The price of ransomware attacks is skyrocketing and government agencies are paying the most

• Ransomware attacks cost local governments and public colleges the most money, a new study found.
• Lower education and central and federal governments reported an average of $6.6 million in payouts.

Ransomware attacks are getting expensive. And it's local governments and public colleges that are handing over the most cash.

Sophos, a UK-based software security company, released its annual ransomware report this week. It details a steep increase in payouts for ransomware attacks in recent years.

Ransomware attacks typically come from criminals who hack into companies to steal data, which they hold until the victim agrees to pay a fee. The attacks leave the victims unable to access the stolen data, which can cripple the institution until the ransom is paid.

Almost 60% of respondents told Sophos that ransomware attackers had targeted their organization this year. That's a slight decrease from 66% for the same period in 2023. But the companies that do fall victim to ransomware attacks are paying out more money than ever, the study found.

More than 1,000 of the surveyed organizations said they paid the ransom after hackers compromised their data.

IT and telecom companies reported the lowest median ransom payment at $300,000, while lower education and government agencies posted the highest with a median of $6.6 million.

Professional business and financial services were the most likely to successfully reduce ransom demands through negotiation. Higher education institutions, on the other hand, were the most likely to pay more than the original demand.

"It may be that these industries are less able to access professional ransom negotiators to help reduce their costs," the study's authors said. "They may also have a greater need to recover the data 'at any cost' due to their public remit."

Researchers say advancements in AI will likely increase the scale of ransomware attacks. In April, researchers from the Institute for Security and Technology told the House Financial Services subcommittee that they have "tremendous concern" about the role AI could play in future attacks, according to The Hill.

Typically, ransomware groups target large companies with revenue greater than $5 billion, but smaller organizations are starting to become more likely targets, according to the study. In the last year, organizations with less than $10 million in revenue made up about 47% of those hit by ransomware attacks, Sophos found.

"While many ransomware attacks are executed by sophisticated, well-funded gangs, the use of crude, cheap ransomware by lower-skilled threat actors is on the rise," Sophos says.