NEW Semperis Ransomware Study: Global Organizations Should Brace for Holiday Season Cyberattacks
Ransomware Risk Report: Embracing the Assume Breach Mindset

Victims Hit Multiple Times, 78% Paid Ransom

A global study of 900 IT and security professionals reveals that 74% of organizations targeted by ransomware were attacked multiple times, and 78% of victim organizations paid ransom, pointing to a cycle of breaches that cause escalating damage in revenue losses, operational cost, and—in some cases—human health and safety.

Get the report

We must assume an ever-present state of threat. This is not just the notorious cases that we hear about every quarter or so. This is happening all day, every day, to a range of companies.

Chris Inglis Strategic Advisor, Semperis & first US National Cyber Director, former Deputy Director of the NSA

Alarming attack frequency, severity, and consequences

Ransomware, once a sporadic menace, has evolved into an unrelenting adversary. Criminal groups orchestrate multiple strikes in rapid succession, exploiting vulnerabilities across organizations. Critical systems, including Microsoft Active Directory, are a top attack target.

The 2024 Ransomware Risk Report reveals concerning statistics for business, IT, and security leaders.

Get the report
83%
of responding organizations were victims of a ransomware attack in the past 12 months
74%
of ransomware victims were attacked multiple times
78%
of victims paid ransom (32% paid 4 times or more)
35%
of victims that paid ransom failed to receive decryption keys or were unable to recover their files and assets

When multiple attacks happen, they tend to happen in quick succession. These data points suggest that multiple criminal gangs are leveraging organizations’ vulnerabilities to detonate a second or third malicious attack—in some cases, simultaneously.

Simon Hodgkinson Semperis Strategic Advisor & former bp CISO

Coming to terms with ransomware

Companies are suffering successful ransomware attacks multiple times within the same year—resulting in closures, layoffs, loss of revenue and customer trust, and cancelation of cyber insurance.

74%

of companies were attacked by ransomware not once, but multiple times—54% on the same day, and most within the span of a week.

78%

of targeted organizations paid the ransom—72% paid multiple times, and 32% paid 4 times or more.

Mickey Bresman, Semperis CEO

The cost of what you pay to a ransomware group is not where the damage will end. And certain attacks aren’t money-driven; rather they aim to cause chaos and disruption.

Mickey Bresman Semperis CEO

Attacks cause data loss and business outages, even for victims with general backups

Ransomware attacks cause widespread and pervasive disruption, even for organizations that have general backups in place. Attackers are breaching systems through embedded operating systems, outdated technology that hasn’t had regular security updates, and long-forgotten backdoors.

Overall, complexity is rising, and you can only do so much in a day. Cloud computing has not lessened the burden or reduced operational complexity. You have to assume that malicious activity is happening in in your network, and you need the ability to find and undo it.

Guido Grillenmeier Semperis Principal Technologist (EMEA)

Can companies say “no” to ransomware?

Although 70% of respondents had an identity recovery plan in place, only 27% of respondents had dedicated, AD-specific backup systems. 61% of ransomware victims required more than a day to recover minimal IT functionality, extending business disruptions.

72%

of victims paid ransom multiple times

32%

paid ransom 4 times or more

Why did companies pay ransom?

Many respondents noted a desire to return to normal business as quickly as possible as a reason for paying ransom. Others, especially those in the IT/telecom industry, paid because they had cyber insurance to defray the costs. Still others considered the threat to patients, customers, their business, or their reputation to be worth the price of ransom. Unfortunately, ransom payment does not guarantee the receipt of usable decryption keys. Furthermore, attackers often use ransomware to deliver malware that can reinfect systems or cause other damage.

Threat to business, customers, or reputation
Access to cyber insurance
Quickly restore business operations
Systemic weakness make AD a soft target
Matter of life or death

The true cost of ransomware

In any complex organization, security budget, staffing, and resource decisions are a balancing act. However, in the case of ransomware, executive leadership might be making those decisions without a complete understanding of the potential costs after an attack. Ransom payment does not guarantee the receipt of usable decryption keys. Furthermore, attackers often use ransomware to deliver malware that can reinfect systems or cause other damage. A successful attack typically costs much more than a ransom payment.

Ransomware attacks cause collateral damage far beyond the ransom payment

The ransom payment itself is only the beginning of the costs incurred from a ransomware attack.

