Ransomware attacks have been on the rise in recent years, inflicting significant damage on businesses and organizations around the world. One of the most concerning aspects of these attacks is that even when a ransom is paid, victims are not guaranteed to get their data back. This raises an important question: what percent of ransomware victims actually manage to recover their data after paying the ransom?
In the opening paragraphs, it is quick to summarize that the recovery rate for ransomware victims who pay the ransom is estimated to be between 20-30% on average based on available research and surveys. However, the exact recovery rate is difficult to pin down definitively, as it depends on many factors. These include the sophistication of the ransomware used in the attack, whether the attackers provide working decryption tools, and how quickly the ransom is paid. Nevertheless, current evidence suggests victims face long odds of recovering data after paying the ransom.
Background on Ransomware
Before digging into recovery rates, it is helpful to provide some background on what ransomware is and how it works. Ransomware is a form of malicious software that encrypts or locks up a victim’s files or systems, then demands a ransom payment to decrypt and restore access. It has emerged as a lucrative criminal enterprise, with ransom demands ranging from a few hundred to millions of dollars.
Some of the most damaging ransomware strains include WannaCry, NotPetya, and Ryuk. Ransomware is typically spread through phishing emails, compromised websites, or remote desktop connections. Once a system is infected, the ransomware encrypts files and often disables system recovery and backup tools to make decryption impossible without the attacker’s private key. A ransom note then appears demanding payment, usually in cryptocurrency.
Paying the ransom does not guarantee recovery, since attackers do not always provide working decryption tools. However, for many victims, paying the ransom can appear like the only option for getting their data back.
Estimates of Recovery Rates after Paying Ransom
So what do we know about the chances of recovering data after paying a ransomware ransom? Getting precise statistics is difficult, but surveys of ransomware victims and available research paint a gloomy picture. On average, it appears only 20-30% of organizations get their data back after payment.
According to one 2021 survey of nearly 1,300 security professionals globally, only 8% said they got back all their data after payment, while 29% said they got back no more than half their data. In other words, about 70-80% of victims did not fully recover their data despite paying the ransom.
Another 2021 survey of nearly 300 IT decision makers whose organizations suffered a ransomware attack found that just 30% were able to recover all their data after paying the ransom. However, the survey found larger organizations had better outcomes, with 46% managing full data recovery.
Researchers at CyberEdge Group reported similar findings from another 2021 survey of IT security professionals. They found that 29% of ransomware victims got back less than 20% of their encrypted data after payment. Only 23% reported getting back 90-100% of data.
These surveys indicate that on average, approximately 20-30% of victims successfully recover most or all their data after ransom payment. However, there are many caveats, as discussed next.
Factors Affecting Ransomware Recovery Rates
The likelihood of recovering encrypted data after payment depends on many variables, including:
– Type of ransomware: Some ransomware variants are programmed never to decrypt files even after payment, while others do provide working decryption tools.
– Timeliness of payment: The longer a victim waits to pay, the lower the chances of recovery, as attackers may stop responding.
– Quality of decryption tools: Attackers don’t always provide effective decryption tools. Tools may only work partially, or be so slow the recovery process gets dragged out.
– Use of backups: Having intact backups makes reliance on attacker-provided decryption tools less important. But many victims find backups were also encrypted or disabled.
– Negotiation: More favorable recovery rates may be negotiated if the victim has leverage over attackers. But most victims lack meaningful leverage.
– Organization size: Larger organizations appear more likely than smaller ones to get data back, perhaps due to greater resources.
These factors help explain the wide variance in reported recovery rates. For instance, one 2021 analysis of dozens of ransomware cases found recovery rates ranged from 0% to 100%. Victims of simpler “smash and grab” ransomware strains were less likely to recover data compared to those hit by “big game hunting” ransomware operated by cybercrime cartels.
Challenges Obtaining Accurate Statistics
While surveys provide useful information, there are also significant challenges in accurately determining recovery rates. Ransomware attacks frequently go unreported, so many cases are overlooked. Of those that are known, details on whether ransoms were paid and data recovered are closely held secrets.
