Over 75% ransomware hit orgs pay to get data access back

Businesses are rapidly losing the battle when it comes to defending against ransomware attacks. While most organisations end up paying ransomware apropos a cyber attack, many still do not get their data back.

According to a report by data management company Veeam Software, a whooping 76% of cyber-victims paid the ransom to end an attack and recover data in the last 12 months. While 52% paid the ransom and were able to recover data, 24% paid the ransom but were still not able to recover data resulting in a one out of three chance that paying the ransom still leads to no data.

It is notable that 19% of organisations did not pay the ransom because they were able to recover their own data. This is what the remaining 81% of cyber-victims must aspire to — recovering data without paying the ransom.

It also found that 80% of successful attacks targeted known vulnerabilities. Almost all attackers attempted to destroy backup repositories to disable the victim’s ability to recover without paying the ransom.

Also read: India’s connected machines become cyber weapons for hackers

Veeam said that it surveyed 1,000 IT leaders whose organisations had been successfully attacked by ransomware at least once during the past 12 months, making it one of the largest reports of its kind.

Another report by Sophos states that 78% of Indian organisations surveyed were hit with ransomware in 2021, up from 68% in 2020. This is the highest rate of ransom payment reported across all 31 countries surveyed.

The average ransom paid by Indian organisations that had data encrypted in their most significant ransomware attack, was $1,198,475, with 10% of victims paying ransoms of $1 million or more.

“Ransomware has democratised data theft and requires a collaborative doubling down from organisations across every industry to maximize their ability to remediate and recover without paying the ransom,” said Danny Allan, CTO at Veeam.

“Paying cybercriminals to restore data is not a data protection strategy. There is no guarantee of recovering data, the risks of reputational damage and loss of customer confidence are high, and most importantly, this feeds a self-fulfilling prophecy that rewards criminal activity,” Allan added.