Ransomware attackers often strike targets twice, regardless of whether the ransom was paid.
Paying ransomware attackers doesn’t pay off and often paints a bigger target on a victim’s back. Eighty percent of ransomware victims that paid their attackers were hit a second time by the malware scourge.
New ransomware numbers come from a Cybereason’s April ransomware survey of 1,456 cybersecurity professionals. According to the gated report (registration required), victims that were successfully extorted were not only targeted a second time, but frequently data encrypted by criminals later became unusable during the decryption process because of corruption issues.
“The fact that ransomware gangs strike so quickly a second and third time isn’t surprising, because they will try to profit in any possible way,” wrote Bill Keeler, senior director of global public relations at Cybereason, in a written exchange with Threatpost. “Why not hit the same company, demand a higher ransom, and get paid?” The report confirms not just the rise in ransomware incidents, something the recent Verizon DBIR documents explicitly, but a worrying new trend. That trend is threat actors going beyond double and triple-extortion attacks and opening a new ransomware threat dynamic.
The Perils of Paying
While the FBI and the Cybersecurity and Infrastructure Security Agency strongly discourage paying a ransom to criminal actors, it happens.
Cybereason found when it does, even a well-intentioned ransomware deal can go wrong. Here is how:
- The attackers don’t honor their promise to decrypt and restore the stolen data and downed systems.
- The data became corrupted during the decryption process.
- The attackers operate in a nation where paying a ransom by a business is a criminal offense, based on government rules tied to “doing business” with an identified terrorist entity.
- Ransom payment encourages the attackers to repeat their success on the same victim.
Ransom Payments Lead to Repeat Attacks
Of those surveyed by Cybereason, 68 percent said were hit a second time within the very same month as their first attack.
“When I drill down deeper into the data, it is nearly 50 percent that were hit the second time in 1-7 days,” Keeler wrote.
Additionally, 48 percent of organizations that paid a ransom reported having been breached twice by the same attackers. Worse, when a second attack occurred, “threat actors demanded an even higher ransom amount the second time around,” according to the report.
Of those repeat ransomware victims that paid, 44 percent paid again during a separate ransomware incident. Of those that paid twice, 9 percent paid three or more times in separate new attacks.
The April Cybereason survey was conducted by Censuswide. Participants represented a global mix of cybersecurity professionals with geographies ranging from the United States (24 percent), U.K. (17 percent), U.A.E., Japan, Singapore and other. A broad mix of industries were represented in the data and ranged from manufacturing (14 percent), finance (10 percent) and other.