{"id":5526,"date":"2025-10-24T07:00:00","date_gmt":"2025-10-24T07:00:00","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=5526"},"modified":"2025-10-24T07:00:00","modified_gmt":"2025-10-24T07:00:00","slug":"ransomware-recovery-perils-40-of-paying-victims-still-lose-their-data","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=5526","title":{"rendered":"Ransomware recovery perils: 40% of paying victims still lose their data"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>Two in five companies that pay cybercriminals for ransomware decryption fail to recover data as a result, according to a survey of 1,000s of SMEs by insurance provider Hiscox.<\/p>\n<p>The survey also revealed that ransomware remains a major threat, with 27% of businesses surveyed reporting an attack in the past year. Of those affected, 80% \u2014 which includes both insured and uninsured businesses \u2014 paid a ransom in an attempt to recover or protect critical data.<\/p>\n<p>But only 60% successfully recovered all or part of their data as a result, <a href=\"https:\/\/www.hiscox.ie\/sites\/ireland-new\/files\/2025-09\/Hiscox%20Cyber%20Readiness%20Report%202025.pdf\">Hiscox\u2019s Cyber Readiness Report<\/a> found.<\/p>\n<p>A <a href=\"https:\/\/qbeeurope.com\/news-and-events\/press-releases\/ransomware-attacks-to-rise-by-40-by-2026-qbe-warns\/\">QBE Insurance report<\/a> earlier this month on cybercrime and cloud-based threats revealed that ransomware incidents nearly tripled year-on-year in Q1 2025, reaching <strong>1,537 in Q1 2025<\/strong> compared to 572 in the same quarter last year. 
CrowdStrike\u2019s 2025 State of Ransomware Survey released this month also found that <a href=\"https:\/\/www.csoonline.com\/article\/4075912\/ai-enabled-ransomware-attacks-cisos-top-security-concern-with-good-reason.html\">93% of ransomware-paying victims had data stolen anyway<\/a>.<\/p>\n<h2 class=\"wp-block-heading\">Flawed ransomware encryption often frustrates recovery<\/h2>\n<p>Hiscox\u2019s statistics on the plight of ransomware victims highlight just one of myriad difficulties organizations face when attempting to recover from <a href=\"https:\/\/www.csoonline.com\/article\/563507\/what-is-ransomware-how-it-works-and-how-to-remove-it.html\">ransomware<\/a> attacks, industry experts say.<\/p>\n<p>\u201cThe 60% recovery rate reflects several technical and operational realities encountered regularly in incident response,\u201d <a href=\"https:\/\/www.linkedin.com\/in\/james-m-john\/?originalSubdomain=uk\">James John<\/a>, incident response manager at cybersecurity firm Bridewell, tells CSO. \u201cFirstly, <a href=\"https:\/\/www.csoonline.com\/article\/3838121\/the-dirty-dozen-12-worst-ransomware-groups-active-today.html\">ransomware operators<\/a> vary significantly in sophistication. Whilst established groups like LockBit or ALPHV typically provide functional decryptors, as they have a \u2018reputation\u2019 to maintain, smaller operations often deploy flawed encryption implementations or simply disappear after payment.\u201d<\/p>\n<p>Decryptors are frequently slow and unreliable, John adds.<\/p>\n<p>\u201cLarge-scale decryption across enterprise environments can take weeks and often fails on corrupted files or complex database systems,\u201d he explains. \u201cCases exist where the decryption process itself causes additional data corruption.\u201d<\/p>\n<p>Even when decryptor tools are supplied, they may contain bugs, or leave files corrupted or inaccessible. Many organizations also rely on untested \u2014 and vulnerable \u2014 backups. 