Some other challenges include:
– Incomplete or biased samples: Surveys rely on voluntary participation and frequently have small sample sizes. Participants with the worst outcomes may be more motivated to respond.
– Honesty of responses: Victim organizations may be reluctant to admit paying ransoms or overstate recovery success.
– Definition of recovery: Is full recovery of all data required, or just recovery of critical data to resume operations?
– Data gaps: Ransoms may be paid but outcomes remain unknown if victims stop responding to researchers.
These factors make statistics on ransom payment success speculative. However, across multiple surveys and datasets, the recovery rate for ransomware victims appears low, generally between 20-30% on average.
Case Study Examples of Ransomware Recovery Outcomes
Looking at real-world examples provides additional insight into the ransom payment dilemma:
– The city of Riviera Beach, Florida paid hackers $600,000 in Bitcoin after a 2019 attack froze its systems. It received decryption tools to regain access to its encrypted data.
– Consulting firm The Hackett Group paid attackers an undisclosed sum in ransom but only recovered about 25-30% of encrypted data, losing millions in revenue.
– LG Electronics was hit by the DoppelPaymer ransomware in 2020 but refused to pay the $5 million ransom. It could not recover about 1TB of data.
– Pemex, Mexico’s state oil company, was crippled by DoppelPaymer ransomware in late 2019. After refusing to pay, it took nearly a month to restore systems and data.
These cases reinforce that even after paying ransoms, recovery is uncertain. But not paying also comes with massive costs from business disruption and data loss.
Should Ransoms be Paid?
For victims, deciding whether to pay ransoms is a complex calculus. Ethical considerations around rewarding criminal behavior must be weighed against economic costs if operations remain halted. While public policy advice is often “don’t pay ransoms”, the realities faced by victimized organizations are far less black and white.
Still, the low likelihood of recovering data after payment makes capitulating to ransom demands highly risky. Organizations should consider:
– Trying to negotiate more favorable terms of payment and proof of decryption capabilities.
– Exploring alternatives like restoring from backups before considering payment.
– Involving cybersecurity experts and law enforcement to improve odds of successful recovery.
Paying ransoms should only be an absolute last resort after exhausting all other options. And even then, victims must set expectations low for the chances of getting data back.
Improving Ransomware Resilience
Ultimately, reducing reliance on attacker-provided decryption tools requires improving defenses before an attack occurs. Organizations should:
– Institute strong cybersecurity awareness training to prevent infections through phishing, malware, or other vectors.
– Maintain layered backups stored offline and immutable to ransomware encryption. Test backups regularly for viability.
– Use technologies like email filtering, endpoint detection and response (EDR), and intrusion prevention systems (IPS) to block known ransomware.
– Segment networks to limit lateral movement and isolate high-value data.
– Have an incident response plan ready in case of ransomware infection to enable rapid containment and recovery.
– Keep offline backups of critical data and systems for quick restoration after an attack.
Effectively combating ransomware takes substantial resources and planning. But restoring from comprehensive backups makes organizations far less dependent on paying ransoms and hoping decryption tools work properly.
Conclusion
The decision of whether to pay ransomware ransoms is difficult for victimized organizations. However, available data suggests that on average, only 20-30% of ransomware victims manage to recover their encrypted data after payment. The likelihood of recovering data depends heavily on the type of ransomware, timeliness of payment, quality of decryption tools, whether backups are available, and effective negotiation.
While statistics are challenging to pin down conclusively, real-world examples underscore the minimal guarantee of getting data back even after paying ransoms. Organizations should focus efforts on improving security and backups to avoid getting into the situation of having to make the fraught payment decision at all. But if impacted by ransomware, comprehensive backup restoration is likely the best path for data recovery rather than relying on tools from threat actors. Paying ransoms should only be a last resort with full expectation that odds of complete data recovery are low.