Nearly one-third of companies that suffered a ransomware attack paid a ransom four or more times in the past 12 months to regain access to their systems, according to a survey of corporate IT executives in four countries.
This decision to pay multiple times involved 32% of attacked companies in France, Germany, the U.K. and U.S. across multiple industries.
Nearly half (49%) of the German companies queried had paid four or more ransom payments, while 21% of companies in the U.S. said the same, according to the 2024 Ransomware Risk Report released Tuesday by Semperis, a cybersecurity software company.
Almost three-quarters (74%) of companies said they had endured multiple attacks, and 87% said the attacks had caused some level of disruption. Companies in the U.S. and U.K. were slightly more likely to have experienced a ransomware attack, with 85% in each country reporting such an attack within the past 12 months, Semperis said.
About 75% of the 900 companies surveyed reported paying a ransom to regain control of their data; about 10% said they had paid more than $600,000.
“Ransomware, once a sporadic menace, has evolved into an unrelenting adversary,” the report says. “Attacks are no longer isolated incidents; they occur incessantly.”
More than 80% of ransomware attacks compromised an organization’s IT identity system, such as Microsoft Active Directory or Entra ID, but more than half (61%) said they don’t have dedicated AD or Entra ID backup systems, according to the report.
Ransomware attacks have evolved from individual bands of actors to “the sum of activities by a loose confederation of groups,” said Chris Inglis, a Semperis adviser and former U.S. National Cyber Director. That means a company often must negotiate with, and pay, more than one attacker.
“Any company that thinks, ‘I’ll just pay my way out,’ is setting themselves up for a harder ride than they might have imagined,” he said.
Companies should assume “a constant breach” posture, according to Semperis, which is based in Hoboken, N.J.
Bad actors share information, purchase ready-made “ransomware-as-a-service (RaaS) kits,” use regulatory fines as leverage and attack industries that were once considered off limits, the report says.
More than a third of companies (35%) that paid the extortion demand either did not receive the decryption keys from attackers or were given corrupted keys, according to the report.