Skip to main content
Cyber News - All

How criminals calculate the Ransomware demand, What Data Tell us

By May 2, 2022February 16th, 2024No Comments

Veterinary practices have experienced a surge in ransomware attacks in the past few years, resulting in millions of dollars in losses. However, despite the increased attacks and the losses, practice owners are still oblivious to how ransomware groups operate, the ransomware economy and the long-term impact these ransomware attacks have on their veterinary practices.

 A recent research done and released by Check Point Research (CPR) in collaboration with Kovrr is offering insights on what to expect before, during and after a ransomware attack. The research, which focused on ransomware attacks across all industries, has data that can be very relevant to what veterinary practices should expect during a ransomware attack.

The research focused on both the victims and cybercriminals and explores what happens behind the curtains of the ransomware attacks.

Growth in Ransomware attacks

Globally and across all industries, ransomware attacks have grown by 24 percent. The number of weekly impacted organizations has also grown from one in 66 to one in 53 for the same year-over-year period of 2021 and 2022.

However, even with the exponential growth of ransomware attacks, few people understand the hidden cost of these attacks beyond the initial extortion payment. These costs include legal fees, costs of restoring services, expert consultation fees and resources used to respond to these cyberattacks.

There has also been a growth in the amount of money extorted by these cybercriminals. The research points to the perfection of the processes involved in defining extortion demands. The cybercriminals have also developed sophisticated techniques for negotiations with victims, in order to convince them to pay the maximum level of ransom payments they are asked for. To achieve this, cybercriminals have become more strategic. They are able to:

–       make an accurate estimation of the victim’s financial position,

–       determine the quality of data they have stolen,

–        analyze the reputational damage they can cause if they leak the data,

–        find out whether the company has cyber-insurance

–       Tailor their negotiations based on their victims.

Ransomware duration

According to research, an average ransomware attack lasted for 9.9 days in 2021. This was an improvement from 2020 when an average attack took 15 days before services were restored. The data also showed that from 2017 to 2020, the number of days taken by each ransomware attack rose significantly. In 2017, it took an average of 5.7 days, in 2018, the number of days had increased to 8.6, with 2019 data showing that it took 11.4 days on average to get services back.

Therefore, as a veterinary practice, you should expect to have your services disrupted for five to 15 days in case of a ransomware attack. The process of service restoration also depended on the ransomware group involved. For instance, the research data showed that, for victims who paid the ransom, the ratio of the average extortion demand to the average extortion payment was different for different years. In 2019, the ratio was 0.889. It dropped to 0.273 in 2020 and 0.486 in 2021. The ratio is a good insight into how much a veterinary practice should expect to pay in case they are attacked and decide paying the ransom is the best path for them.

How Cybercriminals calculate ransom

One of the most lingering questions for victims of ransomware attacks is why they were attacked and how the ransom figure is reached. Luckily, the research was able to do a breakdown of how groups such as Conti calculated the amount they would charge their victims. They used leaked internal communication showing negotiations and the inner workings of these cybercriminal groups, including discussions about what to charge their victims.

One important detail that most cybercriminals take into account is a realistic asking price. This increases their chance of getting paid by their victims. To calculate how much they are going to ask, the research found that some of these ransomware groups had a dedicated team that researched their victim’s financial position, revenues and profits before making the final decision on what to charge. The research found that the amount charged also varied from one industry to another. Although the research did not focus on veterinary practices in this category, they found that real estate companies were charged 1.99 per cent of their revenue. Retail ransom was 0.88 per cent, while law firms were charged between 4.4 to 5 per cent.

Therefore, according to the research, there is a high likelihood that, if your veterinary practice is attacked, cybercriminals already have an accurate estimate of your financial position. Therefore, you should expect your ransom to be between one per cent to five per cent of your revenue. Having such data can help you navigate through the extortion and negotiation phase during and after a ransomware attack. The data can also help you protect yourself from unrealistic extortion and also help you get your data fast.

Negotiation process

One of the most unsurprising, yet revealing facts that the researchers found is that cybercriminals also expect prolonged negotiations. They understand that their asking price for the ransom may not always be the right price range and they are willing to drag the process until they achieve what they are looking for. According to the research, below are the five most common steps that cybercriminals used during their negotiations:

1. The threat: The first phase of the attack is going through the victims’ stolen data and finding out the most sensitive files. These files are then used to threaten their victim that if they do not pay, there is a high likelihood of the data being leaked.

2. Discounts for fast payments: Victims who cooperate and agree to pay the ransom as soon as possible are promised great discounts. This is done to motivate them into giving in to cybercriminals’ demands.

3. Negotiations: if the terms of payments are not clear, the victims are given an opportunity to negotiate with cybercriminals in order to reach a compromise. It is at this stage that cybercriminals expect the victims to ask for more discounts.

4. Threats: The fourth stage is filled with threats during the negotiation process. At this stage, cybercriminals make their frustration with their victims clear. They also threaten to leak sensitive data and make the ransomware attack public if their demands are not met.

5. Agreement or data dump: The last stage involves either reaching an agreement with the cybercriminals, and a decryptor is sent or your data is dumped on the internet after failing to pay their ransom demands.


The research is very insightful for veterinary practices, and what they should be expecting before, during and after ransomware attacks. The data presented above can also be used to gauge how long a ransomware attack is expected to last if your practice is attacked. Using the data below, you can also be able to stall your cyberattackers during the negotiation process while looking for alternative methods to solve the ransomware attack. This can allow you to come up with solutions that avoid paying and fueling ransomware groups that have had a negative impact on the veterinary industry.

Need Help Protecting your veterinary hospital from a Ransomware Attack?

Download our FREE eBook “5 Simple Steps to Protect Your Practice” so you can take the steps to start mitigating cyber attacks against your hospital

Submit questions for our upcoming webinar aiming to demystify the complex world of veterinary technology!

Learn More