“The cost of the ransom payment is not the sum total of the actual damage,” says Semperis CEO Mickey Bresman. “Certain attacks aren’t money-driven; rather they are aimed at causing chaos and disruption. In addition, the money that you pay is being used for other criminal activities, like human trafficking, drugs, and weapons.”

Chris Inglis noted that a ransomware attack is not a one-time or limited-time event that you can quickly address and then move on from.

“This is a life-changing event that has enduring, lingering effects. Loss of customer trust, loss of cyber insurance, regulatory prosecution … that scrutiny never goes away.”

Systemic weakness make AD a soft target
Business disruption
Temporary or permanent closings
Brand damage
Loss of revenue or customers
Fines, lawuits, and cyber insurance cancellation
Over 80% of all breaches involve credential abuse
Layoffs and resignations

Few companies maintain dedicated identity protection

The identity system, particularly Active Directory, is now the security perimeter for enterprise organizations. The digitization of the modern enterprise has eliminated the idea of a defensible perimeter, creating a complex landscape for security professionals—and a broad attack surface for cyber criminals. Without AD-specific, malware-free backups, and a tested cyber-specific recovery plan, recovery will be prolonged, increasing the chance that the organization will decide to pay ransom to restore business operations.

At the center of this whole discussion is business viability: the ability of the company to achieve its aspirations and its commitments on behalf of its shareholders and customers. Attackers are trying to hold that at risk so that they can then convince you to buy them out. If they can achieve a successful attack on identity, then they own privilege, and they can then use that privilege to their benefit.

Chris Inglis Semperis Strategic Advisor & First US National Cyber Director

Everything relates to the core of access. Once an attacker gets Tier 0 access, you have limited time to protect the remaining infrastructure.

Jeff Wichman Senior Director of Incident Response

Every minute that the identity system is down is extremely painful. I chatted with a customer who tested the Active Directory (AD) recovery plan with the systems that they had in place. They concluded that mitigation of an attack will take them seven days. That’s not acceptable, because it means that everything else in the organization will be down for seven days as well.

Mickey Bresman Semperis CEO

It’s not surprising to me that the majority of ransomware targets the identity system. If an attacker wants to create the maximum impact to extort money, they want to take control of your environment—and they will absolutely want to own Active Directory. Once Active Directory is compromised, the threat actors hold the keys to your kingdom.

Simon Hodgkinson Semperis Strategic Advisor & former bp CISO

Why aren’t organizations prioritizing ransomware defense?

Organizations face multiple challenges in putting a layered ransomware defense strategy in place. Most respondents reported that their biggest hurdle to resilience was lack of support from the board of directors.

Chris Inglis notes that effective cybersecurity requires a three-pronged approach comprising corporate doctrine, skill building, and technology. First step: Explain the value of identity-first security in business terms

“Technology can help us analyze and assess what’s happening, moment by moment,” Inglis says. “It can help us respond more quickly and recover more quickly. But the thing that is most wanting now is a collective realization that we all have a part to play. That starts with the board, not with the IT shop. The board is accountable; the SEC has made that clear. Regulations are increasingly making it clear: cybersecurity is a business issue.”

Lack of board support
Budget contraints
Outdated or legacy systems
Staffing shortages
Cybersecurity regulations

People tend to put their resources and effort into endpoint protection. But threat actors will get past the endpoint. And once they’re inside the network, they go through the whole identity system. What defense do you have when that happens? Because once they own your identity system, they have all the power. If your identity system goes down, none of your other solutions will work.

Sean Deuby Semperis Principal Technologist (North America)

More resources

Learn more about how to prevent, detect, and respond to identity-based attacks.

Meet Silver SAML: Golden SAML in the Cloud

Meet Silver SAML: Golden SAML in the Cloud

  • Blog
LDAP Injection Attack Defense: AD Security 101

LDAP Injection Attack Defense: AD Security 101

  • Blog
Semperis DSP: Enhance AD and Entra ID Protection from Cyber Threats

Semperis DSP: Enhance AD and Entra ID Protection from Cyber Threats

  • Blog
Active Directory Attacks: 5 Common AD Attack Methods

Active Directory Attacks: 5 Common AD Attack Methods

  • Blog
View all