Ransomware victims are paying up. But then the gangs are coming back for more

Cybersecurity experts warn against paying ransoms - this is why.
Written by Danny Palmer, Senior Writer

Many organisations that fall prey to ransomware attacks end up paying a ransom multiple times as cyber criminals exploit weaknesses in cybersecurity to squeeze their victims for as much cash as they can. 

According to analysis by cybersecurity researchers at Proofpoint, 58% of organisations infected with ransomware paid a ransom to cyber criminals for the decryption key – and in many cases, they paid up more than once. 

Law enforcement agencies and cybersecurity experts warn organisations against paying ransoms: not only is there no guarantee that the supplied decryption key will work, but giving in to ransom demands also encourages further ransomware attacks, because it shows cyber criminals that the attacks pay.


Of those who paid the ransom, just over half – 54% – regained access to data and systems after the first payment. But another third of ransomware victims ended up paying an additional ransom demand before they received the decryption key, while a further 10% also received additional ransom demands but refused the additional payment, walking away without their data. 

In 4% of cases, organisations paid a ransom or ransoms but still couldn't retrieve their data, either because of a faulty decryption key, or because the cyber criminals simply took the money and ran. 

When organisations fall victim to ransomware attacks, the crooks have often been inside the network for weeks or months before the encryption is triggered. Paying the ransom does nothing to evict them: the stolen credentials, backdoors and permissions they established during that time remain in place, so unless the victim finds and removes them, the attackers can simply return and trigger another attack.

"I don't think a lot of organisations are aware of the fact that you might pay the ransom once, but if the criminals have been in your infrastructure for eight weeks, you don't know what else they stole," Adenike Cosgrove, cybersecurity strategist at Proofpoint, told ZDNet.  

Stolen data is commonly used as additional leverage in ransomware attacks, as the cyber criminals threaten to publish it if they don't receive a ransom payment. While this does force some victims into paying, there's no guarantee that the cyber criminals won't return with additional threats to publish the stolen data later. 

"The first run is 'give me a ransom so I can give you the decryption key'. The second ransom is 'give me a ransom or I'm going to put this data on the dark web'," Cosgrove explained. 

"Third might be 'give me a ransom or I'm going to tell media publications about this data breach that you have and tell the regulators that, hey you didn't notify customers that their privacy was impacted,'" she added. 

The best way to deal with ransomware attacks is to prevent them from happening in the first place.  

According to Proofpoint, 75% of ransomware incidents begin with phishing attacks, which cyber criminals use to steal usernames and passwords, or plant remote access trojans to gain an initial foothold in the network. 

Being able to detect suspicious activity early on can, therefore, provide a means of preventing a full-scale ransomware attack. 

"The assumption is that a ransomware attack is the beginning of an incident, but the reality is the incident started weeks ago," said Cosgrove. 

Training users to identify and report suspicious emails can help organisations detect ransomware and other malware attacks early.

Enabling two-factor authentication can also provide a significant stumbling block to phishing attacks that aim to steal usernames and passwords, because without access to the authentication app it is much harder for cyber criminals to use compromised login credentials. One caveat: one-time codes and push approvals can still be captured or relayed by phishing pages that proxy the real login in real time, so phishing-resistant methods such as FIDO2/WebAuthn security keys or passkeys offer stronger protection than SMS or app-generated codes.
