Nearly 78% of firms who had fallen victim to ransomware attacks and paid ransoms go on to

suffer repeat attacks according to the latest research from identity-driven cyber resilience

pioneer, Semperis (https://www.semperis.com).

In a study of nearly 1,000 IT and security professionals at organizations spanning multiple industries across the USA, UK, France and Germany, the Semperis’ 2024 Ransomware Study aims to understand the prevalence, frequency and costs of ransomware attacks – in both ransom payments and collateral damage, and highlights an alarming trend toward multiple, sometimes simultaneous attacks, forcing business leaders to re-evaluate their cyber resilience strategies to address common points of failure, including inadequate identity system backup and recovery practices.  

“Considering that there is a 24/7 threat arrayed against today’s organizations, you can never say ‘I am safe’ or take a moment off.  The best you can do is to make your environment defensible and then defend it,” says Chris Inglis, Semperis Strategic Advisor and first U.S. National Cyber Director.  “At the centre of this whole discussion is business viability.  Attackers are trying to hold that at risk so that they can then convince you to buy them out.  If they can achieve a successful attack on identity, then they own privilege, and they can then use that privilege to their benefit.”
 
Key findings from the study reveals that overall, 74% of respondents that were attacked for ransom in the past 12 months were attacked multiple times – many within the span of a week.  In the UK, 83% of organizations which were attacked were targeted more than once.  Of those targeted, 78% of organizations paid the ransom with 735 of UK firms paying multiple times, while 38% of those paid ransom did so four times or more.

Few companies see an alternative to ransom payment with 87% of attacks causing business disruption – even for those that paid ransom – including data loss and the need to take systems offline.  For 16% of respondents, the attack created a life-or-death dilemma with a further 14% of respondents in the UK saying it was a matter of life and death.

However, paying ransom does not guarantee a return to normal business operations.  The Semperis study reveals that 35% of victims who paid ransom either did not receive decryption keys or received corrupted keys.  Additionally, 49% of respondents (UK: 51%) needed 1 to 7 days to recover business operations to minimal IT functionality after a ransomware attack, and 12% (UK: 13%) needed 7 days or more, indicating that Recovery Time Objectives (RTOs) are not being met.
 
Although research found that 72% of UK respondents had an identity recovery plan – signalling strong progress towards IAM-centric security – only 32% reported having dedicated, AD-specific backup systems.  Without AD-specific, malware-free backups and a tested, cyber-specific recovery plan, recovery will be prolonged, increasing the chance that the organization will decide to pay ransom to restore business operations.
 
“For management and the Board to make an educated decision not to pay ransom, they need to know how long recovery will take and have confidence in the process,” says Mickey Bresman, CEO, Semperis.  “That means you must test your plan in as close to a real-world scenario as possible and present it to the Board before an attack occurs.  That way, when disaster strikes, decision makers will have been confident in their ability to say ‘no’ to attackers.”

Ongoing cybersecurity challenges continue to plague organizations with lack of support from the Board of Directors topping the list, followed by concerns around budget constraints, staffing shortages, outdated systems and cybersecurity regulations and directives.
 
“Technology can help us analyze and assess what's happening, moment by moment,” comments Inglis.  “It can help us respond more quickly and recover more quickly.  But the thing that is most wanting now is a collective realization that we all have a part to play.  That starts with the Board, not with the IT shop.  The Board is accountable; the SEC has made that clear.  Regulations are increasingly making it clear: cybersecurity is a business issue.”

The full ransomware study, which includes breakdowns of responses by vertical market and by country, is available at https://www.semperis.com/ransomware-risk-report/.