Why Do Companies Decide to Pay or Not Pay a Ransom?

November 25, 2021

IBM’s Cyber Resilient Organization Study is a valuable source of information about how organizations are handling today’s most complex threats and how companies prepare for them. This year’s data on ransomware defense shows that many companies just aren’t ready for an attack. Even more troubling is the news that when companies do fall victim to a ransomware attack, far too many opt to pay the ransom, rewarding the cybercriminals for their behavior. What’s driving the train when it comes to ransomware attacks, and why are so many companies willing to pay?


Almost Half of Companies Have Weathered a Ransomware Attack 


Cybercrime has been pummeling businesses, with ransomware leading the charge. The booming dark web data market is a strong enticement for cybercriminals to perpetrate ransomware attacks, especially for attacks perpetrated on organizations that store or handle large amounts of desirable data.  

Most Prevalent Types of Data Stolen in Breaches    

  • Credentials: 60%   
  • Personally Identifiable Information (PII): 40%
  • Medical Data: 10%   
  • Bank Data: 10%   
  • Internal Data: 10%   
  • Payment Data: 10%  

Source: Verizon Data Breach Investigations Report 2021 

Even if the victim doesn’t pay a ransom, bad actors can still profit from stolen data. Data that is at risk also provides additional leverage for double or triple extortion attacks.  Of the respondents surveyed in this year’s study, 51% said that their organization had sustained a data breach over the last 12 months and 46% said that their organization had experienced at least one ransomware attack over the past two years. 


How Are Cybercriminals Delivering Ransomware? 


IBM’s Cyber Resilient Organization Study also breaks down exactly how ransomware attacks are arriving at targeted organizations. Researchers determined that when considering organizations that sustained at least one attack, four major causes represented the catalyst for most ransomware events. 

  • 45% from phishing or social engineering 
  • 22% from insecure or spoofed websites 
  • 19% from social media 
  • 13% from malvertisements 


Ransomware Costs & Demands Are Outrageous 


The price of a ransomware-related data breach is trending upward with no ceiling in sight. In this year’s IBM Cost of a Data Breach Report, researchers determined that the average cost of a data breach in 2021 is estimated at $4.2 million per incident, the highest ever recorded in the 17 years of study. If that data breach involves ransomware, it’s even more expensive. Researchers determined that a ransomware-related data breach kicked the cost up to an average of $4.62 million, and that’s without even considering the ransom demand.   

How much were cybercriminals asking for? Ransom amounts vary, but a few consistent patterns give us a glimpse at what a victim organization may be facing. Only 35% of the impacted organizations in this study reported that their ransom demand was less than $2 million. Instead, the majority (46%) said that cybercriminals demanded ransoms of $2–10 million from their organizations, and 19% reported a ransom demand of $10 million to more than $50 million. That squares with a report in Tripwire detailing the average ransoms paid by organizations. Researchers concluded that average paid ransom amounts have increased by 82%. The average demand is now a record $570,000 (£414,000), compared with just $170,000 (£123,000) in 2020.




What Influences Companies to Pay or Refuse? 


For organizations that are hit by a ransomware attack, there are a number of hard choices that need to be made – and one of the most difficult is whether or not to pay the ransom. The IBM researchers studying organizations that had suffered a successful ransomware attack were able to illustrate some of a company’s decision-making process when deciding whether or not their organization should fork over money to extortionists.  

Paying extortionists is never a good idea. Less than 60% of companies that pay the ransom when they’ve been hit by a ransomware attack are able to recover even part of their data, and 39% of companies that pay a ransom never see any of their data again. It is also illegal in many areas. The US Department of the Treasury’s Office of Foreign Assets Control (OFAC) announced that paying ransom to cybercriminals is likely to be unlawful. Organizations that pay ransoms to cybercriminals or facilitate ransomware payments on behalf of victims, including financial institutions, cyber insurance firms and companies involved in digital forensics and incident response, are violating OFAC regulations. 



Doubts About Ransomware Defense  


Every organization needs to have a ransomware defense and response strategy on the table because it is only a matter of time before they’re facing a ransomware attack. No business is too small – 50% of ransomware attacks last year hit SMBs, and 55% hit businesses with fewer than 100 employees.  However, while organizations know that a ransomware attack is a possibility, that doesn’t mean that they’re ready to handle the challenge. A shocking 50% of IT pros do not believe their organization is prepared to repel a ransomware attack – but there is an affordable way to ensure that your company is a step ahead of ransomware attacks. 


One of the best ways to protect a company from ransomware is to protect it from phishing. An estimated 94% of ransomware arrives at businesses via email. These messages often use sophisticated social engineering techniques to entice employees to download an attachment, visit a malicious website or give up their credentials to cybercriminals. Stopping ransomware starts with stopping phishing messages from reaching employee inboxes.  

Your business needs powerful, automated email security that can provide you with advanced protection against malicious messages that contain threats like ransomware without a high price tag. Graphus answers that call.   

  • Sophisticated email security automation puts 3 layers of protection between your business and phishing messages
  • Automated email solutions like Graphus catch 40% more malicious messages than conventional solutions or a secure email gateway (SEG)
  • Smart AI never needs threat reports, instead using over 50 points of comparison to sniff out targeted spear phishing, ransomware, zero-day attacks and other complex threats.  

Don’t wait until you’re paying the bills for a ransomware attack to improve your email security – 60% of companies that are hit by a cyberattack go out of business. Stop phishing immediately with Graphus – the most simple, automated and affordable phishing defense available today. Contact one of our solutions specialists today and put protection that never takes a day off to work for your business. 

Stay safe from even the most sophisticated cyberattacks and social engineering scams

Put the powerful TrustGraph® AI of Graphus to work for your business, and in minutes you’ll get a powerful, easy-to-use, and customizable EmployeeShield® against phishing attacks.