Paying the Price: Ransomware Costs Explode for UK Critical Infrastructure
Ransomware attacks on the United Kingdom’s critical national infrastructure (CNI) have led to an unprecedented surge in associated costs. According to recent data from Sophos, the median ransom paid to cybercriminals in the past year reached a record $2.54 million. This figure is 41 times higher than the previous year’s median of $62,500.
The study involved 275 CNI organizations, of which 86 disclosed financial details of the incidents. The average ransom payments in 2024 rose to $3.225 million, a sixfold increase from the previous year.
Sectors differ markedly in how they respond to extortion demands. Companies in the IT, technology, and telecommunications sectors were the least likely to yield, paying an average of $330,000. In contrast, primary education institutions and federal government organizations bore the highest costs, with average payments of $6.6 million.
Recovery costs after an attack have also risen sharply. In certain CNI sectors they have quadrupled, averaging $3 million per incident.
The energy and water supply sectors have suffered the most: their recovery costs were four times the global average of $750,000. They were also among the most frequently hit, with 67% of organizations in these sectors affected by cyberattacks, well above the 59% average across other sectors.
The prolonged recovery process in the energy and water sectors compounds the problem. Only one in five organizations resumed normal operations within a week, compared to 41% the previous year and 50% two years earlier. The proportion of victims needing more than a month to recover rose to 55% from 36% the previous year.
Sophos experts believe that recovery times may lengthen due to the growing complexity of attacks, necessitating more meticulous work by IT specialists. However, Chester Wisniewski, the global technical director of the company, urges a reevaluation of the policy on engaging with extortionists. He emphasizes that capitulating to cybercriminals not only contradicts the long-term interests of organizations but also incites further incidents.
Discussions on a legislative ban on ransom payments have been ongoing for some time. However, Jen Easterly, Director of the Cybersecurity and Infrastructure Security Agency (CISA), considers a complete ban impractical. Instead, she advocates attention to the CIRCIA initiative, a program akin to a bill being developed by UK Prime Minister Keir Starmer. His Cybersecurity and Resilience Act will mandate that operators of critical national infrastructure report every ransomware attack incident.