Ransomware has become a pervasive and persistent threat, making headlines almost daily as businesses, hospitals, and even governments fall victim to its crippling effects. In 2024 alone, reported ransomware attacks worldwide reached 5,289, a 15% increase from the previous year, according to the U.S. Office of the Director of National Intelligence. Yet, this figure likely understates the true scale, as many incidents go unreported, swept under the rug to avoid reputational damage or regulatory scrutiny. The dirty secret fueling this epidemic? Ransom payments—often negotiated down from millions to hundreds of thousands—are keeping the ransomware economy thriving. As one tech expert bluntly put it, “Ransoms are being paid left, right, and center.” This blog explores why ransomware remains a lucrative business for cybercriminals and what companies can do to break the cycle.

The Ransomware Racket: A Booming Industry

Ransomware is a type of malware that encrypts a victim’s files, systems, or networks, rendering them inaccessible until a ransom—typically in cryptocurrency—is paid. The rise of Ransomware-as-a-Service (RaaS) has democratized cybercrime, allowing even low-skill attackers to deploy sophisticated attacks using pre-built tools. Groups like Akira, Royal, and BlackCat have become household names in the cyber underworld, with attacks targeting everyone from small businesses to critical infrastructure. For instance, in July 2024, U.S. organizations like Susan B. Allen Memorial Hospital in Kansas, IT firm Ingram Micro, and Cookeville Regional Medical Center in Tennessee were hit hard.

The financial incentive is staggering. In the first half of 2023, crypto payments to ransomware attackers reached $449.1 million, a $175.8 million jump from the same period in 2022. The average ransom in 2024 was $2.73 million, nearly a million more than in 2023, with 97% of organizations that paid recovering their data—encouraging further payments. Hackers often start with exorbitant demands, only to settle for lower sums after negotiation, a tactic that keeps the cycle profitable. As one expert noted, “It’s not uncommon for a demand in millions to be reduced to a couple of hundred thousand. It happens all the time.”

High-profile cases illustrate the devastating impact. The Einhaus Group, a German mobile device insurance firm, collapsed in 2024 after paying a $230,000 ransom that failed to restore operations fully, leading to insolvency. Similarly, KNP Logistics Group in England shut down in September 2023, losing 730 jobs after a ransomware attack by the Akira group crippled its systems. These incidents highlight how ransomware doesn’t just disrupt operations—it can destroy entire businesses.

Why Ransomware Thrives

Several factors make ransomware a “good business” for cybercriminals:

  • Low Risk, High Reward: Cryptocurrency payments, often via Bitcoin, provide anonymity, making it difficult for authorities to trace funds. The International Counter Ransomware Initiative (CRI) notes that crypto wallets underpin most ransomware transactions, fueling illicit activities globally.
  • Underreporting Fuels Secrecy: Many companies hide attacks to avoid bad publicity, regulatory fines, or customer backlash. As one expert stated, “They will try and brush it under the carpet… disguise it as some other expense.” This secrecy prevents collective action and emboldens attackers.
  • AI-Powered Precision: Artificial intelligence is increasingly used to identify high-value targets and exploit vulnerabilities faster. Over-reliance on commercial cloud servers, often with built-in “back doors” for government access, creates exploitable gaps that cybercriminals leverage.
  • Payment Fuels the Cycle: James Babbage, director general (Threats) at the UK’s National Crime Agency, told the BBC, “It is the paying of ransoms which fuels this crime.” Each payment incentivizes further attacks, as 80% of organizations that pay face another attack soon after, with 46% receiving corrupted data despite paying.

Breaking the Ransomware Cycle: Recommendations for Businesses

To combat this growing threat, companies must adopt proactive cybersecurity measures and resist the temptation to pay ransoms. Here are actionable steps to protect your organization:

  1. Implement Robust Backup Systems: Adopt a 3-2-1 backup strategy—three copies of data, on two different media, with one offsite and immutable. Regular, secure backups can eliminate the need to pay ransoms, as seen in cases where companies restored operations without engaging attackers. Test backups frequently to ensure recoverability.
  2. Deploy Multi-Factor Authentication (MFA): MFA significantly reduces the risk of unauthorized access, even if credentials are stolen. Weak passwords, as in the KNP Logistics case, are a common entry point for ransomware.
  3. Train Employees on Cyber Hygiene: Phishing, RDP vulnerabilities, and unpatched software are top ransomware vectors. Regular training on recognizing phishing emails and social engineering tactics can close these gaps. The Akira attack on KNP began with a night shift worker missing early warning signs.
  4. Conduct Regular Security Audits: Routine vulnerability assessments and penetration testing can identify weaknesses before attackers do. The 2023 attack on ION Cleared Derivatives, which forced financial firms to process trades manually, exposed the risks of unaddressed vulnerabilities.
  5. Develop an Incident Response Plan: A tested incident response plan minimizes downtime and ensures coordinated action during an attack. Include steps for isolating systems, notifying authorities, and communicating with stakeholders. The City of Atlanta’s 2018 ransomware attack, which left police and first responders reliant on paper records, underscores the need for preparedness.
  6. Avoid Paying Ransoms: Paying ransoms perpetuates the problem and offers no guarantee of data recovery. The Einhaus Group’s payment failed to prevent collapse, and authorities seized the funds, further complicating recovery. The CRI’s 50 member countries, including the U.S., have pledged that government institutions “should not” pay ransoms, signaling a push toward stricter policies.
  7. Invest in Advanced Threat Detection: Endpoint protection platforms (EPPs) and intrusion detection systems can identify and neutralize threats early. The 2023 attack on the Scottish Environment Protection Agency, where the Conti group stole 1.2 GB of data, could have been mitigated with real-time monitoring.
  8. Review Cybersecurity Insurance: Ensure policies cover ransomware incidents and meet requirements like MFA or regular backups. The 2023 Clorox attack, which incurred $380 million in losses with only $100 million covered, highlights the importance of clear coverage terms.
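Step 1 above says to test backups frequently, and step 7 calls for monitoring that notices encryption early. The script below is an added example (not code from the original post or from BlackBeltSecure) showing one concrete way to do the first and a small piece of the second: record a SHA-256 manifest of the source data at backup time, then compare a restored copy against that manifest and report files that are missing, altered, or unexpected, flagging altered files whose contents look encrypted. The directory layout, file names and the tampered "restore_bad" copy are all constructed for the demonstration; an operational version would store the manifest on the immutable, offsite copy of the 3-2-1 set so that a corrupted backup cannot also rewrite its own checksums.

```python
"""Verify a restored backup against a hash manifest recorded at backup time.

Added example; file names and the tampered restore are constructed inline.
"""
import hashlib
import math
import random
import shutil
import tempfile
from collections import Counter
from pathlib import Path


def sha256_file(path: Path, chunk: int = 1 << 16) -> str:
    """Stream a file through SHA-256 so large backups do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every regular file under root (relative POSIX path) to its digest."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            manifest[p.relative_to(root).as_posix()] = sha256_file(p)
    return manifest


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; encrypted or compressed data sits near 8.0."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def verify_restore(manifest: dict, restored_root: Path, entropy_threshold: float = 7.0) -> dict:
    """Compare a restored tree with the manifest taken at backup time.

    Returns the files that are missing, changed or unexpected, the subset of
    changed files whose contents look encrypted, and an overall ok flag.
    """
    current = build_manifest(restored_root)
    missing = sorted(k for k in manifest if k not in current)
    changed = sorted(k for k in manifest if k in current and current[k] != manifest[k])
    extra = sorted(k for k in current if k not in manifest)
    # High-entropy rewrites of known files are the signature of encryption, not of an edit.
    suspicious = [
        k for k in changed
        if shannon_entropy((restored_root / k).read_bytes()) > entropy_threshold
    ]
    return {
        "missing": missing,
        "changed": changed,
        "extra": extra,
        "suspicious": suspicious,
        "ok": not (missing or changed or extra),
    }


def demo() -> tuple:
    """Build a constructed source tree, one clean restore and one damaged restore."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp, "src")
        (src / "docs").mkdir(parents=True)
        (src / "ledger.csv").write_text("id,amount\n1,100\n2,250\n")
        (src / "docs" / "policy.txt").write_text("backups: 3-2-1, tested monthly\n")
        manifest = build_manifest(src)

        good = Path(tmp, "restore_good")
        shutil.copytree(src, good)

        # Constructed damage mimicking what a restore from a tampered backup could look like:
        # one file renamed with a lock extension, one file overwritten with random bytes.
        bad = Path(tmp, "restore_bad")
        shutil.copytree(src, bad)
        (bad / "ledger.csv").rename(bad / "ledger.csv.locked")
        (bad / "docs" / "policy.txt").write_bytes(random.Random(0).randbytes(4096))

        return verify_restore(manifest, good), verify_restore(manifest, bad)


if __name__ == "__main__":
    clean, damaged = demo()
    print("clean restore ok:", clean["ok"])
    print("damaged restore:", damaged)
```

Run it as a script to see the clean restore pass and the damaged one list `ledger.csv` as missing, `ledger.csv.locked` as unexpected, and `docs/policy.txt` as both changed and suspicious. The entropy threshold of 7.0 bits per byte is an assumption chosen for the demonstration; plain text and most office documents sit well below it, while encrypted output is close to 8.0.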

A Call to Action Against Ransomware

Ransomware is a thriving business because victims keep paying, and cybercriminals face little resistance. The British government’s July 2024 proposal to ban ransom payments for public sector organizations is a step forward, but private companies remain the primary targets, accounting for 46% of global cyberattacks in the U.S. alone. As Brett Callow of Emsisoft noted, “If governments really want to stop organizations paying ransoms, they’ll need to legislate.” Until then, businesses must take responsibility for their own defenses.

By adopting these recommendations, companies can reduce their vulnerability and disrupt the ransomware economy. The choice is clear: invest in prevention now or risk becoming another statistic in the ransomware boom. Ransomware may be good business for criminals, but it doesn’t have to be for your organization.

For expert guidance on fortifying your cybersecurity, visit BlackBeltSecure.com.