Making matters still worse, many ransomware victims discover that their backups were also encrypted as part of the attack.<\/p>\n<p>\u201cCriminals often use flawed or incompatible encryption tools, and many businesses lack the infrastructure to restore data cleanly, especially if backups are patchy or systems are still compromised,\u201d says <a href=\"https:\/\/www.linkedin.com\/in\/darylflack\/?originalSubdomain=uk\">Daryl Flack<\/a>, partner at UK-based managed security provider Avella Security and cybersecurity advisor to the UK Government.<\/p>\n<h2 class=\"wp-block-heading\">Additional recovery pressures<\/h2>\n<p>Modern ransomware attacks now routinely involve double or triple extortion whereby attackers <a href=\"https:\/\/www.csoonline.com\/article\/4032874\/ransomware-attacks-the-evolving-extortion-threat-to-us-financial-institutions.html\">threaten to leak stolen data<\/a> or launch distributed denial of service (DDoS) attacks even after payment.<\/p>\n<p>This fundamentally changes the calculus on what victims can expect in cases where they decide to make a ransomware payment, which more often than not fails to resolve many of the problems arising from a ransomware attack.<\/p>\n<p>\u201cPaying only addresses the encryption element, not the broader compromise,\u201d Bridewell\u2019s John notes.<\/p>\n<p>Moreover, a ransomware incident puts an organization under enormous pressure, with legal, operational, and reputational issues all converging, <a href=\"https:\/\/www.csoonline.com\/article\/3825444\/ransomware-gangs-extort-victims-17-hours-after-intrusion-on-average.html\">often within a matter of hours<\/a>.<\/p>\n<p>These factors, combined with the inherent uncertainty of dealing with criminals, help explain why paying the ransom so often falls short of achieving full data recovery.<\/p>\n<p><a href=\"https:\/\/harperjames.co.uk\/our-people\/lillian-tsang\/\">Lillian Tsang<\/a>, senior solicitor in Harper James\u2019 data protection and privacy team, 
warns that even when a decryption key is received, some data may already be permanently damaged, altered, or stolen.<\/p>\n<p>\u201cThat creates operational challenges but also raises data protection concerns, particularly where personal data is involved,\u201d Tsang explains. \u201cIf records are lost or compromised, this can amount to a personal data breach under UK GDPR, which brings reporting obligations and the potential for regulatory scrutiny.\u201d<\/p>\n<p>Paying a ransom doesn\u2019t give a business any legal recourse if the criminals fail to deliver and, worse, \u201cpayment can create further risk if funds are unknowingly transferred to a sanctioned group,\u201d Tsang warns.<\/p>\n<h2 class=\"wp-block-heading\">Financial resilience and legal issues<\/h2>\n<p>How a ransomware attack plays out in practice is illustrated by an account from an executive at Kantsu, a midsize Japanese logistics company. Kantsu President Hisahiro Tatsujo <a href=\"https:\/\/www.cio.com\/article\/4036296\/%E3%82%B5%E3%82%A4%E3%83%90%E3%83%BC%E6%94%BB%E6%92%83%E3%81%AB%E3%81%95%E3%82%89%E3%81%95%E3%82%8C%E3%81%9F%E4%BC%81%E6%A5%AD%E7%B5%8C%E5%96%B6%E8%80%85%E3%81%8C%E8%AA%9E%E3%82%8B%E5%AF%BE%E5%BF%9C.html\">told CIO.com about the company\u2019s efforts to restore operations following a ransomware attack<\/a>.<\/p>\n<p>Kantsu \u2014 which did not pay a ransom \u2014 was obliged to ask financial institutions for loans to cover the cost of recovering its operations because, although it was insured, its insurance firm had to go through a claims process before making a payout. 
The incident illustrated how enterprises need a financial as well as an operational plan to successfully recover from ransomware attacks.<\/p>\n<p>Moreover, when systems are disrupted by ransomware attacks, legal obligations kick in almost immediately with requirements to notify regulators and affected individuals, especially if personal data is affected by a breach.<\/p>\n<p>\u201cOne of the biggest challenges is making rapid, high-stakes decisions with only fragments of information,\u201d says Harper James\u2019 Tsang. \u201cSenior leaders have to weigh the legal risks of payment, the impact on business continuity, and the potential consequences for individuals, often with limited technical clarity.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Forewarned is forearmed<\/h2>\n<p>Some experts advise maintaining a retainer with an incident response firm as part of <a href=\"https:\/\/www.csoonline.com\/article\/515730\/business-continuity-and-disaster-recovery-planning-the-basics.html\">disaster recovery plans<\/a> that anticipate the all-too-real possibility of a ransomware attack.<\/p>\n<p>\u201cHaving a retainer with a reputable incident response or negotiation firm \u2014 one equipped to handle cryptocurrency transactions \u2014 is crucial,\u201d says <a href=\"https:\/\/www.linkedin.com\/in\/jeremysamide\/\">Jeremy Samide<\/a>, CEO at Blackwired, a cybersec company focused on direct threat intelligence. 
