Average ransomware payment for Canadian organizations jumps to more than $1 million, according to new survey

Palo Alto Networks has announced the results of the second edition of its Canadian Ransomware Barometer study which found that the average ransom paid by Canadian organizations has more than doubled since the first report: $1.130 million in 2023 compared to $458,247 in 2021 — an increase of almost 150%.

Conducted by the Angus Reid Group, the survey of IT decision-makers at companies with 100 to 1,000 employees serves to highlight the state of cybersecurity in Canada and the impact of ransomware threats to Canadian businesses. The study found that, of organizations that paid a ransom in 2023, the percentage of those that paid more than $1 million jumped significantly from 8% in 2021 to 36% in 2023, with the average ransom demanded also increasing a significant 102% to $906,115 in 2023 from an average of $449,868 in 2021.

While the amount demanded and paid has increased dramatically, the percentage of Canadian organizations impacted by a ransomware attack has remained relatively unchanged — 35% in 2023 compared to 37% in 2021. However, more organizations are refusing to pay ransoms, with only 34% of organizations paying the demand, compared to 45% in 2021.

Businesses in the manufacturing sector appear to be targeted significantly more than other sectors, with 47% of respondents saying they have been hit with an attack, followed by the construction and healthcare and pharma sectors.

AI emerges as a potential threat: IT decision-makers are concerned with the potential threat artificial intelligence (AI) poses to their organizations. More than two-thirds of respondents believe the emergence of more AI technologies has increased the threat level to their organizations. The top three perceived threats that AI technologies pose to organizations’ cybersecurity include:

• Automated phishing
• Data privacy risks
• Advanced cyberattacks

In a sign of positive progress, the survey found that organizations are taking a more proactive approach to improving their cybersecurity posture compared to two years ago. Over the past 12 months, 1 in 5 organizations have increased their spending on cybersecurity software significantly for better protection against cyberattacks, while a majority have increased spending somewhat.

In addition to investing in cybersecurity solutions and training, more than two-thirds of IT decision-makers believe the federal government has a responsibility to do more to help businesses protect against the latest threats.