Most Ransomware Victims Are Hit Again After Paying

Some 80% of global organizations that have paid a ransom demand experienced another attack, often at the hands of the same threat actors, according to a new study from Cybereason.

The security vendor polled 1,263 cybersecurity professionals in multiple verticals across the US, UK, Spain, Germany, France, the United Arab Emirates, and Singapore to compile its latest report, Ransomware: The True Cost to Business.

It confirmed what law enforcers and commentators have been saying for some time – victim organizations should, if possible, avoid paying their extorters. Some 46% of respondents, rising to 53% in the UK, said they believe the same threat group attacked them the second time.

However, this can be difficult to ascertain definitively given the large number of affiliate groups working with the same malware strains. A Sophos report this week revealed that no two REvil affiliates work in the same way.

Not only does paying a ransom encourage copycat crimes, but there’s no guarantee of a swift return to business-as-usual. Cybereason found that in nearly half (46%) of cases, the victim organization regained access to data following payment, but some or all of it was corrupted.

The report also laid bare the potentially devastating consequences of a successful ransomware attack. Two-thirds (66%) of respondents said they suffered significant revenue loss, over half (53%) said their brand suffered, and a third (32%) lost leadership through dismissal or resignation.

In some cases, an attack can have an existential impact: 29% said they were forced to eliminate jobs following an incident. A quarter (25%) of respondents claimed it led to the organization’s closure.

Big-name organizations from Colonial Pipeline to JBS have recently admitted to paying multimillion-dollar sums to their attackers to mitigate potentially severe customer disruption.

However, Cybereason CEO, Lior Div, was clear about which approach corporate victims should take.

“Paying a ransom demand does not guarantee a successful recovery, does not prevent the attackers from hitting the victim organization again, and in the end only exacerbates the problem by encouraging more attacks,” he argued.

“Getting in front of the threat by adopting a prevention-first strategy for early detection will allow organisations to stop disruptive ransomware before they can hurt the business.”