Nearly a third of companies hit by ransomware attacks paid ransoms four or more times in the past year, according to the Semperis 2024 Ransomware Risk report.
The survey of 900 IT and security executives from France, Germany, the UK, and the U.S. revealed nearly a third (32%) of organizations opted for multiple payments.
According to the report, German companies were particularly vulnerable, with almost half making four or more payments, compared to 20% in the U.S.
More than a third of companies that paid ransoms either received no decryption keys or were given corrupted ones.
Nearly 85% of companies in the U.S. and UK experienced a ransomware attack in the past 12 months, according to the study.
Of those surveyed, 75% paid a ransom to regain control of their data, with around 10% paying more than $600,000.
Additionally, 87% reported some level of operational disruption following the attacks.
In fact, 80% of attacks compromised IT identity systems like Microsoft Active Directory or Entra ID, yet 61% of organizations admitted they lack dedicated backup systems for these critical identity platforms.
Nearly three-quarters of companies also said they endured multiple attacks during the same period.
Devin Ertel, CISO at Menlo Security, said the decision of whether to pay a ransom is unique to each organization and situation.
“Multiple factors come into play, making it an overarching business decision rather than a purely technical one,” he said.
While paying might seem like the quickest path to recovery, it’s crucial to remember that attackers might maintain access even after payment, making a full incident response and recovery process essential.
“Never simply pay and consider the issue resolved,” Ertel said. “Instead, use the incident as an opportunity to look back at the gaps that were exploited and incorporate them into your overall security strategy.”
Ngoc Bui, a cybersecurity expert at Menlo Security, added that while paying ransoms might incentivize threat actors, the reality is that not paying could be more damaging, especially for organizations involved in critical infrastructure.
“The disruption from ransomware can be catastrophic, and organizations must prioritize protecting operations and stakeholders,” she said.
She said organizations that suffer a ransomware attack should also use it as a learning opportunity to adjust their security measures and ensure they are using actionable intelligence to do so.
Carlo Edwards, principal threat intelligence researcher at Ontinue, said in some cases, it can be more cost-effective to pay a ransom demand versus waiting for security teams to assess the problem and act.
In 2021, CNA Financial paid a record amount of $40 million after being locked out for two weeks.
“However, this is a nearly $14B organization,” he explained. “So, paying the ransom was cheaper than losing $500 million they could have potentially lost in that downtime.”
He cautioned that once the organization has paid the ransom or has been breached by a ransomware operator, it is likely that additional attempts will be made in a short period.
“The initial breach shows a lack of security awareness of security measures,” Edwards said.
Because threat actors are opportunistic, they are likely to view this as an indication of how the organization operates and that it lacks security controls, leading the threat actor to try again.
“Without running a full after-action review, key vulnerabilities can be missed, and credential resets might not happen,” he said.
In addition, it is not uncommon for ransomware operators to leave behind a backdoor for future access, or for initial access brokers to sell the same access method to multiple groups.
“If this access method is not addressed with haste and vigilance, it’s like leaving the back door of your house unlocked,” Edwards said.
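The two follow-up items Edwards raises, credential resets that never happen and access that is left in place, can both be checked against Active Directory, the identity system the report says most attacks compromise. The script below is an added example, not code from the article or from any of the vendors quoted in it. It assumes the RSAT ActiveDirectory module on a domain-joined host with read access to the directory; the incident date is an assumed value that should be replaced with the earliest known compromise time from the after-action review.

```powershell
# Added example: post-incident credential and persistence audit for Active Directory.
# Assumes the RSAT ActiveDirectory module (Import-Module ActiveDirectory) and a
# domain-joined host. $IncidentDate is an assumed placeholder, not a value from the article.
Import-Module ActiveDirectory

$IncidentDate = Get-Date '2024-06-01'   # assumed: earliest known time of compromise

# 1. Enabled accounts whose password predates the incident. Any credential dumped
#    during the intrusion is still valid for these accounts until it is reset.
$stale = Get-ADUser -Filter 'Enabled -eq $true' -Properties PasswordLastSet, MemberOf |
    Where-Object { -not $_.PasswordLastSet -or $_.PasswordLastSet -lt $IncidentDate }

# Privileged group membership turns a stale password into an urgent finding.
$privGroups  = 'Domain Admins', 'Enterprise Admins', 'Administrators', 'Schema Admins'
$privMembers = foreach ($g in $privGroups) {
    Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty distinguishedName
}

$staleReport = $stale | ForEach-Object {
    [pscustomobject]@{
        SamAccountName  = $_.SamAccountName
        PasswordLastSet = $_.PasswordLastSet
        Privileged      = ($privMembers -contains $_.DistinguishedName)
    }
} | Sort-Object -Property Privileged, PasswordLastSet -Descending

Write-Host "Enabled accounts with passwords not reset since $($IncidentDate.ToShortDateString()):"
$staleReport | Format-Table -AutoSize

# 2. Accounts created after the incident began. Operators and access brokers commonly
#    leave a freshly created user behind as a backdoor; each one needs an owner or removal.
$newAccounts = Get-ADUser -Filter 'Enabled -eq $true' -Properties whenCreated, Description |
    Where-Object { $_.whenCreated -ge $IncidentDate } |
    Select-Object SamAccountName, whenCreated, Description

Write-Host "Enabled accounts created on or after the incident date:"
$newAccounts | Format-Table -AutoSize

# 3. The krbtgt account: a stolen krbtgt hash lets the attacker forge Kerberos tickets
#    regardless of user password resets. It must be reset twice, with replication allowed
#    to complete between the two resets, before the forged tickets stop working.
$krbtgt = Get-ADUser -Identity krbtgt -Properties PasswordLastSet
if ($krbtgt.PasswordLastSet -lt $IncidentDate) {
    Write-Warning ("krbtgt password last set {0}: reset it twice, allowing replication " +
                   "between resets, or pre-incident Kerberos tickets remain valid.") -f $krbtgt.PasswordLastSet
}
```

Run the script as a domain user with read access; it changes nothing and only reports. The privileged and krbtgt findings are the ones that need to be acted on first, since those are the credentials that let an operator, or a buyer of the access, walk back in after the ransom has been paid.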