78% of Organizations Suffer Repeat Ransomware Attacks After Paying

According to researchers at Cybereason, almost four in five (78%) of ransomware victims who paid a ransom were hit by a second ransomware attack, often by the same threat actor. These details are highlighted in Cybereason's Ransomware: The Cost to Business Study 2024. Nearly two-thirds (63%) of these organizations were asked to pay more the second time. Of the 78% breached a second time, 36% were hit by the same threat actor and 42% by a different attacker. In total, 56% of organizations suffered more than one ransomware attack in the last 24 months.

The study surveyed over 1,000 cybersecurity professionals and revealed that 84% of organizations agreed to pay a ransom after being breached. More surprisingly, less than half (47%) got their data and services back. It is not uncommon for the encryption process to fail or to leave files only partially encrypted, for example when security controls stop an attack part-way through. Ransomware negotiators will typically ask the ransomware group to prove it can decrypt files, which in some cases it cannot.

Security Officer Comments:
What is interesting about these findings is that many organizations did not get their data back after paying. It is typically in a ransomware group's interest to restore victims' files, since news of failed decryption would lead victims to doubt that the adversaries can restore files and to stop paying ransoms. It is possible that the threat of double extortion via data leaking means ransomware actors are less concerned about recovering victims' files.

The report highlights several reasons victims decided to pay the ransomware demands:

  • Attackers threatened to disclose sensitive information
  • They feared loss of business
  • Paying seemed to be the fastest solution
  • It was a holiday/weekend and they were short-staffed
  • It was a matter of life and death
  • They didn’t have backup files

“Nearly half (46%) of ransomware victims estimated business losses to be $1-10m as a result of the attack, with (16%) reporting losses of over $10m. The average ransom demand for US businesses has risen to $1.4m, the highest cost among the nations surveyed. This was followed by France ($1m), Germany ($762,000) and the UK ($423,000)” (Info Security Magazine, 2024). These findings follow research by Arctic Wolf in February 2024, which found that initial ransomware demands reached a median of $600,000 in 2023, a (20%) increase on the previous year.

Other notable data points from the survey: only 41% of organizations feel they have the right staff to manage the next attack. Almost all survey participants had taken out cyber insurance, but only 40% were sure a ransomware attack would be covered.

“The research highlighted a shift towards more complex “low-and-slow” ransomware attacks, designed to compromise as much of the targeted network as possible to extract the highest ransom payment. More than half (56%) of cybersecurity professionals said their organization didn’t detect a breach for 3-12 months” (Info Security Magazine, 2024). Supply chain breach was the most common initial access vector at 41%, followed by direct access at 24%, while 22% of attacks were the result of insider help.

Suggested Corrections:
Back up your data, system images, and configurations, regularly test them, and keep the backups offline: Ensure that backups are regularly tested and that they are not connected to the business network, as many ransomware variants try to find and encrypt or delete accessible backups. Maintaining current offline backups is critical because, if your network data is encrypted by ransomware, your organization can still restore systems.

Update and patch systems promptly: This includes maintaining the security of operating systems, applications, and firmware in a timely manner. Consider using a centralized patch management system, and use a risk-based assessment strategy to drive your patch management program.

Test your incident response plan: There's nothing that shows the gaps in plans more than testing them. Run through some core questions and use those to build an incident response plan: Are you able to sustain business operations without access to certain systems? For how long? Would you turn off your manufacturing operations if business systems such as billing were offline?

Check your security team's work: Use a third-party penetration tester to test the security of your systems and your ability to defend against a sophisticated attack. Many ransomware criminals are aggressive and sophisticated and will find the equivalent of unlocked doors.

Segment your networks: There has been a recent shift in ransomware attacks, from stealing data to disrupting operations. It is critically important that your corporate business functions and manufacturing/production operations are separated. Carefully filter and limit internet access to operational networks, identify links between these networks, and develop workarounds or manual controls so that ICS networks can be isolated and continue operating if your corporate network is compromised. Regularly test contingency plans such as manual controls so that safety-critical functions can be maintained during a cyber incident.

Train employees: Email remains the most exploited attack vector for organizations. Users should be trained to spot and avoid phishing emails. Multi-factor authentication can help prevent malicious access to sensitive services.