Nearly 80 per cent of companies that paid a ransom after a ransomware attack were hit again, most within a month, and paid even more the second time, according to new figures suggesting many companies have come to treat ransom payments as a cost of doing business.

Fully 48 per cent of those that paid said the second attack came from the same actors that had compromised their systems the first time, and that those attackers, evidently treating them as proven payers, demanded a higher ransom the second time.

Nonetheless, 44 per cent of the 1,456 respondents to Cybereason's Ransomware: The True Cost to Business report said they paid the second ransom demand as well, and 9 per cent had paid ransom demands three times or more.

The figures suggest that efforts to convince companies not to pay cybercriminals are failing to resonate with executives who still believe that they, or their increasingly reluctant insurers, can simply pay up to make the problem go away.

“Ransomware attacks are traumatic events, and when ransomware gangs attack a second, third or fourth time in a matter of weeks, it can bring an organisation to its collective knees,” said Cybereason CEO and co-founder Lior Div, who said many companies are so focused on recovering from the initial attack that they leave open a window of opportunity for cybercriminals to return.

“Deploying effective anti-ransomware solutions is easier said than done,” Div said, “and the hackers know it…. Organisations need time to assess their security posture, determine what are the right tools to deploy, and then find the budget to pay for it. The ransomware gangs know this, and it is the biggest reason they strike quickly.”

The second attacks typically land while the victim is still in turmoil from the first: 40 per cent of organisations reported laying off staff after an attack, 35 per cent said an attack had forced the resignation of C-level executives, and 31 per cent said they had been forced to suspend operations temporarily or permanently.

Paying the ransom does not guarantee a clean recovery either. Ransomware is permanently damaging more data than in the past: 54 per cent of respondents admitted that some or all of their data was corrupted during recovery, up from 46 per cent a year earlier. In practice, this means a decryptor supplied by the attacker cannot be relied on as a substitute for tested, offline backups.

Fewer options after infection

Surveys regularly confirm that most companies have suffered a ransomware compromise: 73 per cent of companies in Cybereason's survey reported a ransomware hit in the past year, not far off the 85 per cent who said the same in a recent survey of 500 decision makers conducted by Wakefield Research for ExtraHop.

And while there are ways to ensure rapid recovery from a ransomware attack, many companies still prefer denial as a strategy: not only did 72 per cent of the ExtraHop respondents admit to paying the ransom, but a similar proportion had tried to prevent the incident from becoming public.

Although two-thirds of ExtraHop respondents agreed it was good to disclose attacks, just 39 per cent said they were actually willing to do so.

To pay or not to pay, that is the question

The immediacy and magnitude of ransomware threats have made it essential for companies to set a policy on whether to pay ransoms before an incident occurs, and have motivated government legislation that would force businesses to disclose any ransomware payments they make.

Official Australian Cyber Security Centre (ACSC) guidance has long recommended in no uncertain terms that companies “never pay a ransom”, warning – presciently, as the Cybereason figures confirm – that “you may also be targeted by another attack.”

Yet even with an abundance of advice on how to respond to ransomware attacks, how to prevent them in the first place and how to avoid repeat attacks, most companies are still being outmanoeuvred by cybercriminals who compromise their networks, quietly exfiltrate large volumes of confidential data over weeks or months, and only then choose the most opportune moment to deploy the ransomware.

Threats to publish that stolen data are used as leverage to convince companies to pay; when a victim refuses, as compromised organisations such as Canon and Anglicare Sydney chose to do, the data is often leaked or sold on dark-web forums. This is why encryption-only defences such as backups, while essential for recovery, do not remove the extortion risk once data has already left the network.

Fully 60 per cent of organisations in the Cybereason survey admitted that ransomware gangs had been inside their networks for up to six months before being discovered, an interval known as 'dwell time'.

Those results are consistent with new analysis by the Sophos Rapid Response team, which found that median dwell time increased 36 per cent, from 11 days in 2020 to 15 days last year, and that dwell time was higher for smaller companies, where the median rose to 52 days. The two figures measure different things (a survey ceiling versus a median across incidents Sophos responded to), so they should not be compared directly, but both point to attackers having weeks of unobserved access before the ransomware is deployed.

“The world of cybercrime has become incredibly diverse and specialised,” said Sophos senior security advisor John Shier, adding that “it can be hard for organisations to keep up with the ever-changing tools and approaches attackers use.”

“It is vital that defenders understand what to look for at every stage of the attack chain, so they can detect and neutralise attacks as fast as possible.”