to provide transparency into ransom demands and payments. By examining the gap between what is asked for and what is eventually paid, we seek to chip away at the attacker’s profitability.

The good news is that 1 in 5 victims successfully opts not to pay the ransom at all. Of those who do pay, 70% end up paying significantly less than the original demand. This report rewards the click by proving that the ability to successfully recover from backups is the single most important factor in reducing pay likelihood, dropping it by 20%.

We observe a surprising trend: while ransom demands have risen over the last two years, the actual typical payment has remained relatively stable or even declined. This suggests that experienced negotiators and better recovery strategies are having a measurable impact on the ground. This study serves as an essential benchmark for organizations to understand the real financial exposure of an attack.

Key Findings

• The 1-in-5 Refusal: 20% of ransomware victims choose not to pay, with 80% of those individuals recovering through internal effort.
• Negotiation Potential: 7 out of 10 times a ransom is paid, the final amount is less than the original demand.
• Typical Cost Difference: The median ransom demand sits at $195K, while the typical payment is actually $97K.
• MFA Reduction: Implementing multi-factor authentication (MFA) on even just a subset of accounts correlates with a 12.5% reduction in likelihood to pay.
• Recovery Efficacy: Victims with a demonstrated capability to recover were 19.7% less likely to pay than those who simply “had backups”.
• Re-Extortion Risk: Less than 5% of cases involve “re-extortion,” where criminals demand more money after an initial payment has been made.