Nearly 80% of firms hit by ransomware in the last two years were compromised a second time

Almost eight-in-ten organizations that met ransomware demands in the last two years were hit a second time, according to new research from Cybereason.

Analysis from the security firm found that 56% of organizations suffered more than one ransomware attack in the last 24 months, and nearly two-thirds (63%) were asked to pay again.

Meanwhile, of the organizations that chose to pay a ransom in return for their encrypted systems, only 47% actually got their data and solutions back uncorrupted.

Greg Day, global field CISO at Cybereason, said the research highlights the fact that organizations choosing to engage with ransomware groups can’t guarantee their future safety after meeting demands.

“This year’s research shows that, while most businesses have a ransomware strategy in place, many are incomplete. They’re either missing a documented plan, or the right people to execute it. As a result, we see that many organizations are paying the ransom,” he added.

While many have cyber insurance, too many don’t know whether, or to what degree, it covers them for ransomware attacks. Similarly, Day warned that there is no guarantee that critical data won’t be leaked, regardless of whether the victim agrees to pay.

“This is problematic on several levels,” he said. “It’s no guarantee that attackers won’t sell your data on the black market, that you’ll even get your full files and systems back, or that you won’t be attacked again.”

The supply chain is a particular weakness highlighted in the Cybereason study.

More than half (56%) of organizations didn’t detect a breach for between three and 12 months, with 41% of attackers getting in via a supply chain partner.

Nearly half of organizations reckon their total business losses to have been between $1 million and $10 million, with 16% putting the figure at even more than that.

Fewer than half said their businesses were adequately prepared for the next attack, with only 41% feeling they have the right people and plans in place to manage the next attack, despite 87% saying they've increased spending.

LockBit takedown shows you can’t trust the promises of ransomware gangs

The recent takedown of the notorious LockBit ransomware group by the UK’s National Crime Agency (NCA), the FBI, and international partners offers enterprises a prime example of why paying demands is ill advised.

Detailing the takedown, the NCA said that analysis of LockBit systems showed that data belonging to previous victims who paid a ransom was still held by the group.

Paying ransoms “does not guarantee that data will be deleted, despite what the criminals have promised,” the NCA said.

However, plenty of organizations are still doing it, with recent research from data security and management firm Cohesity indicating that while 94% of UK organizations have a policy not to pay out in the event of a ransomware attack, virtually all of those that have fallen victim in the past two years have gone ahead and done so.

Emma Woollacott

Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.