2023 Data Security Incident Response Report Get the Full Report

Deeper Dive
Into the Data

Share this chapter

$90+ Million

Largest Ransom Demand in 2022 ($60+ million in 2021)

$8+ Million

Largest Ransom Paid in 2022 ($5.5 million in 2021)


Average Ransom Paid in 2022 ($511,957 in 2021)

Ransomware Timeline

Demand to Payment
Demand to Payment for Payments <$1M
Demand to Payment for Payments >$1M
Encryption to Restoration
2020 Average
8 Days
7.4 Days
9.2 Days
13 Days
2021 Average
11.1 Days
13 Days
9.8 Days
12.2 Days
2022 Average
14.2 Days
14 Days
14.9 Days
12.7 Days
2022 Median
11 Days
11 Days
15 Days
8 Days

Ransomware Core Insights

[title here]

of organizations paid a ransom

[title here]

paid even though the organization was able to fully restore from backups

[title here]

of the time an organization was able to partially or fully restore from backup without paying ransom

[title here]

found evidence of data exfiltration when there was a claim of data theft in the ransom note

[title here]

paid even though the organization was able to partially restore from backups

[title here]

involved theft of data resulting in notice to individuals

Forensic Trends

The multi-year trend of improvement on key incident response metrics continued. In network intrusion matters, dwell time dropped from 66 days to 39 days due to enhanced network visibility (EDR, MDR, SIEM) and ransomware groups completing their mission in less than a day (the time from first access to awareness when encryption occurs is short). The reduction in average time to contain (down from four days to three) may be attributed to companies using the “kill switch” (containment by shutting the system off) more often. Greater prevalence of EDR usage pre-incident, as well as forensic firms being “tool agnostic” and using triage collection scripts, enables quicker investigations (36 days to completion, down from 41 days).

The news is not all positive – the average time to recover from a ransomware incident increased in almost every industry. One reason may be that companies suffering ransomware attacks now are less mature than prior victims.



Take Action: Be Resilient.

To be more resilient, companies can:

Segment their networks

Use widely deployed and properly configured security tools

that are monitored 24/7 by internal or external security operations centers and that have the anti-uninstall feature enabled

Ensure that all critical systems are backed up using immutable backups

Identify a list of critical applications and the order of precedence for restoration

Ensure their business continuity plans identify manual workarounds

that companies can use in the event key systems are encrypted

Conduct cross-functional training and testing exercises

that involve activation of all teams in the Business Continuity/Disaster Recovery Plan

Ransomware Is Back in Full Force

After several years of threat actors using an attack method, you expect herd immunity to develop after enough companies enact effective measures. The implementation of P2PE mostly ended card present payment card attacks. We thought MFA might do the same for email account access incidents (not yet). Ransomware began to emerge in 2018 (our average ransom paid was $28,000 then). After five years, widespread immunity is not in sight. Wide deployment of an effective EDR tool that is set to high enforcement mode with active monitoring and the anti-uninstall feature enabled is the primary differentiator between companies that get encrypted and those that do not. Even if you do not stop the data theft/encryption combo from occurring, having available backups to restore from reduces the overall impact.

As the number of vulnerable companies in the herd thins (because they improved on their own, they improved after suffering a ransomware attack, or they improved to get through underwriting for cyber insurance), the remaining may be even more vulnerable. In 2022, we saw increases in average ransom demands, average ransom payments, and average recovery times in most industries. The lull in ransomware that marked the start of the year is over. Ransomware groups have resumed attacks, and organizations must redouble their efforts to defend themselves against increasing attacks.

A Slow Start but a Strong Finish

Ransomware matters slowed in the first half of 2022, with many attributing the slowdown to the war between Russia and Ukraine. Ransomware returned with a vengeance near the end of the year, however, and is only continuing to increase in pace in 2023.

Recovery Times Increase Significantly

The average time to recover from a ransomware incident extended in almost every industry and, in most cases, significantly. Average recovery times in some industries were over a week longer than in 2021. The retail, restaurant and hospitality industry was particularly hard hit, with average recovery times increasing from 7.8 days in 2021 to 14.9 days in 2022 – a 91% increase. However, they weren’t alone: the healthcare; energy and technology; and government industry segments also saw notable increases, at 69%, 54%, and 46%, respectively.

Ransom Demands and Payments Increase

Average ransom demands and payments increased in 2022. The average ransom demand increased in six of the eight industries we tracked.

Average Ransom Payment:


Forensic Investigation Costs Showed More Variation

Three industries — finance and insurance; business and professional services; and retail, restaurant, and hospitality — showed decreases in both the average and median costs as compared to 2021. Two industries — government and energy and technology — saw higher averages but lower medians, reflecting a general decrease in costs for most clients but offset by some significant ransomware matters for certain clients. Two other industries — healthcare and manufacturing — saw increases in both the average and median amounts spent on forensic investigations in 2022. The average forensic investigation costs for the 20 largest network intrusion incidents increased 24% over 2021, growing from $445,926 to $550,987.

Successful Fraudulent Fund Transfers Continue to Decrease

We spent an entire page covering fraudulent transfers in our report last year due to their prevalence. In 2022, every metric we track for fraudulent fund transfers showed a decrease. We saw fewer transfers. The total amount of transfers and average transfer amount were down:

All of these figures are moving in the right direction. A discouraging development, however, is that the percentage of matters in which funds were recovered and the amounts recovered decreased.