Illumio & Ponemon Institute

16 STATS · 1 REPORT

All Statistics

51% of ransomware victims paid a ransom demand.

Illumio & Ponemon Institute, The Global Cost of Ransomware Study · Jan 1, 2025

35% of organisations experienced brand damage as a consequence of a ransomware attack in 2024, up from 21% in 2021.

Illumio & Ponemon Institute, The Global Cost of Ransomware Study · Jan 1, 2025

Of the 49% of ransomware victims that did not pay a ransom, the main reasons were: compromised data wasn't critical (49%), having an effective backup strategy (48%), company policy (47%), lack of trust in the provision of a decryption key (46%), and law enforcement advice (40%).

Illumio & Ponemon Institute, The Global Cost of Ransomware Study · Jan 1, 2025

The primary reasons for not reporting these incidents were unwanted publicity (39%), being up against a payment deadline (38%), fear of retaliation (38%), and not believing the extortion demand was exorbitant (24%).

Illumio & Ponemon Institute, The Global Cost of Ransomware Study · Jan 1, 2025

Only 28% of respondents said their organisations informed law enforcement when they were hit by ransomware.

Illumio & Ponemon Institute, The Global Cost of Ransomware Study · Jan 1, 2025

Data exfiltration was the most common tactic used by ransomware groups to exert pressure (47%), followed by DDoS attacks (45%), data encryption (43%), and communicating with stakeholders/customers (34%).

Illumio & Ponemon Institute, The Global Cost of Ransomware Study · Jan 1, 2025

The proportion of respondents reporting a significant revenue loss as a result of a ransomware attack nearly doubled from 22% in 2021 to 40% in 2024.

Illumio & Ponemon Institute, The Global Cost of Ransomware Study · Jan 1, 2025

Motivations for paying a ransom included not wanting data leaked (47%), inability to afford downtime (47%), having cyber insurance (41%), and all of the above (40%).

Illumio & Ponemon Institute, The Global Cost of Ransomware Study · Jan 1, 2025

Phishing was the most common way of delivering ransomware, accounting for 45% of incidents. This is a slight fall compared to 2021, when phishing was used in 48% of ransomware attacks. The next most common methods were remote desktop protocol (RDP) compromises (32%) and exploiting software vulnerabilities (19%).

Illumio & Ponemon Institute, The Global Cost of Ransomware Study · Jan 1, 2025

In 2021, organisations spent an average of 190 hours and had 14 staff and third parties involved in containment and remediation, costing an average of $168,910.

Illumio & Ponemon Institute, The Global Cost of Ransomware Study · Jan 1, 2025

58% of organisations hit by ransomware in 2024 were forced to shut down operations to recover. This is an increase from 45% in 2021.

Illumio & Ponemon Institute, The Global Cost of Ransomware Study · Jan 1, 2025

Containment and remediation of a ransomware attack in 2024 took an average of 132 hours and involved an average of 17.5 staff and third parties, resulting in an average cost of $146,685.

Illumio & Ponemon Institute, The Global Cost of Ransomware Study · Jan 1, 2025

40% said that the data was still leaked following payment.

Illumio & Ponemon Institute, The Global Cost of Ransomware Study · Jan 1, 2025

52% of respondents said systems with unpatched vulnerabilities are targeted for lateral movement and privilege escalation, a significant rise from 33% in 2021.

Illumio & Ponemon Institute, The Global Cost of Ransomware Study · Jan 1, 2025

32% revealed the attackers demanded further payment or threatened more attacks.

Illumio & Ponemon Institute, The Global Cost of Ransomware Study · Jan 1, 2025

Only 13% of respondents said all impacted data was recovered after paying a ransom.

Illumio & Ponemon Institute, The Global Cost of Ransomware Study · Jan 1, 2025