A balanced approach of prevention and recovery strategies will help organisations to say no to ransom demands.
Ransomware is a formidable threat, with headlines frequently citing staggering statistics regarding the costs of a single attack or data breach.
According to IBM’s latest Cost of Data Breach report, the average figure currently stands at $4.88 million – up ten percent year over year. However, there are many instances of firms suffering much more significant financial damage in the aftermath of an attack.
Just this year, UnitedHealth’s CEO revealed that the American multinational health insurance and services company had paid attackers a $22 million ransom, for example.
One-off incidents featuring astronomical sums such as these will always make headlines. However, what’s less commonly discussed is the ongoing frequency with which firms are hit by ransomware attacks.
Ransomware incidents are rarely isolated events. There’s no guarantee that a single attack will be the end of the story. In fact, either the same threat actor or a different one could target your organisation again – be it months, weeks, or even days later.
Of course, there’s no predicting when a firm might be faced with an attack, or how frequently. However, new data does indicate that many enterprises are grappling with ransomware on a regular basis.
Ransomware strikes multiple times a year
In a recent Semperis survey of nearly 1,000 IT and security leaders, the vast majority (85%) of organisations reported being targeted by ransomware in the past 12 months, with nearly half (45%) targeted three times or more.
While these figures might be surprising, the success rates associated with these attacks are equally alarming. Indeed, our data shows that in over half of the companies surveyed (54%), ransomware attacks were successful on more than one occasion.
It’s a concerning outlook given the potential costs that can arise both during and after an attack.
First, we have the ransom itself. Indeed, our survey revealed that 78% of UK companies that had been breached opted to pay a ransom, with 73% paying multiple times. Further, of those that paid multiple times, three quarters did so more than twice.
In the case of UK companies, we also found that 62% of those that had paid a ransom had stumped up a figure between £200,001 and £480,000.
Given the success rates of attackers, and frequency with which companies are opting to pay large sums, it is of little surprise that global ransomware payments exceeded $1 billion for the first time in 2023.
However, it’s not just the ransom payments themselves that enterprises have to worry about. Often more impactful are the other, hidden costs associated with attacks.
Downtime is a significant contributor to these costs. Our survey revealed that 63% of UK companies needed more than a day to restore their systems to optimal functionality, and one in eight required at least a week.
This is far more than a mere inconvenience. Every second of an outage translates to lost revenue, eroded customer trust, and lasting damage to an organisation’s reputation. From declining sales to customers questioning a company’s reliability, the impacts can be substantial.
In addition, regulators are now imposing significant fines for firms that fail to implement adequate controls to prevent data breaches from occurring.
In August 2024, for example, the Information Commissioner’s Office (ICO) announced that it had provisionally fined Advanced Computer Software Group more than £6 million following a ransomware attack that occurred back in August 2022, disrupting NHS and social care services in England. Critically, the ICO determined that the provider had failed to implement measures to protect the personal information of over 82,000 people.
Recovery is just as important as prevention
With many UK firms not only confronted by ransomware but falling victim to it several times a year, it is clear that a mindset shift is needed: one that prioritises protection against ransomware on an ongoing basis.
Specifically, firms must always assume that a breach is imminent. They must be on continual alert, always ready for the success of not one, but multiple breaches.
That means that they should continue to invest in measures that aim to prevent ransomware attacks from being successful in the first place. However, it also means that they must focus on establishing effective protocols that ensure they are able to say no to ransom demands and recover swiftly and effectively should an attack be successful.
Unfortunately, it is this latter area that is often overlooked. Our survey reveals that only about one-quarter of respondents maintain dedicated AD-specific backup systems.
As Gartner has noted, adding a dedicated tool for the backup and recovery of Active Directory accelerates and simplifies recovery from cyberattacks. Conversely, without this, companies may be left feeling that they have little choice other than to pay their attackers.
Therefore, it’s vital for firms to invest in both prevention and recovery strategies equally. By taking a more balanced approach, organisations will be in a much better position to say no to ransom demands should threat actors find a way to breach the first line of defence.
Written by
Dan Lattimer
Area VP UK & Ireland
Semperis