How much ransom are cybercriminals asking for?

by Black Hat Middle East and Africa

Welcome to the new 118 cyber warriors who joined us last week. Each week, we'll be sharing insights from the Black Hat MEA community. Read exclusive interviews with industry experts and key findings from the #BHMEA stages.

Keep up with our weekly newsletters on LinkedIn — subscribe here.

Our weekly delivery of insights from the cybersecurity sector – including exclusive interviews with experts from the global Black Hat MEA community.

This week we’re focused on…

How much money threat actors are asking for when they execute ransomware attacks. 

Ransom sums can vary wildly 

At the time of writing, the attackers who used breached credentials to target customers of the Snowflake cloud storage system are demanding payments from those victims (at least 10 companies) of between USD 300,000 and USD 5 million.

According to the State of Ransomware 2024 report from Sophos, the average ransom payment has increased by 500% over the last year. Organisations surveyed for this report disclosed average payments of $2 million (up from $400,000 in 2023). And that’s before the cost of recovery after an attack – which reached $2.73 million. 

Attackers are seeking large payoffs – but that doesn’t mean they’re only targeting companies with the highest annual revenues. While 63% of ransom demands from 2023-24 were for $1 million or more, and 30% were for more than $5 million, nearly half (46%) of organisations with revenue of under $50 million received a ransom demand of seven figures. 

Not all ransomware groups are making such expensive demands, though. The Phobos strain, for example, yielded median ransom payments of under $1,000 in 2023 – with a strategy of high-frequency attacks against smaller entities, leveraging a ransomware-as-a-service (RaaS) model to support the volume of attacks.

So how does an attacker decide how much to demand?

2023 was a record-breaking year for ransomware attackers, exceeding $1 billion in extorted cryptocurrency payments from victims. 

Ransomware groups increasingly operate very much like legitimate businesses – and like a legitimate business, they take into account a range of different factors when they’re deciding what they need their ROI-per-attack to be. 

Those factors might include: 

  • Location. Demand sums may be adapted to geographical locations and local economies – with higher demands in countries with robust economies, for example.
  • Industry trends. Just like legitimate industries, there are trends in ransomware attacks – and attackers may choose ransom sums that fit with current trends.
  • The financial capacity of their targets. Ransomware groups focused on high-revenue targets will demand higher sums, while those (like Phobos) with lower-revenue targets will demand smaller sums – but from a larger number of victims.
  • The perceived value of the stolen data. When attackers are able to steal highly critical or sensitive data, they’re more likely to demand a larger ransom sum.
  • The potential impact of the breach, and the urgency of that impact. When an attack causes significant disruption to business operations, threatens to expose highly sensitive data, or could destroy the target’s reputation very quickly, then the attacker might demand a higher ransom – knowing that the victim is more likely to concede.
  • The attacker’s negotiation strategy. Some attackers start high and expect to engage in negotiations. Others set their rate and leave it at that – so they might go in a little lower.
  • Whether or not the victim has cyber insurance. If the attacker believes the victim is insured, they might aim to match their ransom sum with the amount they believe the insurance will cover.
  • The attacker’s profit margins. Because yes – just like a legitimate business, ransomware groups have profit margins. They’ll take into account operational costs to make sure their ransom demands will drive profit. 

The attack group’s goal is to maximise profits 

They want to make money. And they have to balance this with a touch of reality – keeping ransom sums within a range that they have reason to believe a victim can or will pay. 

Ransom sums can vary wildly. But broadly speaking, they’re on an upward trajectory. 

What are the factors you think are affecting ransom sums in 2024? We want your perspective. Open this newsletter on LinkedIn and tell us in the comment section. 

Do you have an idea for a topic you'd like us to cover? We're eager to hear it! Drop us a message and share your thoughts. Our next newsletter is scheduled for 17 July 2024.

Catch you next week,
Steve Durning
Exhibition Director

Join us at Black Hat MEA 2024 to grow your network, expand your knowledge, and build your business.
