Almost four in five (78%) of organizations that paid a ransom demand were hit by a second ransomware attack, in many cases by the same threat actor, according to Cybereason’s Ransomware: The Cost to Business Study 2024.
Nearly two-thirds (63%) of these organizations were asked to pay more the second time.
Among those breached a second time, the same threat actor was responsible in 36% of cases and a different attacker in 42%. These two figures sum to the 78% repeat-attack rate, so they appear to be shares of all organizations that paid rather than of the repeat victims alone.
In total, 56% of organizations suffered more than one ransomware attack in the last 24 months.
The study, which surveyed over 1,000 cybersecurity professionals, found that a staggering 84% of organizations agreed to pay a ransom demand after being breached.
Of these, fewer than half (47%) got their data and services back uncorrupted, emphasizing that paying is generally not the solution.
Greg Day, Global Field CISO (VP), Cybereason, explained that paying ransom demands is problematic for a number of reasons.
“It’s no guarantee that attackers won’t sell your data on the black market, that you’ll even get your full files and systems back, or that you won’t be attacked again,” he noted.
The respondents cited several factors in deciding to pay a ransom demand:
- Attackers threatened to disclose sensitive information
- They feared loss of business
- Paying seemed to be the fastest solution
- It was a holiday/weekend and they were short-staffed
- It was a matter of life and death
- They didn’t have backup files
Staggering Business Costs of Ransomware
Nearly half (46%) of ransomware victims estimated business losses to be $1-10m as a result of the attack, with 16% reporting losses of over $10m.
The average ransom demand for US businesses has risen to $1.4m, the highest cost among the nations surveyed. This was followed by France ($1m), Germany ($762,000) and the UK ($423,000).
These findings follow research by Arctic Wolf in February 2024, which found that initial ransomware demands reached a median of $600,000 in 2023, a 20% increase on the previous year.
Despite this risk, only 41% of organizations feel they have the right people and plan to manage the next attack.
Additionally, while almost all respondents have taken out cyber insurance, only 40% are sure that a ransomware attack would be covered.
Day said that the research demonstrates most businesses’ ransomware strategies are incomplete, preventing effective recovery following an incident.
“They’re either missing a documented plan, or the right people to execute it. As a result, we see that many organizations are paying the ransom. Likewise, whilst many have cyber insurance, too many simply don’t know if, or to what degree it covers them for ransomware attacks,” he outlined.
Ransomware Attackers Are Evolving Their Tactics
The research highlighted a shift towards more complex “low-and-slow” ransomware attacks, designed to compromise as much of the targeted network as possible to extract the highest ransom payment.
More than half (56%) of cybersecurity professionals said their organization didn’t detect a breach for 3-12 months.
The most common method ransomware actors used to infiltrate organizations’ systems was a supply chain breach (41%). This was followed by direct access (24%) and access to victims’ networks with the help of an insider (22%).
The researchers also noted that ransomware actors are becoming more effective due to their use of generative AI tools. These technologies are primarily being leveraged to craft more professional social engineering messages and effectively translate them into any language.