Ransomware attacks are an expensive proposition for any company. For example, a report this week by cybersecurity firm Sophos found that while the percentage of companies that were victims of ransomware this year has dropped slightly, the recovery costs – which don’t include a ransom payment – have jumped to $2.73 million, a 50% increase over last year.
On top of that, another cost is becoming more common for these companies: lawsuits filed in the wake of a ransomware attack.
According to a report released this week by tech research firm Comparitech, almost 20% of ransomware attacks led to a lawsuit in 2023, marking a steady climb over the past five-plus years. Many of those suits were filed after a data breach stemming from the ransomware attack.
That trend will likely continue, according to Rebecca Moody, head of data research at the firm.
“Over the past couple of years, lawsuits filed following ransomware attacks have increased, with the overall average over the last five years standing at 12 percent,” Moody wrote. “Data for 2024 is limited due to the time it takes for the breach notifications to be issued following ransomware attacks and to file a lawsuit. The data we’ve collated from the last few years suggests lawsuits are going to become even more common following such attacks.”
The firm tracked just more than 3,000 confirmed ransomware attacks – those validated by cyberattack and breach notifications – between 2018 and March and found that 335, or about 12% of them, resulted in lawsuits. Of those, 228 have been completed, and 59% of those were successful, meaning they resulted in a breach settlement, a fine against the company for failing to safeguard systems or data, or a settlement reached out of court or via mediation.
Another 25% of them were voluntarily dismissed by the plaintiffs, which could mean that out-of-court settlements were reached in these cases as well, Moody wrote.
However they were settled, the agreements reached were costly. Comparitech found that since 2018, more than $245 million in settlements have been paid out across 112 cases, with the average amount being almost $2.2 million. The average settlement last year was $2.1 million.
The number of lawsuits increased from year to year, with 2022 being the exception. In a report earlier this year, blockchain analysis company Chainalysis called 2022 “an anomaly, not a trend.” A number of factors played into the decrease in ransomware attacks that year, from Russia’s illegal invasion of Ukraine, which led some cybercriminals to shift their focus from financially motivated attacks to espionage, destruction, and other politically driven efforts, to a growing reluctance by some organizations at the time to pay a ransom for fear of sanctions risks.
At the same time, the FBI’s infiltration of the prolific Hive ransomware group that year played a substantial role, Chainalysis wrote.
However, despite the drop in the number of ransomware attacks in 2022, the percentage of those incidents that resulted in lawsuits still rose from 13% the year before to 18%, according to Comparitech. The percentage in 2023 also came in at 18%.
“With many data breach notifications still being issued for 2023 attacks, this figure could likely increase,” Moody wrote.
Comparitech also tracked an evolution in how the cases are being settled, with the number that are being settled out of court or dismissed by the plaintiff growing. In 2020, two out of 39 completed lawsuits – or about 5% – were dismissed voluntarily, while three years later, that jumped to 77%, or 24 of 31 cases.
“With the rise in the number of lawsuits filed, settling out of court either through mediation or reaching an agreement directly with the plaintiff(s), will help speed things up and could reduce costs for the defendant,” she wrote.
In the years studied, the highest average settlement was in 2020, when it hit more than $4.1 million. Since then, it’s hovered around $2 million, with 2023 coming in at almost $2.1 million.
The health care industry saw the highest percentage of lawsuits filed after a ransomware attack, with 21% – 111 out of 521 attacks since 2018 – resulting in cases, and a 43% success rate, which jumps to 87% if voluntary dismissals are included. Settlements in the health care space totaled more than $74.6 million, second only to the somewhat amorphous business category, which saw more than $167.7 million paid out in settlements.
The number of lawsuits also seems to follow the number of records that were breached, according to Comparitech. The largest number of records breached – 51 million – was in health care, while the financial sector had 41 million. Both industries saw the most lawsuits filed, Moody wrote.
“The technology industry has seen the most records impacted but the majority of these stem from the huge attacks on MOVEit, Blackbaud, Accellion, Fortra, LLC (GoAnywhere), and OneTouchPoint (OTP),” she wrote. “All of these attacks led to multiple companies being affected and highlight the growing number of ransomware attacks that exploit unpatched software vulnerabilities.”
In the 355 ransomware incidents where lawsuits were filed, a total of 283.3 million records were involved. Of the 50 ransomware attacks that involved the most records, 48 were followed by lawsuits. The two outliers were an attack on the University Medical Center of Southern Nevada in 2021 and the December 2023 attack on apparel and footwear brand owner VF Corporation.
However, VF may not remain an anomaly, Moody wrote, adding that the incident “is under investigation by several law firms, however, and due to the large volume of data involved (35.5 million), it’s highly likely we’ll see a number of lawsuits being filed in this case.”