Energy companies paid over $3 million on average for ransomware attacks in 2023, survey shows
These attacks exploited a vulnerability nearly half the time. Credentials were compromised in 31% of the attacks, and malicious email was used in 24% of cases.
The average payment made by 86 energy, oil, gas and utility companies to regain access to data blocked by a ransomware attack last year was $3.2 million, according to a new survey by the cybersecurity firm Sophos.
The survey also finds that 67% of the energy, oil and gas, and utility companies that responded were victims of a ransomware attack last year.
This was the same rate as the previous year, and down from 2021, when 75% of companies surveyed were hit.
On average, 62% of computers in the companies were impacted by the attacks, which was above the cross-sector average of 49%, according to the survey.
This rivaled the healthcare sector, which reported 58% of computers impacted by ransomware attacks. Nearly two-thirds of energy and utility companies attacked said they had 91% or more of their computers targeted.
These attacks exploited a data-security vulnerability nearly half the time. Credentials were compromised in 31% of the attacks, and malicious email was used in 24% of cases.
Almost all the companies that had their data encrypted by the attackers were able to get their data back. Of those, 61% paid the attackers, up from 50% in 2022. In 2023, 51% used backups to restore the data, which was down from 70% the previous year.