If you’re thinking of paying a ransom demand, think again.

For years now, law enforcement has been urging victims of ransomware attacks not to pay ransom. Their explanations are simple: (1) criminals do not keep their word to delete any data they have stolen from you, (2) criminals will not keep their word not to attack you again, and (3) paying criminals encourages them to not only attack you again, but to attack others.

A recent survey of more than 1,000 enterprise IT professionals provides strong support for that advice. All of the respondents had been the victims of breaches within the past 24 months. The survey, conducted by Censuswide for Cybereason, asked some simple but important questions about how the breach occurred, whether the victims paid, and, if they did, why they paid. It also asked what happened afterward.

One of the most striking findings was that 84% of the victims paid the ransom, but only 47% got their data and services back uncorrupted. 82% were then breached again within a year — 36% by the same threat actor(s) and 42% by a different actor. Of those, 63% were asked to pay even more the second time!

From Ransomware: The True Cost, p. 7. Cybereason, 2024.

The paper, Ransomware: The True Cost to Business 2024, also includes recommendations for businesses, but its central message is that organizations should decide not to pay ransom.