58% of Ransomware Victims Forced to Shut Down Operations
Over half (58%) of organizations hit by ransomware in 2024 were forced to shut down operations in order to recover, according to a new report by the Ponemon Institute.
This represents a significant increase from the previous Global Cost of Ransomware Study by Ponemon from 2021, which found that 45% of ransomware victims shut down operations as a consequence of the attack.
The new report emphasized the growing impact ransomware attacks are having on victims’ revenue and reputations.
The proportion of respondents that reported a significant revenue loss as a result of a ransomware attack nearly doubled from 2021 to 2024, from 22% to 40%.
Additionally, 35% of organizations said they experienced brand damage as a consequence of a ransomware attack in 2024, up from 21% in 2021.
Encouragingly, organizations recovered faster from ransomware attacks in 2024 compared to 2021. According to the findings, containment and remediation of an organization’s largest ransomware attack took an average of 132 hours and used an average of 17.5 staff and third parties. This resulted in an overall average cost of $146,685.
In 2021, organizations spent an average of 190 hours and had 14 staff and third parties involved in containment and remediation, costing an average of $168,910.
Reputation and brand damage is now considered to be the biggest financial cost of a ransomware attack, replacing the costs associated with legal and regulatory actions in 2021.
The study surveyed 2547 IT and cybersecurity practitioners in the US, UK, Germany, France, Australia and Japan who are responsible for addressing ransomware attacks.
Majority of Victims Paid a Ransom
The report found that 51% of ransomware victims paid a ransom demand to the attackers. The motivations for paying a demand were:
- We didn’t want our data leaked (47%)
- We cannot afford downtime (47%)
- We have cyber insurance (41%)
- All of the above (40%)
Data exfiltration was the most common tactic used by ransomware groups to exert pressure to pay a ransom (47%). This was followed by DDoS attacks (45%), data encryption (43%) and communicating with stakeholders/customers (34%).
However, paying the ransom usually did not prevent negative consequences of such an attack.
Just 13% of respondents said all impacted data was recovered after paying a ransom. Additionally, 40% said that the data was still leaked following payment, while 32% revealed the attackers demanded further payment or threatened more attacks.
Of the 49% of ransomware victims that did not pay a ransom demand, the main reasons for not doing so were:
- Compromised data wasn’t critical (49%)
- Having an effective backup strategy (48%)
- Company policy (47%)
- Lack of trust in the provision of a decryption key (46%)
- Law enforcement advice (40%)
- Other (4%)
Just 28% of respondents said their organizations informed law enforcement when they were hit by ransomware. The primary reasons for not wanting to report these incidents were unwanted publicity (39%), being up against a payment deadline (38%), fear of retaliation (38%) and not believing the extortion demand was exorbitant (24%).
How Ransomware Actors Are Compromising Victims
Phishing was the most common way of delivering ransomware, making up 45% of incidents. This represents a slight fall compared to 2021, when phishing was used in 48% of ransomware attacks.
The next most common methods were remote desktop protocol (RDP) compromises (32%) and exploiting software vulnerabilities (19%). The proportion of ransomware payloads delivered through a software vulnerability rose slightly compared to 2021 (16%).
The report found that cybercriminals are increasingly targeting vulnerabilities once in a network to achieve lateral movement and privilege escalation. Over half (52%) of respondents said systems with unpatched vulnerabilities are targeted for these activities, a significant rise from 33% in 2021.