UK CISOs are caving to ransomware demands more than you think, here’s why they shouldn’t pay up


One-third of UK-based CISOs have confessed to paying ransomware groups millions of dollars in recent years in a bid to alleviate the impact of an attack, according to new research. 

Analysis from security firm Trellix found four in ten UK CISOs have managed a ransomware attack in the last five years – and in every single case, their organization opted to pay.

Trellix found that one-third of CISOs paid between $5 million and $15 million to meet a ransom demand, while 13% paid between $10 million and $15 million.

The minimum ransom paid by all UK businesses across a five-year period stood at around $250,000, the study found.

Trellix said its research underlines the stark realities of ransomware attacks and the impact they have on organizations across a host of industries globally. Faced with the monumental task of remediation and regaining access to data, many simply opt to pay up.

"The impact of a ransomware attack is stark," said Fabien Rech, general manager and SVP EMEA at Trellix.

"Businesses are not only at risk of losing sensitive data, but there are also significant financial implications associated with paying the ransom. Our research is a sobering reminder of the vast scale of the issue, with all UK CISOs confessing that their businesses paid the demand to protect their data."

The research found that well-established cyber criminal groups such as AlphV/Blackcat and LockBit are continuing to target businesses of all sizes.

Sophisticated state-backed adversaries are also ramping up campaigns, the study found. More than 668,000 ransomware attacks were recorded in Q3 2023 alone.

"It’s crucial for UK businesses to bolster their defenses and invest in the right technology, if they are to successfully defend against ransomware attacks," Rech said.

"By implementing a security architecture that can readily adapt to emerging threats, organizations can better mitigate against attacks and protect their data and their bottom line."

Ransomware: To pay or not to pay

Ransomware payments have become a contentious issue of late. Last year, the US-led Counter Ransomware Initiative (CRI) agreed to never pay ransoms to hackers in a bid to tackle global cyber crime. 

Over 40 countries have pledged their support for the CRI, which aims to stem the flow of funding to sophisticated ransomware gangs.

But the question of whether or not to pay has sparked controversy in the security industry of late amid calls for companies to be sanctioned for paying up.

Last week, Emsisoft called for a blanket ban on ransomware payments, suggesting that this tactic represents the only realistic approach to completely stamping out ransomware gang activities.


“The only solution is to financially disincentivize attacks by completely prohibiting the payment of demands. At this point, a ban is the only approach that is likely to work,” said Brett Callow, threat analyst at Emsisoft.

The call to action from Emsisoft prompted a backlash from some industry stakeholders, who warned that government-imposed bans on complying with demands risk criminalizing victims and could result in a reluctance among firms to disclose breaches.

Speaking to ITPro at the time, Dominic Trott, director of strategy and alliances at Orange Cyberdefense, said a proposed ban would “shift the focus of criminality” from perpetrators to victims.

“Criminalizing ransom payments could shift the focus of criminality from the perpetrator to the victim, and set off a chain of unintended consequences, such as a reluctance to report breaches,” he said.

“Whether criminalized or not, businesses should not pay the ransom demanded of them.”

Proposals to implement a blanket ban on ransom payments were rejected in the US last year, although calls are now being made to reconsider the approach.

Trellix CEO Bryan Palma said the question of whether to meet demands is often a difficult decision for a business to make. As such, it’s the responsibility of the cyber security industry to create a safer environment for firms to operate in.

"Balancing what to do can be challenging. It is an organization’s decision, with laws and regulations to consider, and not one to make lightly. Policy leaders recognize the risks," he said.

"As an industry, we need to pursue a holistic approach to combat this issue. One focused on comprehensive cyber security resiliency, public-private collaboration, and threat information sharing. The result is safeguarding both corporate and national security interests."

Emma Woollacott

Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.