Security Experts:

Connect with us

Hi, what are you looking for?



It Doesn’t Pay to Pay: Study Finds Eighty Percent of Ransomware Victims Attacked Again

It doesn’t pay to pay. This advice on ransomware payment is often given, but rarely enumerated. Now it has been. A new study finds that 80% of companies that paid a ransom were hit a second time, with 40% paying again. Seventy percent of these paid a higher amount the second time round.

It doesn’t pay to pay. This advice on ransomware payment is often given, but rarely enumerated. Now it has been. A new study finds that 80% of companies that paid a ransom were hit a second time, with 40% paying again. Seventy percent of these paid a higher amount the second time round.

These figures come from an April 2022 Cybereason study that queried 1,456 cybersecurity professionals from organizations with 700 or more employees. The shocking nature of the statistics, published in Ransomware: The True Cost to Business (PDF) go much deeper. 

It’s not a problem that can be ignored with the vague belief, ‘it won’t happen to me’. Seventy-three percent of organizations have suffered at least one ransomware attack in the past 24 months – up 33% from last year.

Sixty percent of companies admitted ransomware gangs had been in their network from one to six months before they were discovered – a key indicator of a double extortion attack. But paying the double extortion fee doesn’t really help; nearly 200,000 companies never received their data back after paying. And the criminals still have the data regardless. Thirty-five percent of companies suffered C-level ‘resignations’ because of a ransomware attack.

Other key findings of the research include the prevalence of the supply chain as a factor in the attack. Sixty-four percent of companies believe the ransomware gang got into their network via one of their suppliers or business partners.

Business disruption is almost inevitable. Thirty-one percent of companies were forced to temporarily or permanently suspend operations following an attack, and nearly 40% of companies laid off staff as a consequence. Only 42% said the payment resulted in restoration of all systems and data (down from 51% last year. Furthermore, 54% said that system issues persisted or that some data was corrupted after decryption.

But the most shocking indicator of the futility of paying comes from the repetitive nature of extortion attacks. Eighty percent of victims were hit a second time. Forty percent paid the second ransom. Ten percent paid a third ransom, and 1% paid a fourth. The additional attacks come rapidly and usually demand a higher figure. Sixty-eight percent of firms said the second attack came less than a month after the first, with an increased demand.

Cybereason believes that problems with full recovery after a successful attack and subsequent decryption are a key factor in repetitive attacks. The attackers know that full and effective restoration, forensic analysis and deployment of new defenses takes time – so they attack again while the company is still weak and reeling from the first attack.

“The key to understanding this lies in understanding the economy behind ransomware-as-a-service,” Cybereason’s CSO Sam Curry told SecurityWeek

“It’s tempting from the normal name we give these groups to think of them like roving gangs. But that’s misleading. Ransomware cartels would be a better name for them than ransomware gangs. There is a network of affiliates that harvest victims in an automated fashion and effectively sell those to the ransomware outfits who carry out the dirty work of network penetration, detonation and extortion.”

Curry believes the affiliates, in many cases, retain the lead and can sell them to another gang or cartel. “For that matter,” he added, “the cartel itself can keep coming back for more. Why not if the victim doesn’t change security practices? As in the real world, organized crime doesn’t turn away from money and very often the score can turn into a continuing-to-pay protection racket quite naturally.”

But he also believes that the evolution of ransomware will not stop at double extortion. Extortion only continues to work if victims pay the demand – ransomware evolved into double extortion to make the threat increasingly compelling. But Cybereason’s own figures show that it doesn’t always work. “Paradoxically,” says the report, “78% of organizations that indicated they did not pay a ransom said they were able to fully restore systems and data without receiving the decryption key at all.” If this practice grows, and the report indicates it should be every victim’s aim, the attackers will need to evolve again.

Will this include increased direct targeting of OT? “Absolutely!” he said. “The data in this study may not be sufficient to point to that, but OT itself is growing exponentially and is woefully insecure.” There are too many OT devices shipping with poor cryptography, non-functional hardware roots of trust, insufficient update mechanisms, weak default identity credentials and much more. 

“Not only can these devices be abused and denied use, like an MRI machine being bricked or a lathe in a production shop, but they can also form a point of ingress for other networks and can open organizations to entirely new attack vectors. The next evolutionary step not only could but will exploit the path of least investment and least risk for greatest yield – and OT has to be in consideration in the R&D departments of ransomware cartels and their ilk around the world.”

Related: Beating Ransomware with Advanced Backup and Data Defense Technologies

Related: Access Brokers and Ransomware-as-a-Service Gangs Tighten Relationships

Related: Ransomware, Malware-as-a-Service Dominate Threat Landscape

Related: SecurityWeek Cyber Insights 2022: Ransomware

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...