It doesn’t pay to pay. This advice on ransomware payment is often given, but rarely enumerated. Now it has been. A new study finds that 80% of companies that paid a ransom were hit a second time, with 40% paying again. Seventy percent of these paid a higher amount the second time round.
These figures come from an April 2022 Cybereason study that queried 1,456 cybersecurity professionals from organizations with 700 or more employees. The shocking statistics, published in Ransomware: The True Cost to Business (PDF), go much deeper.
It’s not a problem that can be ignored with the vague belief, ‘it won’t happen to me’. Seventy-three percent of organizations have suffered at least one ransomware attack in the past 24 months – up 33% from last year.
Sixty percent of companies admitted ransomware gangs had been in their network from one to six months before they were discovered – a key indicator of a double extortion attack. But paying the double extortion fee doesn’t really help; nearly 200,000 companies never received their data back after paying. And the criminals still have the data regardless. Thirty-five percent of companies suffered C-level ‘resignations’ because of a ransomware attack.
Other key findings of the research include the prevalence of the supply chain as a factor in the attack. Sixty-four percent of companies believe the ransomware gang got into their network via one of their suppliers or business partners.
Business disruption is almost inevitable. Thirty-one percent of companies were forced to temporarily or permanently suspend operations following an attack, and nearly 40% of companies laid off staff as a consequence. Only 42% said the payment resulted in restoration of all systems and data (down from 51% last year). Furthermore, 54% said that system issues persisted or that some data was corrupted after decryption.
But the most shocking indicator of the futility of paying comes from the repetitive nature of extortion attacks. Eighty percent of victims were hit a second time. Forty percent paid the second ransom. Ten percent paid a third ransom, and 1% paid a fourth. The additional attacks come rapidly and usually demand a higher figure. Sixty-eight percent of firms said the second attack came less than a month after the first, with an increased demand.
Cybereason believes that problems with full recovery after a successful attack and subsequent decryption are a key factor in repetitive attacks. The attackers know that full and effective restoration, forensic analysis and deployment of new defenses takes time – so they attack again while the company is still weak and reeling from the first attack.
“The key to understanding this lies in understanding the economy behind ransomware-as-a-service,” Cybereason’s CSO Sam Curry told SecurityWeek.
“It’s tempting from the normal name we give these groups to think of them like roving gangs. But that’s misleading. Ransomware cartels would be a better name for them than ransomware gangs. There is a network of affiliates that harvest victims in an automated fashion and effectively sell those to the ransomware outfits who carry out the dirty work of network penetration, detonation and extortion.”
Curry believes the affiliates, in many cases, retain the lead and can sell them to another gang or cartel. “For that matter,” he added, “the cartel itself can keep coming back for more. Why not if the victim doesn’t change security practices? As in the real world, organized crime doesn’t turn away from money and very often the score can turn into a continuing-to-pay protection racket quite naturally.”
But he also believes that the evolution of ransomware will not stop at double extortion. Extortion only continues to work if victims pay the demand – ransomware evolved into double extortion to make the threat increasingly compelling. But Cybereason’s own figures show that it doesn’t always work. “Paradoxically,” says the report, “78% of organizations that indicated they did not pay a ransom said they were able to fully restore systems and data without receiving the decryption key at all.” If this practice grows, and the report indicates it should be every victim’s aim, the attackers will need to evolve again.
Will this include increased direct targeting of OT? “Absolutely!” he said. “The data in this study may not be sufficient to point to that, but OT itself is growing exponentially and is woefully insecure.” There are too many OT devices shipping with poor cryptography, non-functional hardware roots of trust, insufficient update mechanisms, weak default identity credentials and much more.
“Not only can these devices be abused and denied use, like an MRI machine being bricked or a lathe in a production shop, but they can also form a point of ingress for other networks and can open organizations to entirely new attack vectors. The next evolutionary step not only could but will exploit the path of least investment and least risk for greatest yield – and OT has to be in consideration in the R&D departments of ransomware cartels and their ilk around the world.”
Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.