Ransomware attacks are becoming more frequent and more devastating – but paying up is no guarantee that data will be returned.

This is among the findings from Cybereason’s third annual ransomware study, commissioned to better understand the true impact of ransomware to businesses.

This global study reveals ransomware attacks are becoming more frequent, effective and sophisticated:

* 56% of organisations surveyed suffered more than one ransomware attack in the last 24 months.

* It still ‘doesn’t pay to pay’ as almost 80% of organisations who paid the ransom were hit a second time.

* 82% were hit again within a year.

* 63% were asked to pay again

The report, ‘Ransomware: The True Cost to Business 2024’, further revealed that of the organisations who opted to pay a ransom in return for their encrypted systems, only 47% received their data and solutions back uncorrupted.

These findings emphasise why it does not pay to pay ransomware attackers, and organisations should instead focus on detection and prevention tactics to end ransomware attacks before material damage occurs.

Cybereason’s global field CISO Greg Day says this year’s research shows that, while most businesses have a ransomware strategy in place, many are incomplete. “They’re either missing a documented plan, or the right people to execute it. As a result, we see that many organisations are paying the ransom.

“Likewise whilst many have cyber insurance, too many simply don’t know if, or to what degree it covers them for ransomware attacks. This is problematic on several levels. It’s no guarantee that attackers won’t sell your data on the black market, that you’ll even get your full files and systems back, or that you won’t be attacked again.”

Further key findings of the study include:

* Attackers are evolving and the supply chain shows weakness – 56% didn’t detect a breach for 3-12 months, with 41 percent of the attackers getting in via a supply chain partner.

* Attacker demands increase at every stage – 78% were breached a second time, with 63% being asked to pay more.

* The true cost is staggering – 46% estimate total business losses of $1-million to $10-million and 16% estimate total business losses of over $10-million. Not to mention the loss of revenue, brand damage and layoffs that followed.

* Businesses don’t have the right tools – Less than half said their businesses are adequately prepared for the next attack. While 87% of organisations increased spend, only 41% feel they have the right people and plans in place to manage the next attack.