Ransomware victims that have backups are paying ransoms to stop hackers leaking their stolen data

Ransomware attacks are proving more lucrative for cyber criminals as even organisations that can restore from backups are paying ransom demands to prevent further damage.
Written by Danny Palmer, Senior Writer

Some organisations that fall victim to ransomware attacks are paying ransoms to cyber-criminal gangs despite being able to restore their own networks from backups, in order to prevent hackers publishing stolen data.

Over the course of the past year, many of the most successful ransomware gangs have adopted an additional technique in an effort to coerce victims into paying ransoms after compromising their networks – publishing stolen data if a payment isn't received.

As 2020 started, only the Maze ransomware gang was using this tactic. But as it ended, an additional 17 ransomware crews had taken to publishing stolen data of victims if they didn't receive payment.

However, according to cybersecurity company Emsisoft's 'State of Ransomware' report, some victims of ransomware attacks are entirely capable of restoring their network from backups and have successfully done so – but are still paying a bitcoin ransom of hundreds of thousands or millions of dollars in an effort to prevent the cyber criminals from leaking stolen information.

"Like legitimate businesses, criminal enterprises adopt strategies that are proven to work, and data theft has indeed been proven to work. Some organisations that were able to use backups to recover from attacks still paid the ransom simply to prevent their data being published," said the report.

"This resulted in a greater percentage of attacks being monetized and, as a result, better ROI for the cybercriminals," it added.

Ransomware attacks claimed thousands of victims during the past year, with hundreds of government agencies, healthcare facilities, schools and universities, as well as private companies, among those hit by cyber-criminal attempts at extortion.

According to the report, public sector organisations in the US were particularly badly hit by ransomware attacks with at least 2,354 government, healthcare and educational institutions impacted.

They included 1,681 schools, colleges and universities, 560 healthcare facilities and 113 federal, state and municipal governments and agencies. Meanwhile, over 1,300 private companies were also hit by ransomware attacks.

While some organisations give in to this ransom demand, paying out hundreds of thousands or even millions of dollars in bitcoin because they perceive it to be the quickest way to restore the network, others refuse and can spend weeks or months attempting to restore the network – while some restored from backups and also paid the ransom.

According to Emsisoft, the total cost of the financial damage done by ransomware attacks is likely to be in the billions. And because the technique of stealing and publishing data is proving successful, it's likely that even more ransomware groups will adopt it: put simply, it works, and cyber criminals are making money from businesses that don't want their data leaked.

However, while ransomware attacks continue to be damaging for a significant number of organisations, there are relatively simple steps that can be taken in an effort to protect against ransomware and other malware attacks.

Phishing remains one of the key methods of distributing ransomware – especially following the rise in remote working – so organisations should attempt to hammer home the importance of being careful when opening emails and attachments. If employees are suspicious about something, they should report it.

Organisations should also make sure that they have a good patching strategy and have the latest security updates applied. That prevents cyber criminals from taking advantage of known vulnerabilities to distribute malware.

Regularly updating backups should also be a priority, because if the worst happens and the organisation falls victim to a ransomware attack, the network can be restored without paying the ransom.

"2021 need not be a repeat of 2020. Proper levels of investment in people, processes and IT would result in significantly fewer ransomware incidents and those incidents that did occur would be less severe, less disruptive and less costly," said Fabian Wosar, CTO of Emsisoft.

