attacco ransomware Piergiorgio Venuti

Ransomware: a plague that brings companies and institutions to their knees. Should you pay the ransom? Here is the answer.

Estimated reading time: 5 minutes

The devastating impact of ransomware on businesses

Ransomware has become one of the most damaging cyber threats to businesses in recent years. Cyber criminals target company networks, encrypt important files, and demand a ransom to provide the decryption key. The dilemma of whether or not to pay the ransom is something every affected company has to face.

According to the 2021 Clusit report, ransomware attacks in Italy grew 105% compared to 2020, confirming themselves as the leading type of malware. The consequences of these attacks can be devastating, with systems locked, operations interrupted, and data encrypted. 66% of affected companies declared the impact ranged from moderate to catastrophic.

Recovery times after a ransomware attack are long: 48% of companies took at least 3 days to return to normal, but in some cases the disruptions continued for weeks. This causes significant productivity losses and missed earnings.

Why companies choose to pay the ransom

Despite the risks, about 30% of affected companies opt to pay the ransom. The motivations are:

  • Quickly obtaining the keys to resume operations as soon as possible
  • Avoiding immediate reputational impact by promptly paying the demand
  • Lack of reliable backups to restore systems
  • Presence of insurance policies covering the ransom
  • Perception that it is the only way to regain access to data

Often companies are not aware of the risks associated with payment, namely:

  • Having no guarantee of obtaining decryption keys
  • Financing further attacks thus incentivizing criminals
  • Incurring other costs and impacts post-payment

Cost/benefit analysis: is it worth paying the ransom?

ransomware attack

Before making a decision it is important to thoroughly evaluate the costs and benefits of paying the ransom:

Potential benefits:

  • Speed of system recovery and business continuity
  • Lesser immediate reputational impact

Potential risks and costs:

  • No guarantee of obtaining working keys
  • Financing organized crime
  • Violation of international sanctions
  • Post-attack costs: forensic analysis, system restoration, communications
  • Legal impacts and regulatory compliance
  • Long-term reputational damages

Most analysts agree that the potential damages outweigh the actual benefits. Companies should invest more in ransomware prevention.

Increasing trend despite the risks

Despite these assessments, ransomware ransom payments are on the rise. In 2021 attackers globally earned about $603 million, of which $350 million in the United States alone.

This shows that a certain percentage of companies still prefer to pay, driven by the need to quickly restore operations. But experts agree that this strategy only risks further fueling the ransomware threat.

How widespread is ransom payment by geographic area?

The propensity of companies to pay ransom can vary significantly by geographic region:

  • North America: about 33%
  • United Kingdom: 46%
  • Germany: 15%
  • Nordic countries: 10%
  • Australia: 42%
  • India: 28%
  • Singapore: 19%
  • Brazil: 35%
  • Chile: 13%
  • Argentina: 19%

In some countries the authorities strongly discourage and deter any payment, influencing the choices of affected companies. Also the overall cyber maturity of a country can affect it.

Ransomware-as-a-Service: a growing criminal business

Much of the growth in ransomware attacks is due to the spread of Ransomware-as-a-Service (RaaS) models. Criminal groups develop and manage the malware and infrastructure, then rent access to affiliates for a percentage of the attacks’ proceeds.

RaaS has made ransomware attacks within reach of even less skilled criminals. This has led to a proliferation of the threat. Dismantling this model requires an international commitment by law enforcement and governments.

The importance of investing more in prevention

The best strategy for addressing the growing ransomware threat is to invest more heavily in prevention, detection, and incident response. Companies should:

  • Implement strong multi-layered security defenses
  • Perform regular complete backups and test their restoration
  • Adequately train staff on cybersecurity
  • Have tested incident response plans in place
  • Always keep entire software fleet updated
  • Closely monitor network for suspicious activity

Cyber insurance and actively collaborating with law enforcement in case of an attack are also advisable.

Government support against attacks

Government authorities and law enforcement are trying to counter the ransomware threat with initiatives on multiple fronts:

  • Awareness campaigns towards citizens and companies
  • Platforms for sharing threat intelligence
  • Specialized units dedicated to fighting cybercrime
  • International cooperation for joint investigations and operations
  • Sanctions against organizations and states supporting ransomware
  • Discouraging or banning ransom payments

However, efforts need to be intensified, given the global scale the phenomenon has taken on and the vast resources available to the attackers.

Conclusions: better prevent than pay

In summary, the best strategy for dealing with ransomware remains heavily investing in prevention, rather than indulging attacker demands by paying ransoms. A culture of cybersecurity, robust technological defenses, and active collaboration with authorities are the most effective tools to counter this evolving threat.