\u201cSuch firms manage <a href=\"https:\/\/www.csoonline.com\/article\/3568817\/the-ransomware-negotiation-playbook-adds-new-chapters.html\">negotiations<\/a>, have access to multiple crypto types (e.g., Bitcoin, Monero, Zcash), and can execute transfers securely if payment becomes the only path to recovery.\u201d<\/p>\n<p>Samide adds: \u201cPreparation doesn\u2019t mean capitulation \u2014 it means being ready for every scenario.\u201d<\/p>\n<p>Harper James\u2019 Tsang cautions against setting aside funds to pay criminals in the event of ransomware attacks.<\/p>\n<p>\u201cSetting aside funds to pay a ransom is increasingly viewed as problematic,\u201d Tsang says. \u201cWhile payment isn\u2019t illegal in itself, it may breach sanctions, it can fuel further criminal activity, and there is no guarantee of a positive outcome.\u201d<\/p>\n<p>A more secure legal and strategic position comes from investing in resilience through strong security measures, well-tested recovery plans, clear reporting protocols, and cyber insurance, Tsang advises.<\/p>\n<p>\u201cCyber insurance is crucial for ransomware attacks because not only does it provide financial protection, but it can also give organizations access to specialized support that can significantly reduce damage and downtime,\u201d Tsang explains.<\/p>\n<p><a href=\"https:\/\/www.csoonline.com\/article\/571703\/cyber-insurance-explained.html\">Cyber insurance<\/a> policies often offer active crisis management, with provisions that can cover:<\/p>\n<ul>\n<li>Immediate incident response and forensic investigation<\/li>\n<li>Containment and remediation of infected systems<\/li>\n<li>Negotiation and legal coordination with attackers<\/li>\n<li>Data recovery and business continuity support<\/li>\n<\/ul>\n<p>\u201cInsurance can\u2019t prevent an attack \u2014 but it can soften the blow, bring structure to chaos, and ensure that organizations don\u2019t navigate ransomware crises alone,\u201d says Blackwired\u2019s Samide.<\/p>\n<p>But cyber 
insurance still comes with caveats, other experts caution.<\/p>\n<p>\u201cInsurance premiums are rising, and insurers now expect a stronger baseline of cybersecurity measures \u2014 multi-factor authentication, patch management, and tested backups \u2014 before offering or renewing coverage,\u201d says Avella Security\u2019s Flack. \u201cThis shift encourages organizations to adopt better security practices as part of their risk management approach.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Cyber recovery<\/h2>\n<p>Cyber recovery following a ransomware attack needs to be treated similarly to disaster recovery, with a fully defined and fully documented in-house recovery plan under which uncompromised data can be restored confidently, experts advise.<\/p>\n<p>\u201cWhen enterprises are hit by ransomware, one of the first and most pressing challenges is assessing the full scope of the attack \u2014 identifying which data has been compromised, which systems are affected, and whether existing backups can be trusted,\u201d <a href=\"https:\/\/www.linkedin.com\/in\/mcgann\/\">Jim McGann<\/a>, CMO at Index Engines, explains. \u201cEven when backups are available, verifying their integrity is a major hurdle, as they may contain corrupted or altered files that could reintroduce the threat during recovery.\u201d<\/p>\n<p>\u201cEnterprises now need in-house recovery plans that include forensic-level data validation of data, not just restoration,\u201d McGann advises.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Two in five companies that pay cybercriminals for ransomware decryption fail to recover data as a result, according to a survey of 1,000s of SMEs by insurance provider Hiscox. The survey also revealed that ransomware remains a major threat, with 27% of businesses surveyed reporting an attack in the past year. 
Of those affected, 80% \u2014 [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":5527,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-5526","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/5526"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=5526"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/5526\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/5527"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=5526"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=5526"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=5526"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}