Ransomware attacks are surging in the UK, with threat actors possibly encouraged by the propensity of victim organizations to pay up, according to a new study from Cohesity.
The security vendor polled over 3100 IT and security decision-makers in eight countries and multiple sectors to compile its Global cyber resilience report 2024.
It revealed that, in the UK, 53% of respondents had succumbed to ransomware over the past year, up from 38% in the 2023 report.
Of these, more than half (59%) claimed that they’d paid a ransom, while 74% of British respondents said that they would do the same if victimized by ransomware actors.
Surprisingly, just 7% of UK respondents ruled out paying, despite the fact that two-thirds (66%) apparently have clear rules not to pay.
Even more surprising is the fact that the UK is no outlier. Two-thirds (67%) of global respondents said they fell victim to a ransomware attack in the previous 12 months, rising to 86% of French respondents. Globally, 83% claimed they would pay, rising to 97% in France.
The findings are somewhat at odds with a Coveware study which revealed that just 36% of victims paid ransomware actors in Q2 2024, down from a high of 85% in Q1 2019.
UK respondents paid an average of £870,000, with two organizations admitting that they stumped up £10m-£20m. Globally, 5% of respondents said they paid over £10m.
Recovery is Slow
Law enforcement and government authorities always advise victim organizations not to pay their extortionists – partly because it encourages other cybercrime groups, and partly because it’s no guarantee they will be able to recover all encrypted data. Ransomware victims must also remember that paying sanctioned cybercrime gangs is illegal.
Only 4% of respondents hit by ransomware claimed to have recovered all their data, and less than 2% could recover data and restore business processes within 24 hours.
Although over a fifth (23%) of respondents could recover within 1-3 days, 19% said they needed between three weeks and two months.
James Blake, global head of cyber-resiliency strategy at Cohesity, argued that cyber-resilience is critical given that the determination of threat groups and the size of corporate attack surfaces makes preventative measures largely unrealistic.
“Destructive cyber-attacks severely disrupt an organization’s ability to deliver its products and services, impacting revenue, reputation, their downstream supply-chain and customer trust,” he added.
“This risk must be at the forefront of business leaders’ priorities, not just IT and security leaders. Similarly, regulation and legislation should not be seen by companies as the ‘ceiling,’ but instead the ‘floor,’ in both developing cyber-resilience and adopting data security or recovery capabilities.”