Ransomware: Which Industries Are Most Likely to Pay

A recent study by Cybereason, Ransomware: The True Cost to Business 2022, revealed that 73% of respondents had experienced a ransomware attack in the last 24 months. Of those respondents, 28% said their organizations paid the ransom. A separate survey of cybersecurity leaders conducted by WSJ Pro Research found that 42.5% of respondents said they would consider paying a ransom.

Of those leaders who said their organizations would consider paying, 74% worked in the construction industry, 51% worked in the technology industry, and 43% worked for an energy company or utility.

Industries Most Likely to Pay a Ransom

1. Construction (74%)
2. Tech firms (51%)
3. Energy, oil and utilities (43%)
4. IT (around 33%)
5. Retail (around 33%)
6. Business and Professional Services (around 33%)
7. Government (18%)

Source: WSJ Pro Research

Research from CyberSaint tells a similar story: the provider of cybersecurity and IT risk and compliance software found that 43% of survey respondents at energy companies and utilities said their organizations paid ransoms, and more than one-third of respondents across the IT, retail, and business and professional services sectors said their organizations did the same.

Perhaps not surprisingly, many of these industries that are more likely to pay are also more likely to be targeted by ransomware actors. According to research from Nordlocker, the top industries hit by ransomware include:

1. Manufacturing
2. Construction
3. Transportation/Logistics
4. Technology
5. Healthcare
6. Financial Services
7. Public Sector
8. Business Services
9. Retail
10. Consumer Services
    
    

In our own research, Cybereason found the industry verticals most likely to have been affected by a ransomware attack included legal (92%), financial services (78%), manufacturing (78%), and human resources services (77%).

What makes some sectors more likely to pay a ransom than others? For construction companies, a ransomware attack may mean plans are lost, and therefore, work on large contracts grinds to a halt, putting immediate deadlines and downstream projects in the company’s portfolio at risk.

For tech firms, a ransomware attack could compromise highly sensitive and competitive assets like intellectual property, product plans, or customer information. The stakes are even higher for utilities and healthcare providers, where ransomware attacks can cause power failures or prevent medical care. In these and other industries, the reasons to pay are compelling.

But so are the reasons not to pay.

What Happens When You Pay the Ransom

In general, companies pay ransoms to prevent business disruption and expedite data recovery, but our research finds that those and other negative outcomes tend to occur anyway:

• Your data could still be corrupted . Ransomware operators rarely play fair. The FBI found that ProLock’s decryptor (you know, the one you pay for) was a Trojan-horse gift and could corrupt files larger than 64MB, as reported by BleepingComputer. The Cybereason report showed that half of organizations that paid a ransom got their data back intact, while 46% found some or all of it corrupted.
• You could be violating federal laws. There are potential legal ramifications for paying the ransom. The S. Treasury Department’s Office of Foreign Assets Control (OFAC) has a cyber-related sanctions program, and it’s illegal to “do business” with anyone on that list – ransomware operators included.
• You could be setting up your organization for another attack. According to our research, of those organizations that paid the ransom, 80% got hit again and 68% were hit within the same month, only this time for a higher amount. In the case of REvil, the hackers approached extorted victims shortly after payment and demanded more money in a double extortion scheme, this time to not leak the exfiltrated data. Some leak it anyway.

Ransomware attacks may be inevitable, but they’re also preventable. Only Cybereason remains undefeated in the fight against ransomware, securing the highest-ever scores in MITRE ATT&CK testing. The Cybereason Defense Platform detects and automatically ends ransomware attacks in their earliest stages, long before ransomware detonates on an endpoint, so you don’t have to worry about losing data or paying ransoms and getting hit again.