
Paying Ransom Doesn’t Restore Data for 25% of Ransomware Victims

May 31, 2023

A new study indicates that paying a ransomware demand isn’t a reliable option for disaster recovery.

Veeam’s 2023 Data Protection Trends Report found that a shocking 85% of organizations had faced at least one cyberattack in the last year. Among ransomware victims, the vast majority agreed to pay the ransom — but 25% of those victims did not recover their data after paying their attackers.

As we’ve discussed in other articles, ransomware creators have strong incentives to create effective malware. However, they don’t have much of a reason to provide working decryptors; once they’ve received their payment, the “work” is over. 

Many attacker-supplied decryptors only work for limited types of data, and some decryptors don’t work at all. Of course, victims don’t have much recourse — and given that paying ransoms may be illegal, the safest approach is to not pay. 

For businesses, ransomware attacks can be devastating.

Modern ransomware variants often target backup systems, limiting options for disaster recovery. In some cases, ransomware lies dormant for weeks or months to ensure that backup tapes and other archival systems are compromised by the malware.

Fortunately, some common ransomware variants have been cracked, and free decryptors are available for variants like CoinVault, Xorist, Shade, and Rakhni.

But if an open-source decryptor isn’t available, businesses must find another solution. Often, that means rebuilding the affected system, which is costly: By one estimate, the average cost of a ransomware attack in the United States was $9.4 million in 2022.

That number may be a low estimate: Globally, ransomware attacks cost businesses about $20 billion in 2021, and the threat continues to grow. 


Ransomware Recovery and Investigation Services from

An effective ransomware recovery strategy has several key components:

  • The ransomware must be isolated. Attack vectors must be appropriately identified and verified to prevent additional attacks. 
  • The affected systems must be restored, either by decrypting the infected files or rebuilding from a backup/archive.
  • Future attacks must be prevented via ongoing monitoring and reassessment of security controls.

If you’re dealing with a ransomware infection, can help. Our experts have decades of combined experience with ransomware, and through investments in research & development, we provide a comprehensive solution for avoiding — and recovering from — ransomware attacks. 

To learn more, call 1-800-237-4200 and ask to speak with a ransomware specialist or submit a case online.