Organizations that give in to ransomware demands were frequently victims of subsequent attacks -- often by the same threat actors demanding higher payments, a recent report found.
Despite facing potentially massive recovery costs, ransomware victims are advised not to give in to hacker demands so as not to encourage criminal activity.
But there’s an even better reason not to pay: An overwhelming majority of organizations that pay ransoms get hit with another attack, often by the same threat actors, according to a recent report from cybersecurity firm Cybereason.
Of the 1,456 global cybersecurity professionals surveyed in April, 73% conceded that their organizations were targeted by at least one ransomware attack over the past 24 months – up from 55% in last year’s survey.
Of the victims that paid the ransom, 80% admitted being hit a second time, 68% within a month – and with a higher ransom demand. Those that pay to decrypt data are seen as vulnerable targets, Cybereason suggested, adding that 9% paid a third time.
“Adding insult to injury … nearly 6-out-of-10 organizations were unable to recover all of their systems and data even after paying the ransom,” the report said.
In addition, the decryption tools victims receive from attackers are “often buggy or slow, forcing companies to restore from their own backups even after they have paid the ransom,” the report said. Moreover, paying a ransom does not guarantee a faster recovery from the attack.
Only 42% said payment led to full restoration of all systems and data, a 9% decrease from the 2021 study. More than half detailed persistent system issues or corrupted data after decryption, an 8% increase from the previous year. By contrast, 78% of organizations that chose not to pay the ransom said they fully restored systems and data without a decryption key.
Dealing with recovery costs in the aftermath of an attack can vastly outweigh hacker demands, as seen in the attacks on Atlanta, Baltimore, Denver and New Orleans. Many organizations feel compelled to pay, fearing damage to their reputations, the implications of system downtime and disruptions to citizen services. These are mostly short-term impacts, the report said, but in the long term an attack can result in employee layoffs and the loss of key executives and strategic partners.
To mitigate the damage, many respondents turned to cyber insurance, with 93% saying they had some type of policy in place. Among the respondents with insurance, ransomware coverage also shot up from 54% last year to 83% in 2022.
Ransomware attacks have also grown more sophisticated and complex. "It is becoming increasingly common for ransomware attacks to involve complex attack sequences in low-and-slow campaigns designed to infiltrate as much of the targeted network as possible versus infecting a single machine with the ransomware payload," the report read.
To bolster preparedness, the recommendations remain the same. Cybereason advised following cybersecurity best practices, conducting periodic tabletop exercises that target specific incident response scenarios, deploying endpoint detection and response (EDR) and extended detection and response (XDR), and locking down critical accounts during holidays and weekends.
There is a silver lining, however. Many organizations reported that malware had been in their systems for up to six months before it was detected, which means “there are potentially weeks or even months of detectable activity that could allow organizations to disrupt an attack before it results in serious impact, provided they have the right tools in place,” the report said.