SOD (Secure Online Desktop) can provide various useful services to prevent the problem of ransomware attacks:

  • Backup and disaster recovery: SOD can offer managed data backup services, both on-premise and cloud-based, to guarantee system restoration in case of a ransomware attack.
  • Virtualized servers: The use of virtualized servers hosted by SOD makes it harder for ransomware to encrypt data, thanks to isolation between virtual machines.
  • Threat monitoring and detection: SOD can monitor client company networks and detect suspicious activity to identify potential ongoing ransomware attacks.
  • Sandboxing: Suspicious files can be analyzed in an isolated environment to detect ransomware payloads before they reach production systems.
  • Security awareness training: SOD can provide cybersecurity training courses to make employees more aware of ransomware risks.
  • Vulnerability assessment: Penetration testing and vulnerability assessment to identify and correct vulnerabilities in systems exploited by ransomware.
  • Advanced endpoint protection: Endpoint detection and response solutions suitable for preventing and detecting ransomware attacks on company computers and devices.

By collaborating with SOD, companies can improve their defenses against the growing ransomware threat.

Useful links:



More Articles…

Categories …


RSS darkreading

RSS Full Disclosure

  • BACKDOOR.WIN32.DUMADOR.C / Remote Stack Buffer Overflow (SEH) April 19, 2024
    Posted by malvuln on Apr 19Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2024 Original source: Contact: malvuln13 () gmail com Media: Threat: Backdoor.Win32.Dumador.c Vulnerability: Remote Stack Buffer Overflow (SEH) Description: The malware runs an FTP server on TCP port 10000. Third-party adversaries who can reach the server can send a specially […]
  • SEC Consult SA-20240418-0 :: Broken authorization in Dreamehome app April 19, 2024
    Posted by SEC Consult Vulnerability Lab via Fulldisclosure on Apr 19SEC Consult Vulnerability Lab Security Advisory < 20240418-0 > ======================================================================= title: Broken authorization product: Dreamehome app vulnerable version:
  • MindManager 23 - full disclosure April 19, 2024
    Posted by Pawel Karwowski via Fulldisclosure on Apr 19Resending! Thank you for your efforts. GitHub - pawlokk/mindmanager-poc: public disclosure Affected application: MindManager23_setup.exe Platform: Windows Issue: Local Privilege Escalation via MSI installer Repair Mode (EXE hijacking race condition) Discovered and reported by: Pawel Karwowski and Julian Horoszkiewicz (Eviden Red Team) Proposed mitigation:...
  • CVE-2024-31705 April 14, 2024
    Posted by V3locidad on Apr 14CVE ID: CVE-2024-31705 Title : RCE to Shell Commands" Plugin / GLPI Shell Command Management Interface Affected Product : GLPI - 10.X.X and last version Description: An issue in Infotel Conseil GLPI v.10.X.X and after allows a remote attacker to execute arbitrary code via the insufficient validation of user-supplied input. […]
  • SEC Consult SA-20240411-0 :: Database Passwords in Server Response in Amazon AWS Glue April 14, 2024
    Posted by SEC Consult Vulnerability Lab via Fulldisclosure on Apr 14SEC Consult Vulnerability Lab Security Advisory < 20240411-0 > ======================================================================= title: Database Passwords in Server Response product: Amazon AWS Glue vulnerable version: until 2024-02-23 fixed version: as of 2024-02-23 CVE number: - impact: medium homepage: found:...
  • [KIS-2024-03] Invision Community <= 4.7.16 (toolbar.php) Remote Code Execution Vulnerability April 11, 2024
    Posted by Egidio Romano on Apr 10------------------------------------------------------------------------------ Invision Community
  • [KIS-2024-02] Invision Community <= 4.7.15 (store.php) SQL Injection Vulnerability April 11, 2024
    Posted by Egidio Romano on Apr 10-------------------------------------------------------------------- Invision Community
  • Multiple Issues in concretecmsv9.2.7 April 11, 2024
    Posted by Andrey Stoykov on Apr 10# Exploit Title: Multiple Web Flaws in concretecmsv9.2.7 # Date: 4/2024 # Exploit Author: Andrey Stoykov # Version: 9.2.7 # Tested on: Ubuntu 22.04 # Blog: Verbose Error Message - Stack Trace: 1. Directly browse to edit profile page 2. Error should come up with verbose stack trace […]
  • OXAS-ADV-2024-0001: OX App Suite Security Advisory April 11, 2024
    Posted by Martin Heiland via Fulldisclosure on Apr 10Dear subscribers, We&apos;re sharing our latest advisory with you and like to thank everyone who contributed in finding and solving those vulnerabilities. Feel free to join our bug bounty programs for OX App Suite, Dovecot and PowerDNS at YesWeHack. This advisory has also been published at […]
  • / Insecure Permissions (In memory IPC) April 11, 2024
    Posted by malvuln on Apr 10Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2024 Original source: Contact: malvuln13 () gmail com Media: Threat: Vulnerability: Insecure Permissions (In memory IPC) Family: Razy Type: PE32 MD5: 0eb4a9089d3f7cf431d6547db3b9484d SHA256: 3d82fee314e7febb8307ccf8a7396b6dd53c7d979a74aa56f3c4a6d0702fd098 Vuln ID: MVID-2024-0678...