Cyberattacks are a constant threat to organizations of all sizes. To better understand the current attack environment and track how ransomware trends have changed over time, Sophos commissioned an independent, vendor-agnostic survey of 5,600 IT professionals in mid-sized organizations across 31 countries. The survey was conducted in January and early February 2022. The results highlight the increasing threat that ransomware poses, and the growing role cyber insurance is playing in driving organizations to improve their cyber defenses.

Cyberattacks are up from last year

Ransomware attacks have increased significantly over the past year: 66% of organizations surveyed were hit by an attack in 2021, up 78% from the previous year. This is due in part to the ease with which bad actors are able to deploy attacks; the Ransomware-as-a-Service model has reduced the skill level needed to mount one.

Not only are attacks more prevalent, but the attacks themselves are becoming more successful and more complex. In 2021, 65% of attacks resulted in data being encrypted, up from 54% in 2020. Fifty-nine percent of organizations that experienced cyberattacks saw the complexity of the attacks increase, while 57% saw an increase in the overall volume of cyberattacks.

Prevalence of attacks

Data recovery rates are improving

Data recovery after the attack

Despite the increase in attacks within the past year, there is some good news. Almost every organization surveyed (99%) was able to get some encrypted data back, up from 96% in 2020. The top method used to restore data was backups, used by 73% of organizations whose data was encrypted in an attack. In addition to backups, a large portion (46%) paid a ransom to have their data restored.

Unfortunately, while paying a ransom typically allows organizations to get some data back, it is less effective at restoring data than in years past. On average, organizations that paid a ransom got back only 61% of their data, down from 65% the previous year, and only 4% of those that paid the ransom got all of their data back in 2021, down from 8% in 2020. This highlights the importance of employing multiple methods to restore data; using backups in particular can improve the speed of recovery and increase the amount of data that can be recovered.

Ransom payments have increased
Ransom payouts

Not only are ransoms less effective at restoring data than in previous years, but the size of the payments themselves has increased considerably. Between 2020 and 2021 there was a threefold increase in the proportion of victims paying ransoms totaling US$1 million or more. The percentage paying the lowest ransom amounts decreased over that same time, from one in three (34%) to one in five (21%).

Ransom payouts by industry

The average ransom payout increased 4.8X from 2020, rising from an average of US$170K to US$812,360 in 2021. However, the average ransom amount varies greatly across industries: manufacturing and utilities came in at the top of this survey with averages of US$2.04M and US$2.03M, respectively, while healthcare and local/state government had the lowest average ransom payments at US$197K and US$214K, respectively.

Ransomware greatly impacts companies, both economically and operationally
The business impact of ransomware

Even when some or all data can be restored after a cyberattack, the cost of lost productivity or of being unable to operate at all can be substantial. Of those hit by ransomware last year, 90% said their most significant attack impacted their ability to operate, while 86% said it caused them to lose business and/or revenue. The average cost to remediate an attack in 2021 was US$1.4M, which, thankfully, was down from US$1.85M in 2020. This was due in part to cyber insurance providers being better able to guide victims through an effective response more rapidly.

Although total recovery time has improved over the years, it still took organizations one month on average to fully recover from their most significant attack. Those in higher education and central/federal government had the slowest average response times, at around 2-5 months, while manufacturing and financial services were the quickest, with the majority able to recover in one month or less.

Despite the huge economic costs of ransomware attacks, many organizations are putting their faith in defenses that don't actually prevent ransomware but only mitigate its effects more quickly. Seventy-two percent of organizations in the survey that weren't hit by ransomware in the past year and didn't expect to be hit in the future cited backups and cyber insurance as reasons why they don't anticipate an attack. Neither of these actually prevents an attack in the first place.

Simply having security resources in place does not necessarily mean that they are effective. Of those surveyed who were hit by ransomware in the last year, 64% said they had more cybersecurity budget than they need, and 24% said they had the right amount of budget. Many of these organizations also said they had more headcount or the right amount of headcount (65% and 23%, respectively). This reveals that despite having ample resources, both personnel and technology, organizations will not achieve a high return on investment without a combination of the right technology and the expertise to use that technology effectively.

Cyber insurance drives changes to cyber defenses
Cyber insurance take-up

Thankfully, organizations do not have to shoulder the burden of ransomware costs entirely on their own. The survey found that four in five mid-sized organizations had insurance against ransomware attacks. However, 34% said there were exclusions/exceptions in their policies. Organizations that had previously been hit by ransomware were much more likely to have cyber insurance coverage against it. Many respondents also indicated that securing coverage has changed in the past year, or has become more difficult:

  • 54% said the level of cybersecurity they need to qualify is now higher
  • 47% said policies are now more complex
  • 40% said fewer companies offer cyber insurance
  • 37% said the process takes longer
  • 34% said it is more expensive

As a result, 97% of organizations that have cyber insurance have made changes to their cyber defenses to improve their cyber insurance position: 64% have implemented new technologies/services, 56% have increased staff training/education activities, and 52% have changed processes/behaviors.

The survey has revealed that ransomware continues to be an imminent threat for organizations of all sizes across industries. For many, choosing an experienced partner with expertise in cybersecurity not only improves their chances of being approved for the right amount of cyber insurance coverage, but can also ensure a higher return on investment and an improved ability to prevent and mitigate attacks in the future.