Companies take an average of four months to report a ransomware attack
A new study from Comparitech, based on data collected from 2,600 attacks between 2018 and 2023, shows the average time for a US company to report a data breach following a ransomware attack is 4.1 months.
Over that period the average has grown steadily, rising from 2.1 months in 2018 to just over five months in 2023. Among the broad sectors, healthcare has the shortest average reporting time at 3.7 months, while businesses (4.2 months) and government entities (4.1 months) are similar.
The longest known reporting period (38 months) came from a healthcare company that only began notifying patients of a July 2020 ransomware attack more than three years later. It initially believed the breach was limited to a single patient, but further investigation showed this was not the case.
Interestingly, law firms have the worst average of any group, taking 6.4 months to report a data breach stemming from a ransomware attack. The education sector is not far behind at 6.3 months.
Rebecca Moody, head of data research at Comparitech, notes, "Five months is a long time for people to be unaware their data has potentially been impacted in a ransomware attack. Not only that, but hackers often post victims to their data leak sites within a month of the attack taking place if ransom negotiations fail. Therefore, stolen data may have been on the dark web for four months or more before those whose data is compromised are any the wiser."
Ransomware strains Pysa and LockBit have the highest average reporting periods (6.8 months and 5.7 months, respectively), while among the lowest were Lynx (2.6 months), RansomHub (3.2 months), and Qilin (3.3 months).
Some states mandate a specific timeframe for reporting a data breach, and companies in those states report slightly faster on average than those in states without such a mandate (3.9 months compared to 4.2 months).
You can read more on the Comparitech site.
Image credit: AndreyPopov/depositphotos.com