Why paying the ransom is not the answer


Ransomware attacks continue to be on the rise and show no signs of slowing down. In fact, a ransomware attack occurs every 39 seconds. That’s over 2200 attacks per day. The sophistication of these attacks evolves constantly, making it extremely challenging for any organization to maintain a strong security posture.

New ransomware variants employ various tactics to compromise data, including slow encryption, shadow encryption, and byte replacement techniques. Additionally, attackers are increasingly focusing on data exfiltration, threatening to publish sensitive information if a ransom is not paid. No industry is immune to these threats, with ransomware campaigns specifically targeting sectors like supply chain, healthcare, and state and local governments.

Scott Cooper

VP of Field Engineering at Index Engines.

The risk in paying the ransom

Many organizations believe that paying the ransom will restore their operations quickly, but the reality is far more complex. A 2024 study by security provider Sophos found that recovering from a ransomware attack typically costs 10 times more than the ransom itself. Attackers have also learned to target critical backup and data protection infrastructure, further complicating recovery. In fact, 94% of ransomware attacks involve attempts to compromise backups, with 57% of those attempts proving successful.

Beyond the financial costs, ransomware attacks lead to operational downtime, disrupting business processes, reducing productivity, and harming profitability. The financial consequences extend beyond the ransom itself, including recovery expenses, regulatory fines, and in some cases, business closures. Organizations that pay ransoms and cannot recover their data often see significant increases in cyber insurance rates because they are at a higher risk of a second attack.

Even when the ransom is paid, the ransomware may already have corrupted or permanently deleted critical data, undermining long-term business continuity. Customer trust is difficult to rebuild after a data breach, and failure to protect sensitive information can lead to severe penalties under regulations like GDPR and HIPAA.

Prioritize recovery - Every ransom fuels the next attack

Paying the ransom only perpetuates the cycle of cybercrime. Instead of funding attackers, organizations must invest in a recovery-first approach that ensures operational resilience and minimizes downtime. This approach starts with immutable backups or snapshots, ensuring that data cannot be altered or deleted by ransomware.

Secure ransomware detection mechanisms must be in place to identify ransomware attacks and give confidence that data brought back online does not reinfect the system. Continuous data validation ensures that backups remain recoverable and uncompromised. Finally, proven recovery strategies must be implemented to restore operations without resorting to ransom payments.
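The paragraph above names two controls, an immutable record of what the backup contained and continuous validation that it still contains it. The script below is an added illustration of how those two fit together; it is not code from the article or from Index Engines. It assumes a per-file SHA-256 manifest is written to write-once storage at backup time, and that a later validation pass re-hashes the backup and compares. Files whose hash changed and whose new content is high-entropy (a constructed threshold of 7.0 bits per byte) are flagged as likely encrypted, which distinguishes ransomware overwriting data in place from an ordinary edit. All file contents and names are constructed sample data.

```python
import hashlib
import math
from collections import Counter

# Entropy above this (bits per byte, maximum 8.0) is typical of encrypted or
# compressed data; plaintext documents and logs usually sit well below it.
# The threshold is an assumption for this example, not a figure from the article.
ENTROPY_THRESHOLD = 7.0


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input, 8.0 at most)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def build_manifest(files: dict) -> dict:
    """Hash every file at backup time.

    The manifest is what belongs on immutable (WORM) storage: if an intruder
    can rewrite both the data and its manifest, validation proves nothing.
    """
    return {path: sha256(content) for path, content in files.items()}


def validate_backup(manifest: dict, snapshot: dict) -> dict:
    """Compare a backup snapshot against its trusted manifest.

    Returns a report with:
      missing          - paths in the manifest the snapshot no longer has
      modified         - paths whose content hash changed
      likely_encrypted - modified paths whose new content is high-entropy,
                         the signature of ransomware overwriting files in place
      clean            - True only if nothing is missing or modified
    """
    missing, modified, likely_encrypted = [], [], []
    for path, expected in manifest.items():
        content = snapshot.get(path)
        if content is None:
            missing.append(path)
            continue
        if sha256(content) != expected:
            modified.append(path)
            if shannon_entropy(content) >= ENTROPY_THRESHOLD:
                likely_encrypted.append(path)
    return {
        "missing": missing,
        "modified": modified,
        "likely_encrypted": likely_encrypted,
        "clean": not missing and not modified,
    }


def _pseudo_ciphertext(size: int, seed: bytes) -> bytes:
    """Deterministic high-entropy bytes standing in for encrypted content (constructed)."""
    out, block = bytearray(), seed
    while len(out) < size:
        block = hashlib.sha256(block).digest()
        out.extend(block)
    return bytes(out[:size])


# Constructed sample backup: three small plaintext files.
ORIGINAL_FILES = {
    "finance/ledger.csv": b"date,account,amount\n" + b"2024-01-01,4010,125.00\n" * 200,
    "hr/handbook.txt": b"Employee handbook. Section 1: Welcome.\n" * 100,
    "ops/runbook.md": b"# Runbook\n\n1. Check alerts\n2. Page on-call\n" * 50,
}
MANIFEST = build_manifest(ORIGINAL_FILES)

# Constructed "after the attack" snapshot: one file encrypted in place, one
# legitimately edited after the backup, one deleted outright.
TAMPERED_SNAPSHOT = dict(ORIGINAL_FILES)
TAMPERED_SNAPSHOT["finance/ledger.csv"] = _pseudo_ciphertext(4096, b"constructed-seed")
TAMPERED_SNAPSHOT["hr/handbook.txt"] = ORIGINAL_FILES["hr/handbook.txt"] + b"\nEdited after backup.\n"
del TAMPERED_SNAPSHOT["ops/runbook.md"]

if __name__ == "__main__":
    for label, snap in (("pristine", ORIGINAL_FILES), ("tampered", TAMPERED_SNAPSHOT)):
        report = validate_backup(MANIFEST, snap)
        print(f"{label}: clean={report['clean']} missing={report['missing']} "
              f"modified={report['modified']} likely_encrypted={report['likely_encrypted']}")
```

On a real backup system the manifest would be computed from the stored copy and the validation pass scheduled against every retained snapshot, so that a point-in-time copy found clean can be chosen for restore. The entropy check is a heuristic: already-compressed or encrypted-at-rest files score high by nature, so such paths need to be whitelisted or compared only by hash.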

By prioritizing recovery, organizations can disrupt the economic incentives that drive cybercriminals and enhance their long-term security posture. A strong focus on recovery does not just mitigate the effects of a ransomware attack, it helps break the cycle of funding future attacks.

Every ransom paid strengthens cybercriminals, enabling them to develop more sophisticated attacks that target more victims. Organizations that invest in secure, reliable recovery measures play a crucial role in stopping the spread of ransomware.

Post-attack recovery

Businesses are doing what they believe is right and many are making heavy investments in security. Yet the vulnerabilities persist, leaving these organizations susceptible to ransomware. Many traditional resilience solutions fall short in ensuring quick and reliable recovery. To truly secure their environments, businesses must go beyond conventional approaches and implement comprehensive data integrity strategies.

A robust post-attack recovery plan should include forensic analysis to understand how the attack occurred and identify compromised systems, accurate ransomware behavior detection to detect anomalies that signal an ongoing attack, and a unified approach to data integrity to ensure that only clean and uncorrupted backups are restored. Organizations must also establish clear recovery objectives, including defined recovery timeframes and prioritized systems for restoration, to ensure minimal disruption and maximum effectiveness.

Prepare for the future

Cyber resilience requires a proactive, team-oriented approach. In siloed organizations less institutional knowledge is shared, which creates gaps in security. Organizations should take multiple steps to strengthen their defenses, including implementing multi-factor authentication, network segmentation, and intrusion detection systems. Regular security audits should be conducted to identify vulnerabilities before attackers can find and exploit them. Incident response training is also important: simulations and drills prepare teams to respond in a coordinated way.

The bottom line is it’s not if, but when ransomware will come to call, and prevention alone is not enough. A comprehensive data recovery plan, regularly tested and updated, will ensure that organizations can restore operations with minimal disruption and as quickly as possible. Recovery-first strategies must be ingrained in business continuity planning, ensuring that businesses can continue functioning even in the face of sophisticated cyber threats. By emphasizing data integrity and adopting a recovery-first mindset, organizations can break the cycle of ransomware attacks and fortify their cybersecurity defenses for the future.


This article was produced as part of TechRadarPro's Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro
