Even Though Experts Say It’s a Bad Idea, Two-Fifths of Ransomware Victims Pay Up

February 11, 2022

Do you know what choices your company would make when faced with a successful ransomware attack? Unfortunately, far too many companies these days are finding themselves in the uncomfortable position of figuring out how to dig themselves out of a ransomware nightmare. That number is growing at an alarming rate. The US has incurred a 127% year-to-date increase in the number of ransomware attacks while the UK has seen a 233% surge in ransomware infections. Businesses that fall prey to ransomware attacks are faced with some tough decisions including whether or not they intend to pay the cybercriminals their demanded ransom, and what impact that choice has on their company’s potential recovery.  


Experts Caution: Don’t Do It! 

In a joint advisory just released by the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), the National Security Agency (NSA), the United Kingdom’s National Cyber Security Centre (NCSC-UK) and the Australian Cyber Security Centre (ACSC), those agencies make their position on the wisdom of paying a ransom crystal clear: “Cybersecurity authorities in the United States, Australia, and the United Kingdom assess that if the ransomware criminal business model continues to yield financial returns for ransomware actors, ransomware incidents will become more frequent. Every time a ransom is paid, it confirms the viability and financial attractiveness of the ransomware criminal business model.”

Paying a ransom may also be against the law in the US. September 2021 guidance from the US Treasury’s Office of Foreign Assets Control (OFAC) warns that companies face potential legal action when making or facilitating ransomware payments, because the payment may violate various sanctions, including sanctions against individuals and nations that are relevant to national security interests. The advisory also reminds those who facilitate ransom payments that they, too, may face legal trouble in the form of civil penalties.

Putting aside legal complications, how well does paying the gang work out practically for businesses? Just like any other extortion racket, the results of paying the ransom are wildly variable, and none of them are good. An estimated 66% of organizations that pay the ransom are able to recover their data at least in part. Another 34% of companies that pay the ransom never see their data again. Even if you opt to pay off the bad guys, there’s no guarantee that your data won’t be copied, or that they won’t leave a going away present of a backdoor into your systems that allows them to return at their leisure. You won’t recover the cash from insurance either. In the past insurers may have covered ransom payments but many insurers like AXA are saying no these days.    


Companies Aren’t Listening 

However, all of these stern warnings from officialdom aren’t giving companies that are faced with the reality of enduring a ransomware attack much pause. Even though paying extortionists of any type is historically a bad idea, a surprisingly large number of companies in every sector are choosing to pay the bad guys in the hope of blunting the impact of their successful cyberattack. In a new report from Anomali, researchers determined that an estimated two-fifths or 39% of ransomware victims choose to pay the cybercriminals responsible for the attack – and no one got off cheaply. 

The Harris Poll interviewed 800 security decision-makers around the world as part of that study to measure the impact of ransomware on their organizations, and it gathered some pretty interesting data that sheds light on the threat landscape that businesses are facing right now. A whopping 87% of respondents said their organization had been the victim of a successful cyberattack that left them holding the bag for damage, business disruption or a data breach in the last two years. Over half (52%) of those unfortunate organizations were ransomware victims, with 39% paying up. Of these, 58% gave their attackers between $100,000 and $1 million, while 7% handed over more than $1 million.


A Data Breach Caused by Ransomware is Punishingly Expensive

The price of a ransomware-related data breach is trending upward with no ceiling in sight. In this year’s IBM Cost of a Data Breach Report, researchers determined that the average cost of a data breach in 2021 is estimated at $4.2 million per incident, the highest ever recorded in the 17 years of study. If that data breach involves ransomware, it’s even more expensive. Researchers determined that a ransomware-related data breach kicked the cost up to an average of $4.62 million, and that’s without even considering the ransom demand.    

How much were cybercriminals asking for? Ransom amounts vary, but a few consistent patterns give us a glimpse at what a victim organization may be facing. Only 35% of the impacted organizations in this study reported that their ransom demand was less than $2 million. Instead, the majority (46%) said that cybercriminals demanded ransoms of $2–10 million from their organizations, and 19% reported a ransom demand of $10 million to more than $50 million. That squares with a report in Tripwire detailing the average ransoms paid by organizations. Researchers concluded that average paid ransom amounts have increased by 82%. The average demand is now a record $570,000 (£414,000), compared with just $170,000 (£123,000) in 2020.


Businesses Are Paying for a Lack of Preparedness     

A lack of preparedness to defend against a ransomware attack is a security risk that can lead to disaster. Unitrends MSP surveyed MSPs about their clients’ readiness for ransomware and the results of that survey showed that the organizations that they serve have a long way to go before they can stand up to an attack. The majority of surveyed MSPs reported that their clients are only somewhat prepared or not prepared at all to face a ransomware attack. 

Levels of Client Preparedness for a Ransomware Attack  

  • Somewhat Prepared 50%   
  • Mostly Prepared 37%   
  • Extremely Prepared 7%   
  • Not Prepared 7%  

That’s a sure path to an expensive, painful incident response cycle followed by a recovery nightmare. In the Unitrends MSP report, researchers also took a look at what organizations faced in the aftermath of a ransomware attack. They determined that for companies that have faced ransomware head-on, data loss (22.34%) and downtime (22.13%) were the most common consequences, followed by reputation damage (15.24%), lost profits (13.57%) and compliance failures (9.39%). Outcomes like these keep the expense of a ransomware incident snowballing, creating major danger for the long-term viability of the victimized businesses.  

Consequences of a Ransomware Attack for Clients  

  • Downtime 22%   
  • Lost Data 22%   
  • Lost Profits 14%   
  • Data Recovered (Paid Ransom) 5%   
  • Data Lost (Paid Ransom) 6%   
  • Reputation Damage 15%   
  • Compliance Failure 9%   
  • Other 2%   
  • Clients Not Affected 5%   


Automated Email Security Protects Businesses from Ransomware 

One of the best ways to protect a company from ransomware is to protect it from phishing. An estimated 94% of ransomware arrives at businesses via email. These messages often use sophisticated social engineering techniques to entice employees to download an attachment, visit a malicious website or give up their credentials to cybercriminals. Stopping ransomware starts with stopping phishing messages from reaching employee inboxes, and AI-driven email security is the superior choice for doing just that.  

  • Sophisticated email security automation puts 3 layers of protection between your business and phishing messages  
  • Automated email solutions like Graphus catch 40% more malicious messages than conventional solutions or a SEG  
  • Smart AI never needs threat reports, instead using over 50 points of comparison to sniff out targeted spear phishing, ransomware, zero-day attacks and other complex threats.  

Don’t wait until you’re paying the bills for a ransomware attack to improve your email security – 60% of companies that are hit by a cyberattack go out of business. Stop phishing immediately with Graphus – the simplest, most automated and most affordable phishing defense available today. Contact one of our solutions specialists today and put protection that never takes a day off to work for your business.
