{"id":2910,"date":"2025-04-23T11:57:37","date_gmt":"2025-04-23T11:57:37","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=2910"},"modified":"2025-04-23T11:57:37","modified_gmt":"2025-04-23T11:57:37","slug":"global-firms-succumb-to-ransomware-86-pay-up-despite-having-advanced-backup-tools","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=2910","title":{"rendered":"Global firms succumb to ransomware: 86% pay up despite having advanced backup tools"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>Despite an explosion in cybersecurity tools and awareness campaigns, organizations around the world are still surrendering to ransomware attackers at an alarming rate. According to new research from Rubrik Zero Labs, 86% of organizations globally admitted to paying ransom demands following a cyberattack in the past year \u2014 a figure that underscores a harsh reality: recovery, not prevention, is where most defenses still crumble.<\/p>\n<p>This finding comes from Rubrik\u2019s 2025 report, \u201cThe State of Data Security: A Distributed Crisis,\u201d which surveyed more than 1,600 IT and security leaders across ten countries, including the US, the UK, France, Germany, India, and Singapore. <a href=\"https:\/\/zerolabs.rubrik.com\/\">The report<\/a> revealed that even as businesses embrace hybrid and multi-cloud infrastructure to boost agility, many remain fundamentally unprepared to recover from ransomware without giving in to extortion.<\/p>\n<h2 class=\"wp-block-heading\">Backup systems under attack<\/h2>\n<p>A key insight from the report is that 74% of organizations said their backup and recovery infrastructure was partially compromised, while 35% reported a complete compromise. 
This targeting of recovery systems has become a hallmark of modern ransomware campaigns.<\/p>\n<p>\u201cAttackers are increasingly focused on neutralizing backup infrastructure before deploying encryption,\u201d said Joe Hladik, head of Rubrik Zero Labs. \u201cTechniques include credential theft and privilege escalation through tools like Mimikatz, or exploiting exposed interfaces that allow attackers to extract plaintext credentials.\u201d<\/p>\n<p>Hladik added that threat actors are also abusing legitimate backup software APIs to delete or modify snapshots \u2014 a technique observed in campaigns attributed to groups like FIN7 and ALPHV.<\/p>\n<p>\u201cAutomated reconnaissance is also becoming more common,\u201d Hladik said. \u201cAttackers map out backup environments using Active Directory enumeration and tools like SharpHound, enabling them to prioritize disabling recovery systems.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Why is ransom still being paid?<\/h2>\n<p>Even with access to cyber resilience solutions \u2014 including immutable backups, air-gapped storage, and automated recovery \u2014 organizations often find themselves unprepared when an attack hits. According to Hladik, the reasons are not always technical.<\/p>\n<p>\u201cThis remains one of the most frustrating dynamics in ransomware,\u201d he said. \u201cBackups may exist, but retention policies, access controls, or offline copies are often missing or outdated. 
Even when backups are available, slow or complex recovery processes can cause unacceptable downtime, leading executives to opt for ransom payment.\u201d<\/p>\n<p>He also noted the rise of double extortion tactics, where attackers exfiltrate sensitive data and threaten to leak it publicly if the ransom isn\u2019t paid.<\/p>\n<p>\u201cThis is why it\u2019s imperative that organizations understand that resilience is not just having the right tools. It\u2019s the operational readiness to use them under pressure. <a href=\"https:\/\/www.csoonline.com\/article\/570871\/tabletop-exercises-explained-definition-examples-and-objectives.html\">Tabletop exercises<\/a> and SLA-driven recovery validation must be regular practice,\u201d said Hladik.<\/p>\n<p>While Rubrik\u2019s own telemetry doesn\u2019t collect ransom amounts, Hladik cited a recent <a href=\"https:\/\/www.rapid7.com\/blog\/post\/2025\/01\/27\/the-2024-ransomware-landscape-looking-back-on-another-painful-year\/\">industry study<\/a> showing that the average ransom paid globally is around $479,000, with a median of $200,000. But those figures can climb rapidly, particularly in high-stakes sectors such as healthcare and financial services.<\/p>\n<p>\u201cIn India alone,\u201d Hladik added, \u201cthe average ransom has reached $4.8 million, with 62% of incidents involving demands exceeding $1 million. That\u2019s a clear signal that attackers are tailoring demands based on geography, industry, and perceived urgency.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Recovery timelines and leadership pressure<\/h2>\n<p>The urgency to recover quickly often drives ransom decisions. 
