attacco ransomware Piergiorgio Venuti

Ransomware: a plague that brings companies and institutions to their knees. Should you pay the ransom? Here is the answer.

Estimated reading time: 5 minutes

The devastating impact of ransomware on businesses

Ransomware has become one of the most damaging cyber threats to businesses in recent years. Cyber criminals target company networks, encrypt important files, and demand a ransom to provide the decryption key. The dilemma of whether or not to pay the ransom is something every affected company has to face.

According to the 2021 Clusit report, ransomware attacks in Italy grew 105% compared to 2020, confirming themselves as the leading type of malware. The consequences of these attacks can be devastating, with systems locked, operations interrupted, and data encrypted. 66% of affected companies declared the impact ranged from moderate to catastrophic.

Recovery times after a ransomware attack are long: 48% of companies took at least 3 days to return to normal, but in some cases the disruptions continued for weeks. This causes significant productivity losses and missed earnings.

Why companies choose to pay the ransom

Despite the risks, about 30% of affected companies opt to pay the ransom. The motivations are:

  • Quickly obtaining the keys to resume operations as soon as possible
  • Avoiding immediate reputational impact by promptly paying the demand
  • Lack of reliable backups to restore systems
  • Presence of insurance policies covering the ransom
  • Perception that it is the only way to regain access to data

Often companies are not aware of the risks associated with payment, namely:

  • Having no guarantee of obtaining decryption keys
  • Financing further attacks thus incentivizing criminals
  • Incurring other costs and impacts post-payment

Cost/benefit analysis: is it worth paying the ransom?

ransomware attack

Before making a decision it is important to thoroughly evaluate the costs and benefits of paying the ransom:

Potential benefits:

  • Speed of system recovery and business continuity
  • Lesser immediate reputational impact

Potential risks and costs:

  • No guarantee of obtaining working keys
  • Financing organized crime
  • Violation of international sanctions
  • Post-attack costs: forensic analysis, system restoration, communications
  • Legal impacts and regulatory compliance
  • Long-term reputational damages

Most analysts agree that the potential damages outweigh the actual benefits. Companies should invest more in ransomware prevention.

Increasing trend despite the risks

Despite these assessments, ransomware ransom payments are on the rise. In 2021 attackers globally earned about $603 million, of which $350 million in the United States alone.

This shows that a certain percentage of companies still prefer to pay, driven by the need to quickly restore operations. But experts agree that this strategy only risks further fueling the ransomware threat.

How widespread is ransom payment by geographic area?

The propensity of companies to pay ransom can vary significantly by geographic region:

  • North America: about 33%
  • United Kingdom: 46%
  • Germany: 15%
  • Nordic countries: 10%
  • Australia: 42%
  • India: 28%
  • Singapore: 19%
  • Brazil: 35%
  • Chile: 13%
  • Argentina: 19%

In some countries the authorities strongly discourage and deter any payment, influencing the choices of affected companies. Also the overall cyber maturity of a country can affect it.

Ransomware-as-a-Service: a growing criminal business

Much of the growth in ransomware attacks is due to the spread of Ransomware-as-a-Service (RaaS) models. Criminal groups develop and manage the malware and infrastructure, then rent access to affiliates for a percentage of the attacks’ proceeds.

RaaS has made ransomware attacks within reach of even less skilled criminals. This has led to a proliferation of the threat. Dismantling this model requires an international commitment by law enforcement and governments.

The importance of investing more in prevention

The best strategy for addressing the growing ransomware threat is to invest more heavily in prevention, detection, and incident response. Companies should:

  • Implement strong multi-layered security defenses
  • Perform regular complete backups and test their restoration
  • Adequately train staff on cybersecurity
  • Have tested incident response plans in place
  • Always keep entire software fleet updated
  • Closely monitor network for suspicious activity

Cyber insurance and actively collaborating with law enforcement in case of an attack are also advisable.

Government support against attacks

Government authorities and law enforcement are trying to counter the ransomware threat with initiatives on multiple fronts:

  • Awareness campaigns towards citizens and companies
  • Platforms for sharing threat intelligence
  • Specialized units dedicated to fighting cybercrime
  • International cooperation for joint investigations and operations
  • Sanctions against organizations and states supporting ransomware
  • Discouraging or banning ransom payments

However, efforts need to be intensified, given the global scale the phenomenon has taken on and the vast resources available to the attackers.

Conclusions: better prevent than pay

In summary, the best strategy for dealing with ransomware remains heavily investing in prevention, rather than indulging attacker demands by paying ransoms. A culture of cybersecurity, robust technological defenses, and active collaboration with authorities are the most effective tools to counter this evolving threat.

SOD (Secure Online Desktop) can provide various useful services to prevent the problem of ransomware attacks:

  • Backup and disaster recovery: SOD can offer managed data backup services, both on-premise and cloud-based, to guarantee system restoration in case of a ransomware attack.
  • Virtualized servers: The use of virtualized servers hosted by SOD makes it harder for ransomware to encrypt data, thanks to isolation between virtual machines.
  • Threat monitoring and detection: SOD can monitor client company networks and detect suspicious activity to identify potential ongoing ransomware attacks.
  • Sandboxing: Suspicious files can be analyzed in an isolated environment to detect ransomware payloads before they reach production systems.
  • Security awareness training: SOD can provide cybersecurity training courses to make employees more aware of ransomware risks.
  • Vulnerability assessment: Penetration testing and vulnerability assessment to identify and correct vulnerabilities in systems exploited by ransomware.
  • Advanced endpoint protection: Endpoint detection and response solutions suitable for preventing and detecting ransomware attacks on company computers and devices.

