Global firms succumb to ransomware: 86% pay up despite having advanced backup tools

Despite an explosion in cybersecurity tools and awareness campaigns, organizations around the world are still surrendering to ransomware attackers at an alarming rate. According to new research from Rubrik Zero Labs, 86% of organizations globally admitted to paying ransom demands following a cyberattack in the past year — a figure that underscores a harsh reality: recovery, not prevention, is where most defenses still crumble.

This finding comes from Rubrik’s 2025 report, “The State of Data Security: A Distributed Crisis,” which surveyed more than 1,600 IT and security leaders across ten countries, including the US, the UK, France, Germany, India, and Singapore. The report revealed that even as businesses embrace hybrid and multi-cloud infrastructure to boost agility, many remain fundamentally unprepared to recover from ransomware without giving in to extortion.

Backup systems under attack

A key insight from the report is that 74% of organizations said their backup and recovery infrastructure was partially compromised, while 35% reported a complete compromise. This targeting of recovery systems has become a hallmark of modern ransomware campaigns.

“Attackers are increasingly focused on neutralizing backup infrastructure before deploying encryption,” said Joe Hladik, head of Rubrik Zero Labs. “Techniques include credential theft and privilege escalation through tools like Mimikatz, or exploiting exposed interfaces that allow attackers to extract plaintext credentials.”

Hladik added that threat actors are also abusing legitimate backup software APIs to delete or modify snapshots — a technique observed in campaigns attributed to groups like FIN7 and ALPHV.

“Automated reconnaissance is also becoming more common,” Hladik said. “Attackers map out backup environments using Active Directory enumeration and tools like SharpHound, enabling them to prioritize disabling recovery systems.”

Why is ransom still being paid?

Even with access to cyber resilience solutions — including immutable backups, air-gapped storage, and automated recovery — organizations often find themselves unprepared when an attack hits. According to Hladik, the reasons are not always technical.

“This remains one of the most frustrating dynamics in ransomware,” he said. “Backups may exist, but retention policies, access controls, or offline copies are often missing or outdated. Even when backups are available, slow or complex recovery processes can cause unacceptable downtime, leading executives to opt for ransom payment.”

He also noted the rise of double extortion tactics, where attackers exfiltrate sensitive data and threaten to leak it publicly if the ransom isn’t paid.

“This is why it’s imperative that organizations understand that resilience is not just having the right tools. It’s the operational readiness to use them under pressure. Tabletop exercises and SLA-driven recovery validation must be regular practice,” said Hladik.

While Rubrik’s own telemetry doesn’t collect ransom amounts, Hladik cited a recent industry study showing that the average ransom paid globally is around $479,000, with a median of $200,000. But those figures can climb rapidly, particularly in high-stakes sectors such as healthcare and financial services.

“In India alone,” Hladik added, “the average ransom has reached $4.8 million, with 62% of incidents involving demands exceeding $1 million. That’s a clear signal that attackers are tailoring demands based on geography, industry, and perceived urgency.”

Recovery timelines and leadership pressure

The urgency to recover quickly often drives ransom decisions. Hladik explained that delayed response is a critical factor in enabling attackers to escalate control over systems.

“Median dwell time remains high for many sectors — often over 10 days — giving adversaries ample time to disable defenses and backup jobs,” he said.

These delays raise the stakes, especially in industries where downtime can result in regulatory scrutiny, reputational damage, or even leadership changes. In some regions, Rubrik found a pattern of post-attack C-suite turnover or increased board-level involvement in cybersecurity decisions.

Identity as the primary attack vector

The report also highlights a shift in attacker behavior, with identity compromise emerging as the dominant entry point in ransomware incidents.

According to Rubrik’s telemetry, identity-based strategies now drive nearly 80% of all breaches. Attackers increasingly gain access using stolen credentials, escalate privileges, and move laterally across hybrid environments.

This trend is reinforced by Ashish Gupta, managing director of Rubrik India, who explained that identity systems — particularly legacy implementations of Active Directory — are now primary targets.

“Most large enterprises in India rely heavily on Microsoft Active Directory — not just for authentication, but also for DNS, DHCP, and PKI,” Gupta said. “This deep integration makes AD critical — and it often becomes the first point of attack because identity compromise gives the attacker a very broad attack surface.”

Globally, this dependency on legacy identity systems is being exploited by attackers who are quick to identify misconfigurations and delayed upgrades.

A strategic shift toward recovery readiness

Rubrik’s findings suggest that the path to reducing ransom payments lies not just in more tools, but in better preparedness. That includes isolating backup systems from domain access, securing APIs, implementing behavioral anomaly detection, and conducting regular threat-informed recovery drills.

“Organizations need to secure backup APIs and restrict privilege escalation paths,” said Hladik. “They also need to monitor backup access behavior for anomalies before encryption ever begins.”
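The kind of monitoring Hladik describes can be illustrated with a small detector run over backup-API audit events. The following is an added example, not Rubrik’s code or anything from the report: it assumes a simple whitespace-separated audit format (timestamp, principal, action, target), a constructed baseline of principals that normally drive the backup platform, and assumed thresholds. It flags three patterns that precede encryption in the campaigns the article mentions: destructive API calls by a principal outside the baseline, a burst of snapshot deletions, and a retention-policy change followed shortly by deletions from the same account.

```python
"""Detect anomalous backup-API activity in an audit log (added example)."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log: timestamp, principal, action, target.
SAMPLE_LOG = """\
2025-05-01T02:10:00Z svc-backup SNAPSHOT_CREATE vm-db01
2025-05-01T02:11:00Z svc-backup SNAPSHOT_CREATE vm-app01
2025-05-01T13:02:11Z jdoe RETENTION_UPDATE policy-gold
2025-05-01T13:02:30Z jdoe SNAPSHOT_DELETE vm-db01
2025-05-01T13:02:31Z jdoe SNAPSHOT_DELETE vm-db02
2025-05-01T13:02:32Z jdoe SNAPSHOT_DELETE vm-app01
2025-05-01T13:02:33Z jdoe SNAPSHOT_DELETE vm-app02
2025-05-01T13:02:34Z jdoe SNAPSHOT_DELETE vm-fs01
2025-05-01T13:02:35Z jdoe SNAPSHOT_DELETE vm-fs02
"""

# Assumed baseline: service accounts that legitimately call destructive APIs.
KNOWN_BACKUP_PRINCIPALS = {"svc-backup"}
DESTRUCTIVE_ACTIONS = {"SNAPSHOT_DELETE", "RETENTION_UPDATE"}
DELETE_BURST_THRESHOLD = 5                 # assumed tuning value
DETECTION_WINDOW = timedelta(minutes=5)    # assumed tuning value


def parse_log(text):
    """Parse the assumed audit format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, principal, action, target = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "principal": principal,
            "action": action,
            "target": target,
        })
    return sorted(events, key=lambda e: e["ts"])


def detect_anomalies(text, known=KNOWN_BACKUP_PRINCIPALS,
                     threshold=DELETE_BURST_THRESHOLD, window=DETECTION_WINDOW):
    """Return a list of alert dicts for the three patterns described above."""
    events = parse_log(text)
    alerts = []

    # Rule 1: destructive action by a principal outside the baseline,
    # aggregated to one alert per principal.
    unknown = Counter(e["principal"] for e in events
                      if e["action"] in DESTRUCTIVE_ACTIONS and e["principal"] not in known)
    for principal, count in unknown.items():
        alerts.append({"rule": "unknown_principal", "principal": principal,
                       "detail": f"{count} destructive API calls"})

    # Rule 2: sliding-window burst of snapshot deletions per principal.
    deletes = defaultdict(list)
    for e in events:
        if e["action"] == "SNAPSHOT_DELETE":
            deletes[e["principal"]].append(e["ts"])
    for principal, times in deletes.items():
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append({"rule": "delete_burst", "principal": principal,
                               "detail": f"{end - start + 1} deletions within {window}"})
                break

    # Rule 3: retention change followed by a deletion from the same principal.
    for i, e in enumerate(events):
        if e["action"] != "RETENTION_UPDATE":
            continue
        for later in events[i + 1:]:
            if later["ts"] - e["ts"] > window:
                break
            if later["principal"] == e["principal"] and later["action"] == "SNAPSHOT_DELETE":
                alerts.append({"rule": "retention_then_delete", "principal": e["principal"],
                               "detail": f"{e['target']} changed, then {later['target']} deleted"})
                break
    return alerts


if __name__ == "__main__":
    for alert in detect_anomalies(SAMPLE_LOG):
        print(alert)
```

Each rule is deliberately independent of the others, so a single account that only trips the burst rule still produces an alert; in practice the thresholds would be derived from the platform’s normal job cadence rather than the assumed constants here.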

Gupta added that what often holds organizations back is not just technical debt, but also leadership mindset.

“In many cases, this stems from a lack of leadership belief that investment in security-first infrastructure and software built on Zero Trust principles would yield high ROI,” he said. “When in reality, this gap creates an existential threat to their businesses.”

The road ahead, both experts agreed, is not just about buying new technology — it’s about rebuilding trust in recovery. That means implementing immutable, air-gapped backups, securing APIs, detecting anomalies in backup access, and above all, validating every aspect of the recovery process through real-world exercises.
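The “SLA-driven recovery validation” Hladik calls for, and the recovery-process validation this closing paragraph returns to, amounts to restoring a known dataset, checking it byte-for-byte against a manifest taken at backup time, and comparing the elapsed time against the recovery time objective. The following harness is an added example, not code from Rubrik or the report: it builds a constructed backup set in a temporary directory, uses a plain directory copy as the assumed restore step, and reports integrity failures and RTO compliance as a practitioner would record them in a drill log.

```python
"""Restore-drill harness: verify integrity and RTO of a restore (added example)."""
import hashlib
import shutil
import tempfile
import time
from pathlib import Path


def build_manifest(root):
    """Map each file's relative path to its SHA-256, captured at backup time."""
    root = Path(root)
    return {
        str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def verify_restore(restore_root, manifest):
    """Compare the restored tree with the manifest; report every deviation."""
    restored = build_manifest(restore_root)
    missing = sorted(set(manifest) - set(restored))
    extra = sorted(set(restored) - set(manifest))
    corrupted = sorted(k for k in manifest if k in restored and restored[k] != manifest[k])
    return {"ok": not (missing or extra or corrupted),
            "missing": missing, "extra": extra, "corrupted": corrupted}


def run_drill(restore_fn, source_root, restore_root, manifest, rto_seconds):
    """Time the restore, verify the result, and judge it against the RTO."""
    started = time.monotonic()
    restore_fn(source_root, restore_root)
    elapsed = time.monotonic() - started
    result = verify_restore(restore_root, manifest)
    result["elapsed_seconds"] = elapsed
    result["rto_met"] = elapsed <= rto_seconds
    result["passed"] = result["ok"] and result["rto_met"]
    return result


def copy_restore(src, dst):
    """Assumed restore step: a plain directory copy stands in for the real tool."""
    shutil.copytree(src, dst, dirs_exist_ok=True)


def demo(tamper=False, rto_seconds=60):
    """Run a drill on a constructed dataset; optionally corrupt one restored file."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = Path(tmp) / "backup", Path(tmp) / "restored"
        (src / "db").mkdir(parents=True)
        (src / "db" / "orders.sql").write_bytes(b"INSERT INTO orders VALUES (1, 'ok');\n")
        (src / "config.yaml").write_bytes(b"retention_days: 30\n")
        manifest = build_manifest(src)   # captured before the "incident"

        def restore(s, d):
            copy_restore(s, d)
            if tamper:  # simulate a restore that silently altered a file
                (Path(d) / "config.yaml").write_bytes(b"retention_days: 0\n")

        return run_drill(restore, src, dst, manifest, rto_seconds)


if __name__ == "__main__":
    print(demo())
    print(demo(tamper=True))
```

The manifest is taken at backup time and stored apart from the backup itself, so a restore that completes within the RTO but returns altered or missing files is still recorded as a failed drill rather than a success.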
