News

Report: Paying Ransomware Attackers Doesn't Ensure Data Recovery

• By Chris Paoli
• 05/18/2022

Paying the demands of ransomware attackers for hijacked organizational data does not come with a guarantee that organizations will recover that data.

According to the "2022 Ransomware Trends Report" released by backup and data recovery firm Veeam this week at its VeeamON conference, 24 percent of organizations that paid the amount demanded by ransomware attackers ended up not recovering their stolen data.

The report, compiled by surveying 1,000 global IT leaders. also found that 19 percent of those affected by ransomware were able to recover their data through their own means and without having to pay off the attackers. According to Veeam, this shows that ransomware attacks, when countered, are possible to reverse.

It also indicates that most organizations don't have the tools or know-how to try to recover their hijacked data before they end up paying for their data back.

"One of the hallmarks of a strong Modern Data Protection strategy is a commitment to a clear policy that the organization will never pay the ransom, but do everything in its power to prevent, remediate and recover from attacks," said Danny Allan, CTO at Veeam. "Despite the pervasive and inevitable threat of ransomware, the narrative that businesses are helpless in the face of it is not an accurate one."

Allan added that IT should routinely test their data protection solutions and protocols and ensure that employees are well-versed in spotting possible ransomware attacks.

When data is eventually recovered after remediation through payment, data recovery took an average of 18 days. And, in some cases, longer. Some organizations (22 percent) reported it took one to two months to fully recover the data, and 3 percent said they were down for two to four months.

While some of that time was spent decrypting the encrypted stolen data, much of the downtime could be attributed to deep scans of restored systems to confirm they were "clean" from any ransomware remnants.

According to the report, phishing e-mails and malicious links and Web sites continue to be the top (44 percent) ransomware entry points, with infected patches and software coming right behind with 41 percent of all ransomware attacks by those surveyed. Here are the remaining entry point sources:

• Compromised credentials and spraying attacks (35 percent).
• Insider threats (32 percent).
• Zero-day vulnerabilities (26 percent).

The good news is that according to those surveyed, only 1 percent of those who experienced a ransomware attack were not able to identify the entry point. Veeam credits the improvements in monitoring tools and a concerted effort toward ransomware prevention by many IT shops for the high success in identifying the source of ransomware.

As for what attackers go for when a system is infiltrated, the report finds that backup repositories were targeted 94 percent of the time. Further, specific production platforms or application types were targeted in 80 percent of successful ransomware attacks, making ransomware prevention not just a duty of IT security.

"This alone should drive broader conversations within IT, so cyber security isn't just the delegated to the security team; database administrators should also help ensure that database servers are secure and administrators should help ensure hypervisors are patched, that Windows updates are routinely run, etc.," read the report.