Majority of Ransomware Victims That Pay a Ransom Suffer a Second Attack
Paying a ransom may allow encrypted files to be recovered and threat actors usually remove stolen data from data leak sites, but victims that pay are often attacked a second time. These may be attacks by the same threat actor or a different ransomware group.
These double attacks are incredibly common. According to a recent study by the cybersecurity firm Cybereason, 56% of organizations surveyed have suffered more than one ransomware attack, and 78% of organizations that paid a ransom suffered a second ransomware attack. The second time around, 63% were asked to pay even more. Out of the 78% of organizations that suffered a second attack, 36% said the attack was conducted by the same threat actor and 42% said it was conducted by a different attacker.
The survey confirmed the perils of paying a ransom. Only 47% of organizations that chose to pay the ransom were able to recover their files, with the remainder saying they were either unable to recover their data or that their data was corrupted. Many victims of ransomware attacks choose to pay a ransom to prevent the publication of the stolen data. While ransomware groups usually remove stolen data from their data leak sites when a ransom is paid, there is no guarantee that the data will be deleted. That data is valuable and can easily be sold to another threat actor, so there is little incentive to delete it.
The threat of data disclosure is one of the main reasons why ransoms are paid, but there are several factors that prompt attacked businesses to pay up, such as the lack of backup files, the time taken to recover if a ransom is not paid, fear of loss of business, and a lack of staff to deal with the attack.
Out of the 1,000 organizations surveyed, 84% said they paid a ransom following an attack and the average ransom demand was $1.4 million. Regardless of whether the ransom is paid, the losses can be considerable. 46% of organizations that suffered an attack said their losses were between $1 million and $10 million, and 16% said they lost more than $10 million.
The most common initial access vectors in ransomware attacks were supply chain compromises (41%), direct attacks (24%), and malicious insiders (22%). The study also indicates that many ransomware groups are taking their time to compromise as much of the network as possible. They steal vast amounts of data and only deploy ransomware when they feel they can demand the highest payments. 56% of victims said the attackers had been inside their networks for between 3 and 12 months before ransomware was deployed.


