If your company falls victim to ransomware, the government and the experts agree: Don't pay the ransom they demand.
Yet, four out of five organizations targeted in ransomware attacks wind up paying the ransom, according to a new survey from Kaspersky.
Cybersecurity company Kaspersky may currently be dealing with warnings about its ties to the Russian government issued by the likes of Germany's BSI and the US's FTC — but that doesn't mean its surveys can't highlight a big problem in the business world.
This is just the latest report to attempt an answer to a long-running cybersecurity question: Just how many companies forgo the official guidance to never pay ransoms?
Researchers Can't Agree on the Amount of Ransoms Paid
Due in part to corporate secrecy on the issue, it might be impossible to find out the true amount of ransomware payments that companies have shelled out across all attacks in all industries. Here are just a few of the conflicting reports from the past few years that you'll have to wade through in search of the truth.
First, there's a 2021 survey of “300 US-based IT decision-makers” which found that, of those who had been hit by a ransomware attack in the previous 12 months, an impressive 85% had paid the ransom.
But that figure dropped in a report the next year, when Proofpoint’s 2022 State of the Phish Report found that around 60% of those infected with ransomware paid a ransom, with 54% regaining access after the first payment.
Then there's Kaspersky's latest survey, which last month polled 900 respondents across the globe and found that 79% of all ransomware victims had paid their attackers. An even higher share, 88% of executives from companies previously hit by ransomware, stated they would pay if they were attacked again.
Why Do Companies Pay Up Even When Professionals Warn Against It?
One big reason experts warn against paying is that ransomware attackers have no incentive to keep their promise once they're paid. Some might hold out for an additional payment, while others may vanish without a trace.
“Paying a ransom does not guarantee an organization will regain access to their data; in fact, some individuals or organizations were never provided with decryption keys after having paid a ransom,” the FBI says.
Other security professionals say that paying just encourages a repeat incident. So why do so many ignore that advice?
Because it's often cheaper. As one of the surveys above indicates, businesses that pay do recover their ransomed data immediately about half of the time, and businesses seem to like those odds. In the business world, potential long-term downsides can't compete with decent odds of a short-term upside.
Ultimately, preventative measures are still the best approach to beating ransomware: Get a great IT team, or at least invest in antivirus software.
We'd end this article by reiterating a warning to all CTOs and CEOs that they really shouldn't pay ransoms. But that's exactly the warning that most of you won't listen to.