Clarity

Companies often pay ransomware attackers multiple times

Almost a third of companies affected by ransomware attacks have paid ransoms four or more times in the past year, according to the Semperis 2024 Ransomware Risk report.

The survey of 900 IT and security executives in France, Germany, the UK and the US found that almost a third (32%) of organizations have opted for multiple payments.

According to the report, German companies were particularly vulnerable, with almost half making four or more payments, compared to 20% in the US.

More than a third of companies that paid ransoms either did not receive decryption keys or received corrupted keys.

According to the study, nearly 85% of US and UK businesses have experienced a ransomware attack in the past 12 months.

Of those surveyed, 75% paid a ransom to regain control of their data, with about 10% paying more than $600,000.

In addition, 87% reported some level of operational disruption as a result of the attacks.

In fact, 80% of attacks compromised IT identity systems such as Microsoft Active Directory or Entra ID, but 61% of organizations admitted they did not have dedicated backup systems for these critical identity platforms.

Almost three-quarters of companies also said they suffered multiple attacks during the same period.

Attackers retain access after payment

Devin Ertel, CISO at Menlo Security, said the decision to pay a ransom is unique to every organization and situation.

“Many factors come into play, making it a global business decision rather than a purely technical one,” he said.

While payment may seem like the fastest path to recovery, it’s critical to remember that attackers could still maintain access even after payment, making a full recovery and incident response process essential.

“Never pay and consider the problem solved,” Ertel said. “Instead, use the incident as an opportunity to look back at the vulnerabilities that were exploited and incorporate them into your overall security strategy.”

Ngoc Bui, cybersecurity expert at Menlo Security, added that while paying ransoms could incentivize threat actors, the reality is that not paying could be more damaging, especially for organizations involved in critical infrastructure.

“The disruption caused by ransomware can be catastrophic, and organizations must prioritize protecting operations and stakeholders,” she said.

She said organizations that suffer a ransomware attack should also use it as a learning opportunity to adjust their security measures and ensure they are using useful information to do so.

Paying often more cost-effective

Carlo Edwards, principal threat intelligence researcher at Ontinue, said in some cases it may be more cost-effective to pay a ransom demand than wait for security teams to assess the problem and take action.

In 2021, CNA Financial paid a record $40 million after its systems had been locked for two weeks.

“However, this is a nearly $14 billion organization,” he explained. “So paying the ransom was cheaper than losing $500 million that they could have lost in that downtime.”

He warned that once the organization has paid the ransom or been breached by a ransomware operator, further attempts are likely to be made in a short period of time.

“The initial breach shows a lack of awareness of security measures,” Edwards said.

Because threat actors are opportunistic, they read this as an indication of how the organization operates and where it lacks security controls, which prompts them to try again.

“Without performing a full after-action review, key vulnerabilities may be missed and credential resets may not occur,” he said.

In addition, it is not uncommon for ransomware operators to leave behind a backdoor for future access, or to broker that access by selling the access method to multiple groups.

“If this method of access is not addressed with haste and vigilance, it is like leaving the back door of the house unlocked,” Edwards said.