By collaborating with SOD, companies can improve their defenses against the growing ransomware threat.

Useful links:

Share


RSS

More Articles…

Categories …

Tags

RSS Unknown Feed

RSS Full Disclosure

  • Defense in depth -- the Microsoft way (part 89): user group policies don't deserve tamper protection June 3, 2025
    Posted by Stefan Kanthak on Jun 03Hi @ll, user group policies are stored in DACL-protected registry keys [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies] respectively [HKEY_CURRENT_USER\Software\Policies] and below, where only the SYSTEM account and members of the "Administrators" user group are granted write access. At logon the user's registry hive "%USERPROFILE%\ntuser.dat" is loaded with exclusive (read, write and...
  • CVE-2025-45542: Time-Based Blind SQL Injection in CloudClassroom PHP Project v1.0 June 3, 2025
    Posted by Sanjay Singh on Jun 03Hello Full Disclosure list, I am sharing details of a newly assigned CVE affecting an open-source educational software project: ------------------------------------------------------------------------ CVE-2025-45542: Time-Based Blind SQL Injection in CloudClassroom PHP Project v1.0 ------------------------------------------------------------------------ Product: CloudClassroom PHP Project Vendor:...
  • ERPNext v15.53.1 Stored XSS in bio Field Allows Arbitrary Script Execution in Profile Page June 3, 2025
    Posted by Ron E on Jun 03An authenticated attacker can inject JavaScript into the bio field of their user profile. When the profile is viewed by another user, the injected script executes. *Proof of Concept:* POST /api/method/frappe.desk.page.user_profile.user_profile.update_profile_info HTTP/2 Host: --host-- profile_info={"bio":"\">"}
  • ERPNext v15.53.1 Stored XSS in user_image Field Allows Script Execution via Injected Image Path June 3, 2025
    Posted by Ron E on Jun 03An authenticated user can inject malicious JavaScript into the user_image field of the profile page using an XSS payload within the file path or HTML context. This field is rendered without sufficient sanitization, allowing stored script execution in the context of other authenticated users. *Proof of Concept:*POST /api/method/frappe.desk.page.user_profile.user_profile.update_profile_info HTTP/2 […]
  • Local information disclosure in apport and systemd-coredump June 3, 2025
    Posted by Qualys Security Advisory via Fulldisclosure on Jun 03Qualys Security Advisory Local information disclosure in apport and systemd-coredump (CVE-2025-5054 and CVE-2025-4598) ======================================================================== Contents ======================================================================== Summary Mitigation Local information disclosure in apport (CVE-2025-5054) - Background - Analysis - Proof of concept Local information disclosure in systemd-coredump...
  • Stored XSS via File Upload - adaptcmsv3.0.3 June 3, 2025
    Posted by Andrey Stoykov on Jun 03# Exploit Title: Stored XSS via File Upload - adaptcmsv3.0.3 # Date: 06/2025 # Exploit Author: Andrey Stoykov # Version: 3.0.3 # Tested on: Debian 12 # Blog: https://msecureltd.blogspot.com/ Stored XSS via File Upload #1: Steps to Reproduce: 1. Login with low privilege user and visit "Profile" > "Edit […]
  • IDOR "Change Password" Functionality - adaptcmsv3.0.3 June 3, 2025
    Posted by Andrey Stoykov on Jun 03# Exploit Title: IDOR "Change Password" Functionality - adaptcmsv3.0.3 # Date: 06/2025 # Exploit Author: Andrey Stoykov # Version: 3.0.3 # Tested on: Debian 12 # Blog: https://msecureltd.blogspot.com/ IDOR "Change Password" Functionality #1: Steps to Reproduce: 1. Login as user with low privilege and visit profile page 2. Select […]
  • Stored XSS "Send Message" Functionality - adaptcmsv3.0.3 June 3, 2025
    Posted by Andrey Stoykov on Jun 03# Exploit Title: Stored XSS "Send Message" Functionality - adaptcmsv3.0.3 # Date: 06/2025 # Exploit Author: Andrey Stoykov # Version: 3.0.3 # Tested on: Debian 12 # Blog: https://msecureltd.blogspot.com/ Stored XSS "Send Message" Functionality #1: Steps to Reproduce: 1. Login as normal user and visit "Profile" > "Message" > […]
  • Authenticated File Upload to RCE - adaptcmsv3.0.3 June 3, 2025
    Posted by Andrey Stoykov on Jun 03# Exploit Title: Authenticated File Upload to RCE - adaptcmsv3.0.3 # Date: 06/2025 # Exploit Author: Andrey Stoykov # Version: 3.0.3 # Tested on: Debian 12 # Blog: https://msecureltd.blogspot.com/ Authenticated File Upload to RCE #1: Steps to Reproduce: 1. Login as admin user and visit "System" > "Appearance" > […]
  • Stored XSS in "Description" Functionality - cubecartv6.5.9 June 3, 2025
    Posted by Andrey Stoykov on Jun 03# Exploit Title: Stored XSS in "Description" Functionality - cubecartv6.5.9 # Date: 05/2025 # Exploit Author: Andrey Stoykov # Version: 6.5.9 # Tested on: Debian 12 # Blog: https://msecureltd.blogspot.com/ Stored XSS #1: Steps to Reproduce: 1. Visit "Account" > "Address Book" and choose "Edit" 2. In the "Description" parameter […]

Customers

Newsletter

{subscription_form_1}