Threat Intelligence

The State of Ransomware 2020: Key findings from Sophos & Malwarebytes

Dan Virgillito
October 8, 2020 by
Dan Virgillito


Ransomware has become one of the most common and well-known threats to cybersecurity. 2020 saw a notable increase in ransomware attacks specifically on enterprise entities, as many organizations found themselves in the crosshairs of malicious actors. These attacks are becoming increasingly complex, as cybercriminals leverage new and sophisticated techniques to exploit computers and systems. The questions now are how successful the file-locking malware is in achieving its goals and how paying the ransom impacts the overall remediation cost. 

This article will detail some key findings from Sophos’ “The State of Ransomware 2020” and Malwarebytes’ 2020 “State of Malware” reports, which offer brand-new insight into recent ransomware attacks and uncover the impact of fulfilling threat actors’ demands on overall recovery costs. But before we look at the findings, let’s quickly explore the definition of a ransomware attack to ensure you’re aware of the different attack vectors. 

Hands-on threat intel training

Hands-on threat intel training

Learn how to collect, analyze and act on cyber threat intelligence with expert instruction and hands-on exercises in Infosec Skills.

What is a ransomware attack?

Ransomware is a type of malware that seizes control of your computer by encrypting its files in a way that you’re unable to access them normally. It typically spreads through malicious emails that ask you to download an attachment. When you do, the download launches a program that infects your system. Besides ransomware email, you can also get infected via malicious ads on compromised websites and drive-by downloads that exploit endpoints to infect entire networks. Advanced infection via remote desktop services is also possible. 

After infecting a system, the ransomware locks every data file it can find, using strong encryption. It then displays a note demanding a ransom (typically payable in cryptocurrency) to decrypt the files and restore access to the affected system. Security experts, however, warn that paying the ransom does not guarantee that you will get the unlock tool or decryption key needed to regain access to your system. Some ransomware keeps files encrypted after the initial payment, demanding even more money and threatening to delete the data. That is why making regular data backups and investing in ransomware protection are becoming crucial.

Now that you know how ransomware attacks work, let’s look at how they’ve been affecting organizations and what has been the overall response to the threat. 

Ransomware: 4 key findings from Malwarebytes and Sophos

1. Increase in new ransomware activity against organizations

Malwarebytes analyzed the year-over-year change in business cyberthreat categories from 2018 to 2019. Even though ransomware was overshadowed by other threat categories in volume, Windows detections in 2019 were both observable and concerning.

Many of the high-profile cyberattacks of last year consisted of ransomware, with advanced families like Ryuk and Sodinokibi wreaking havoc on enterprise systems. In fact, detections of Ryuk and Sodinokibi increased by 543 percent and 820 percent respectively over Q4 2018. 

Based on the trend, we expect these ransomware families to remain hot-button threats in 2020 and beyond. Ryuk has already managed to infect and bring down branches of the steel manufacturer EVRAZ, while Sodinokibi hijacked data files of two large food distributors. 

2. Ransomware prevalent in EMEA and APAC regions

The 2020 State of Malware Report also explored malware types in the four global regions: NORAM (North America), EMEA (Europe, the Middle East and Africa), APAC (Asia Pacific) and LATAM (Latin America), ransomware was most prevalent in EMEA and APAC. European victims of the malicious software included the Norwegian aluminum and renewable energy giant Norsk Hydro ASA, Belgian metal producer Nyrstar and the universities of Maastricht and Freiburg. In APAC, WannaCry ransomware continued to affect businesses. More broadly, ransomware injected via remote desktop applications was most prevalent in the region. 

The report stated that the ASEAN region could suffer a $19 billion loss in a hypothetical global ransomware campaign because of loss in productivity, ransom payments and costs related to incident response.

3. Most ransomware victims got their data back via backups

According to Sophos’ commissioned survey of 5,000 IT managers, more than twice as many firms whose data was encrypted by ransomware restored it through backups. Almost 56% of the 94% organizations affected used this measure for remediating the ransomware attack. Of the remaining firms, 26% got their data back by paying the ransom while 12% stated that they regained access to their data through other means. 

It’s also worth mentioning that besides the 26% of organizations who made the payment and got their data back, a further 1% of firms whose data was encrypted paid the ransom but didn’t regain access to their data. Overall, 473 of the 496 organizations that settled the ransom had their data restored.

4. Paying the ransom doubled the cost

Sophos also found that paying the ransom resulted in twice the remediation costs, compared to not paying at all or restoring data from backups. Not only do you gain peace of mind from not transferring money to cybercriminals, but the best part is that you save money in the long run. 

But why does the cleanup cost more if you’ve already fulfilled a threat actor’s demand? Because even after paying the ransom, an organization still has to do a lot of work to get back their data. In fact, the costs of data restoration and bringing things back to the normal state are likely to be the same whether data is restored by criminals or via your own backups. Now that is something worth thinking about.


The four findings indicate that ransomware is a very real threat in 2020 and is expected to remain so in the foreseeable future. As such, it is important to invest in ransomware removal and detection technology to prevent unauthorized file encryption. Making regular backups and storing data offline and offsite also helps as restoring data from backups costs considerably less than paying the ransom. 

Finally, organizations should consider implementing a layered defense consisting of secure email gateway technologies, employee training, network patching, system updates and application whitelisting to defend against all vectors of ransomware attacks.



What Is Ransomware?, CompTIA

2020 State of Malware Report, Malwarebytes

The State of Ransomware 2020, Sophos

Dan Virgillito
Dan Virgillito

Dan Virgillito is a blogger and content strategist with experience in cyber security, social media and tech news.