Hladik explained that delayed response is a critical factor in enabling attackers to escalate control over systems.<\/p>\n<p>\u201cMedian dwell time remains high for many sectors \u2014 often over 10 days \u2014 giving adversaries ample time to disable defenses and backup jobs,\u201d he said.<\/p>\n<p>These delays raise the stakes, especially in industries where downtime can result in regulatory scrutiny, reputational damage, or even leadership changes. In some regions, Rubrik found a pattern of post-attack C-suite turnover or increased board-level involvement in cybersecurity decisions.<\/p>\n<h2 class=\"wp-block-heading\">Identity as the primary attack vector<\/h2>\n<p>The report also highlights a shift in attacker behavior, with identity compromise emerging as the dominant entry point in ransomware incidents.<\/p>\n<p>According to Rubrik\u2019s telemetry, identity-based strategies now drive nearly 80 percent of all breaches. Attackers increasingly gain access using stolen credentials, escalate privileges, and move laterally across hybrid environments.<\/p>\n<p>This trend is reinforced by Ashish Gupta, managing director of Rubrik India, who explained that identity systems \u2014 particularly legacy implementations of Active Directory \u2014 are now primary targets.<\/p>\n<p>\u201cMost large enterprises in India rely heavily on Microsoft Active Directory\u2014not just for authentication, but also for DNS, DHCP, and PKI,\u201d Gupta said. 
\u201cThis deep integration makes AD critical \u2014 and it often becomes the first point of attack because identity compromise gives the attacker a very broad attack surface.\u201d<\/p>\n<p>Globally, this dependency on legacy identity systems is being exploited by attackers who are quick to identify misconfigurations and delayed upgrades.<\/p>\n<h2 class=\"wp-block-heading\">A strategic shift toward recovery readiness<\/h2>\n<p>Rubrik\u2019s findings suggest that the path to reducing ransom payments lies not just in more tools, but in better preparedness. That includes isolating backup systems from domain access, securing APIs, implementing behavioral anomaly detection, and conducting regular threat-informed recovery drills.<\/p>\n<p>\u201cOrganizations need to secure backup APIs and restrict privilege escalation paths,\u201d said Hladik. \u201cThey also need to monitor backup access behavior for anomalies before encryption ever begins.\u201d<\/p>\n<p>Gupta added that what often holds organizations back is not just technical debt, but also leadership mindset.<\/p>\n<p>\u201cIn many cases, this stems from a lack of leadership belief that investment in security-first infrastructure and software built on Zero Trust principles would yield high ROI,\u201d he said. \u201cWhen in reality, this gap creates an existential threat to their businesses.\u201d <\/p>\n<p>The road ahead, both experts agreed, is not just about buying new technology\u2014it\u2019s about rebuilding trust in recovery. That means implementing immutable, air-gapped backups, securing APIs, detecting anomalies in backup access, and above all, validating every aspect of the recovery process through real-world exercises.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Despite an explosion in cybersecurity tools and awareness campaigns, organizations around the world are still surrendering to ransomware attackers at an alarming rate. 
According to new research from Rubrik Zero Labs, 86% of organizations globally admitted to paying ransom demands following a cyberattack in the past year \u2014 a figure that underscores a harsh reality: [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":2885,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-2910","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/2910"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2910"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/2910\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/2885"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2910"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2910"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2910"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}