Most firms face second ransomware attack after paying off first

Some 80% of businesses that choose to pay to regain access to their encrypted systems experience a subsequent ransomware attack, amongst which 46% believe it to be caused by the same attackers.
Written by Eileen Yu, Senior Contributing Editor

The majority of businesses that choose to pay to regain access to their encrypted systems experience a subsequent ransomware attack. And almost half of those that pay up say some or all of the data they retrieved was corrupted.

Some 80% of organisations that paid ransom demands experienced a second attack, of which 46% believed the subsequent ransomware to be caused by the same hackers. Amongst those that paid to regain access to their systems, 46% said at least some of their data was corrupted, according to a Cybereason survey released Wednesday. Conducted by Censuswide, the study polled 1,263 security professionals in seven markets worldwide, including 100 in Singapore, as well as respondents in Germany, France, the US, and UK. 

Globally, 51% retrieved their encrypted systems without any data loss, while 3% said they did not regain access to any encrypted data. The report revealed that one particular organisation reportedly paid a ransom in the millions of dollars, only to be targeted in a second attack by the same attackers within a fortnight.

In Singapore, 90% experienced a second ransomware attack after paying the first ransom, with 28% regaining access to data that was corrupted. Some 73% admitted they lost revenue as a result of the attack, compared to the global average of 66%, while 40% saw their brand or reputation adversely affected, compared to 53% globally.

Some 37% of Singapore organisations that paid a ransom forked out $140,000 to $1.4 million, and 5% paid ransom amounts of at least $1.4 million. Another 13% acknowledged having to lay off employees due to financial losses following an attack, while 20% were forced to close down.

Cybereason's Asia-Pacific vice president Leslie Wong said: "Singapore businesses must understand that paying a ransom demand does not guarantee a successful recovery, does not prevent the attackers from hitting the victim organisation again, and in the end only exacerbates the problem by encouraging more attacks. Getting in front of the threat by adopting a prevention-first strategy for early detection will allow organisations to stop disruptive ransomware before they can hurt the business."

Globally, the survey found that 81% of respondents were highly concerned about risks posed by such attacks, with 73% saying they had policies or plans in place to specifically manage ransomware attacks. 

Ransomware attacks were projected to cost $265 billion worldwide by 2031, with one attack impacting businesses and consumers every few seconds, according to Cybersecurity Ventures. This year, such attacks were estimated to cost $20 billion, up 57-fold from 2015. 

Check Point Research also revealed Wednesday that the average number of ransomware attacks worldwide climbed 20% in the last two months, 41% over the last six months, and 93% in the past year. 

In Singapore, such attacks grew 40% over the last couple of months, 99% in the last half a year, and 147% over the past year, said the security vendor. It added that Latin America and Europe clocked the highest spikes in ransomware attacks since the start of 2021, at 62% and 59%, respectively. 

A Veritas survey last November revealed that 78% of businesses in Singapore and 88% in Australia had paid up ransoms in full or in part, after falling victim to such attacks. In addition, 45% in Singapore took between five and 10 days to recover fully from a ransomware attack, compared to 11% in India and 35% in China.

Cybersecurity vendors typically advise organisations against paying up after experiencing ransomware attacks, advocating instead that businesses adopt a data protection and recovery strategy. 

Cybereason, though, noted that data backup plans would not work as effectively when cybercriminals launched "double extortion" malware attacks, in which hackers went beyond encrypting data to exfiltrate sensitive data and intellectual property. They then would threaten to expose or peddle the stolen data if their ransom demands were not met. 

