More organisations hit by ransomware are paying up to get their data back, a recent study shows.

The amount paid has also gone up, according to cyber-security company Sophos’ survey of 5,600 technology professionals across 31 territories.

Nearly half of the companies that had their systems locked by ransomware paid the ransom demanded by hackers last year, according to the survey conducted in January this year.

By comparison, only one-third paid up in 2020, according to a similar survey Sophos conducted with 5,400 technology professionals a year earlier.

The average ransom paid was about US$812,000 (S$1.14 million) last year, nearly five times what was paid in 2020.

“If this trend continues, it will only lead to more organisations being targeted. The companies paying should remember that the criminals may come back for more,” said Mr Chester Wisniewski, principal research scientist at Sophos.

Similarly, nearly half of ransomware victims in Singapore paid a ransom last year, according to the responses of the 150 technology professionals in Singapore who were polled.

The average amount paid by Singapore companies was US$1.16 million, significantly higher than the global average of US$812,000. This made Singapore the sixth-highest ransom payer last year, after Japan, the Netherlands, the Philippines, Israel and India.

In its sixth annual Singapore Cyber Landscape report released yesterday, the Cyber Security Agency of Singapore said 137 companies here fell prey to ransomware attacks last year, up from 89 in 2020.

Mr Lim Yihao, cyber-security company Mandiant’s intelligence strategy lead for Asia-Pacific and Japan, suggested that hackers might be aware that Singapore is a wealthy nation and companies here tend to have the ability to pay higher ransoms.

“There could be other paying firms that chose to remain silent, so the actual figure could be even higher than the reported amount,” he said.

Cyber-security company LogRhythm’s vice-president for international markets Joanne Wong said some or all of the costs incurred in a ransomware attack – including ransom payments – may be covered by insurance.

“But insurers have also been raising their premiums and reducing their coverage amid an exponential increase in cyber attacks globally,” she said.

A recent high-profile global case involved American fuel transporter Colonial Pipeline, which saw its fuel supply to about 50 million customers affected when it was attacked in May last year. It paid US$4.4 million to the hackers to have its data recovered. It is not known if the company recovered all its data.

Another victim was CNA Financial, one of the largest insurance companies in the United States, which reportedly paid US$40 million in March last year to regain control of its network. Again, it is not known if the company recovered all its data.

Brazilian food giant JBS USA also paid US$11 million in ransom to regain access to business data after its operations were disrupted across North America and Australia in June last year.

Companies in the media, leisure and entertainment sectors were the most popular targets, said Sophos.

On average, organisations spent about US$1.4 million to recover from a ransomware attack last year, a slight drop from the US$1.85 million in 2020.

The recovery costs include ransom payments, said Sophos.

In Singapore, organisations spent US$1.91 million on average, including ransom paid, to recover from a ransomware attack last year. This is down from US$3.46 million the year before.

About nine in 10 organisations in Singapore polled this year had cyber insurance against ransomware attacks, similar to the global average.

More than a third of victims here had their ransom paid by their insurance provider last year, compared with about half globally.

Typically, victims could recover only about 60 per cent of the data lost to ransomware attacks even after the ransom was paid, said Sophos.