Why Fewer Firms Pay Ransoms

Cyber attacks are on the rise, but fewer companies affected by extortion threats are opting to pay the ransoms demanded of them.

According to a recent study by the insurance broker Marsh, the percentage of companies breached that paid a ransom continued to decline; just 23% of affected firms paid a ransom to hackers last year, compared with 30% in 2022 and 63% in 2021. The study was not exclusive to banks.

Ransomware attacks rely on a type of malicious software that seizes control of a firm’s computer systems or data until a ransom is paid. They made up less than 20% of cyber attacks suffered by Marsh clients last year, but companies are especially concerned about this type of threat because of the potential for reputational damage. At the same time, firms are becoming more sophisticated in their approach to cybersecurity, and that is likely also influencing their willingness to pay ransoms.

“Organizations are just trying to do a better job, and not being beholden to an extortion threat is top of mind for running their business,” says Meredith Schnur, cyber practice leader at Marsh. “It all comes down to the pocketbook and reputation. Now they’re starting to treat cyber risk as a true reputational risk.”

Among those that did choose to cooperate with extortionists, the median ransom paid rose to $6.5 million, from $335,000 in 2022. But Schnur cautioned against reading too much into that figure, as it would be influenced by a handful of very large payments. The highest ransom paid in Marsh’s study last year was $30 million.

The financial services industry typically leads others in terms of cyber preparedness, but it’s not invulnerable. Recently, a criminal group calling itself LockBit launched a ransomware attack on $1 billion Evolve Bank & Trust in Memphis, Tennessee, and stole some customer data, including Social Security and bank account numbers, that it posted on the dark web.

In a statement updated on July 1, Evolve Bancorp confirmed the attack and said LockBit had posted that customer data online because the bank refused to pay the ransom. The bank said that it “stopped the attack within days,” contacted law enforcement and has seen no new unauthorized activity since the end of May.

Marsh’s findings on ransomware payments generally align with what others say they see in their own work, with some important distinctions. Cy Sturdivant, principal with Forvis Mazars, says that more banks are doing better at backing up their internal computer systems to an offline “air gapped” location, so they aren’t held hostage if hackers destroy systems and demand a ransom. Those attacks, specifically targeting a company’s computer systems, are on the decline in the banking industry, he says.

However, Sturdivant says he sees more attacks involving data exfiltration, where bad actors steal sensitive data belonging to a company. In those instances, it doesn’t necessarily matter if the affected firm has backed up its internal systems.

“Backups are getting better. Security is getting better. Encryption is getting better. Multifactor authentication is getting better,” he says. “But if they steal your data, and they ask for a ransom, it’s literally a matter of, ‘Do I pay or do I not pay?’”

That question can be a contentious one. Cyber insurance policies typically cover ransomware payments, so for a firm that pays up, the financial hit might not feel so painful.

But cybersecurity experts say there are other good reasons not to pay a ransom, aside from the question of cost. For one thing, payment of a ransom doesn’t guarantee the targeted bank will receive the code it needs to unlock its computer systems, or that a trove of sensitive data won’t be released onto the internet anyway. Ben LeClaire, a principal with Plante Moran, says that in some instances the targeted company has paid the ransom and saw the data released anyway, or never received the code to unlock its system.

Some believe that paying those ransoms only helps to perpetuate the growth of ransomware attacks worldwide.

“There’s a strong feeling that it fuels the activities of these hackers,” LeClaire says. “It wouldn’t be done if it wasn’t profitable.”

Ideally, a bank’s board should discuss its plan of action on ransomware before it ever becomes a reality. The bank should conduct regular tabletop exercises walking through detection, containment and next steps in the event of an attack.

Bankers should know what the insurance provider covers, too. In addition to covering the ransom payment, most cyber insurance providers will also have an expert panel that clients can consult in the event of an attack, Schnur says.

Directors can stay current on the threat landscape by pressing management on the type of attacks the bank currently faces, as well as potential future threats, LeClaire says. They might also ask about ongoing employee training, which can be one of the first lines of defense against cyber threats. The board should remember that it sets the tone at the top.

Sturdivant says, “Everything typically goes out the window when they’re under attack, and they’re responding from an emotional standpoint versus, ‘We knew this day would come, we’ve talked about it for years, we’ve done everything we can. I know we want to pay, but we’re just not going to.’”