Some companies pay ransomware attackers multiple times, survey finds

 

Nearly one-third of companies that suffered a ransomware attack paid a ransom four or more times in the past 12 months to regain access to their systems, according to the 2024 Ransomware Risk Report released Tuesday by Semperis, a cybersecurity software company.

This decision to pay multiple times involved 32% of attacked companies in France, Germany, the U.K. and U.S. across multiple industries, according to the survey of 900 IT and security executives.  

Nearly half of the German companies queried paid four or more ransom payments, compared to one-fifth of companies in the U.S.

More than a third of companies that paid the extortion demand either did not receive the decryption keys from attackers or were given corrupted keys, according to the report.

Almost three-quarters of companies said they had endured multiple attacks, and 87% said the attacks had caused some level of disruption. Companies in the U.S. and U.K. were slightly more likely to have experienced a ransomware attack, with 85% in each country reporting such an attack within the past 12 months, Semperis said.

About 75% of those surveyed reported paying a ransom to regain control of their data; about 10% said they had paid more than $600,000.

“Ransomware, once a sporadic menace, has evolved into an unrelenting adversary,” the study, conducted in partnership with Censuswide, said. “Attacks are no longer isolated incidents; they occur incessantly.”

More than 80% of ransomware attacks compromised an organization’s IT identity system, such as Microsoft Active Directory or Entra ID, but 61% of respondents said they don’t have dedicated AD or Entra ID backup systems, according to the report.

Ransomware attacks have evolved from individual bands of actors to “the sum of activities by a loose confederation of groups,” said Chris Inglis, a Semperis adviser and former U.S. National Cyber Director. That means a company often must negotiate with, and pay, more than one attacker.

“Any company that thinks, ‘I’ll just pay my way out,’ is setting themselves up for a harder ride than they might have imagined,” he said.

Companies should assume “a constant breach” posture, according to Semperis, which is based in Hoboken, New Jersey.

Threat actors share information, purchase ready-made ransomware as a service kits, use regulatory fines as leverage and attack industries that were once considered off limits, the reports said. 


Comments