Five new reasons not to pay ransoms

How the situation with ransomware attacks on companies has changed, and why paying a ransom has become an even worse and more useless idea in 2025.

The ransomware landscape in 2025

May 12 is World Anti-Ransomware Day. On this day, established in 2020 by INTERPOL and Kaspersky, we want to discuss the trends that can be traced in ransomware incidents and that show why negotiating with attackers and paying them in cryptocurrency is becoming an ever worse idea.

Low quality of decryptors

When a company’s infrastructure is encrypted as a result of an attack, the first thing a business wants to do is to get back to normal operations by recovering data on workstations and servers as quickly as possible. From the ransom notes, it may seem that, after paying the ransom, the company will receive a decryptor app that will quickly return all the information to its original state and allow resuming work processes almost painlessly. In practice, this almost never happens.

First, some extortionists simply deceive their victims and don’t send a decryptor at all. Such cases became widely known, for example, thanks to the leak of internal correspondence of the Black Basta ransomware group.

Second, the cybercriminals specialize in encryption, not decryption, so they put little effort into their decryptor applications, which as a result work poorly and slowly. It may turn out that restoring data from a backup copy is much faster than using the attackers’ utility. Their decryptors often crash when encountering exotic file names or access-rights conflicts (or simply for no apparent reason), and they have no mechanism for resuming decryption from the point where it was interrupted. Sometimes, due to faulty logic, they simply corrupt files. For that reason, a decryptor should only ever be run against copies of the encrypted data, never against the only copy.
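As an added example (not code from the article, and not any real decryptor), here is how an incident responder can run an attacker-supplied decryptor defensively: only against copies, with every output checked before it is accepted, and with a checkpoint file so a crash does not mean starting over. The decrypt callable interface, the XOR “decryptor” stand-in, the file names and the file contents are all constructed for the demo; a real decryptor is usually a command-line tool that you would wrap with subprocess behind the same interface.

```python
# Added example (not from the article, not a real decryptor): run an
# attacker-supplied decryptor defensively. Originals are never written to,
# every output is checked before acceptance, and progress is checkpointed so
# a crash does not mean starting over.
import hashlib
import json
import math
import tempfile
from collections import Counter
from pathlib import Path
from typing import Callable

# Headers a successfully decrypted file is expected to start with; extend for
# the formats used in your environment.
KNOWN_MAGIC = (b"%PDF", b"PK\x03\x04", b"\x89PNG", b"\xff\xd8\xff",
               b"\xd0\xcf\x11\xe0", b"<?xml", b"-----BEGIN")

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def entropy_bits_per_byte(data: bytes) -> float:
    """Shannon entropy: ciphertext sits near 8.0, most plaintext well below."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def looks_like_plaintext(data: bytes) -> bool:
    """Acceptance test for decryptor output: known header, mostly printable text,
    or (only for files large enough for the statistic to mean anything) low entropy."""
    if data.startswith(KNOWN_MAGIC):
        return True
    printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in data)
    if data and printable / len(data) > 0.95:
        return True
    return len(data) >= 4096 and entropy_bits_per_byte(data) < 7.2

def run_decryptor_safely(encrypted_dir: Path, work_dir: Path,
                         decrypt: Callable[[str, bytes], bytes]) -> dict:
    """Apply decrypt(name, ciphertext) to every file under encrypted_dir. Accepted output
    goes to work_dir/decrypted; progress.json is rewritten after every file so an
    interrupted run resumes where it stopped instead of starting over."""
    work_dir.mkdir(parents=True, exist_ok=True)
    progress_path = work_dir / "progress.json"
    progress = json.loads(progress_path.read_text()) if progress_path.exists() else {}
    summary = {"ok": 0, "rejected": 0, "failed": 0, "skipped": 0}
    for src in sorted(p for p in encrypted_dir.rglob("*") if p.is_file()):
        rel = src.relative_to(encrypted_dir).as_posix()
        ciphertext = src.read_bytes()
        digest = sha256(ciphertext)
        prev = progress.get(rel)
        if prev and prev["status"] == "ok" and prev["input_sha256"] == digest:
            summary["skipped"] += 1            # done in an earlier run
            continue
        record = {"input_sha256": digest}
        try:
            plaintext = decrypt(rel, ciphertext)
            if looks_like_plaintext(plaintext):
                out = work_dir / "decrypted" / rel
                out.parent.mkdir(parents=True, exist_ok=True)
                out.write_bytes(plaintext)
                record.update(status="ok", output_sha256=sha256(plaintext))
                summary["ok"] += 1
            else:                               # "succeeded" but produced garbage
                record["status"] = "rejected"
                summary["rejected"] += 1
        except Exception as exc:                # decryptor crashed; carry on with the rest
            record.update(status="failed", error=repr(exc))
            summary["failed"] += 1
        progress[rel] = record
        progress_path.write_text(json.dumps(progress, indent=1))
    return summary

# --- constructed demo: stand-in decryptor and sample files (hypothetical) ---
DEMO_KEY = b"k3y!"
WRONG_KEY = bytes(b ^ 0xA0 for b in DEMO_KEY)   # simulates a file the key does not fit

def xor(data: bytes, key: bytes) -> bytes:
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def demo_decryptor(name: str, data: bytes) -> bytes:
    """Stand-in with the failure modes described above: crashes on non-ASCII
    file names and emits garbage when the key does not fit."""
    if not name.isascii():
        raise RuntimeError(f"unsupported file name: {name!r}")
    return xor(data, DEMO_KEY)

def demo() -> tuple:
    """Two runs over four constructed files; the second run skips what the first accepted."""
    root = Path(tempfile.mkdtemp())
    enc = root / "encrypted"
    enc.mkdir()
    (enc / "report.txt").write_bytes(xor(b"Quarterly report: revenue up 4%, costs flat.\n", DEMO_KEY))
    (enc / "invoice.pdf").write_bytes(xor(b"%PDF-1.4\n% constructed stub, not a real PDF\n", DEMO_KEY))
    (enc / "r\u00e9sum\u00e9.txt").write_bytes(xor(b"Jane Doe, security engineer\n", DEMO_KEY))
    (enc / "notes.txt").write_bytes(xor(b"Meeting notes: move backups to object lock.\n", WRONG_KEY))
    first = run_decryptor_safely(enc, root / "work", demo_decryptor)
    second = run_decryptor_safely(enc, root / "work", demo_decryptor)
    return first, second, root
```

In the demo, the first run accepts two files, records one crash (the non-ASCII name) and rejects one whose output fails the plaintext check; the second run skips the two accepted files and retries only the problem cases, which is exactly the behaviour the attackers’ own tools lack.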

Repeated attacks

A blackmailer who has been paid once has every reason to come back, and ransomware extortion is no different. Cybercriminal gangs communicate with each other, and “affiliates” switch between ransomware-as-a-service providers. In addition, when law enforcement agencies successfully stop a gang, they are not always able to arrest all of its members, and those who evade capture take up their old tricks in another group. As a result, the fact that a victim paid becomes known to the new gang, which tries to attack the same organization again – often successfully.

Tightening of legislation

Modern attackers not only encrypt, but also steal data, which creates long-term risks for a company. After a ransomware attack, a company has three main options:

  • publicly report the incident and restore operations and data without communicating with the cybercriminals;
  • report the incident, but pay a ransom to restore the data and prevent its publication;
  • conceal the incident by paying a ransom for silence.

The last option has always been a ticking time bomb – as the cases of Westend Dental and Blackbaud prove. Moreover, many countries are now passing laws that make such concealment illegal. For example:

  • the NIS2 (network and information security) directive and DORA (Digital Operational Resilience Act) adopted in the EU require companies in many industries, as well as large and critical businesses, to promptly report cyber incidents, and also impose significant cyber resilience requirements on organizations;
  • a law is being discussed in the UK that would prohibit government organizations and critical infrastructure operators from paying ransoms, and would also require all businesses to promptly report ransomware incidents;
  • the Cybersecurity Act has been updated in Singapore, requiring critical information infrastructure operators to report incidents, including ones related to supply-chain attacks and to any customer service interruptions;
  • in the U.S., a package of federal directives and state laws that would prohibit large payments (more than $100,000) to cybercriminals and require prompt reporting of incidents is under discussion and has been partially adopted.

Thus, even a company that has successfully recovered from an incident risks facing unpleasant consequences for years to come if it secretly paid the extortionists and the incident later becomes public (for example, after the extortionists are arrested).

Lack of guarantees

Often, companies pay not for decryption, but for an assurance that stolen data won’t be published and that the attack will remain confidential. But there is never any guarantee that this information won’t surface later. As recent incidents show, both the fact of the attack and the stolen corporate data can come to light in several ways:

  • As a result of an internal conflict among attackers, for example disagreements within a group or an attack by one group on the infrastructure of another. The victims’ data is then published out of revenge, or leaked to help destroy a competing gang’s assets. In 2025, victims’ data appeared in a leak of the Black Basta gang’s internal correspondence; more victims’ data was disclosed when the DragonForce group seized and destroyed the infrastructure of two rivals, BlackLock and Mamona. On May 7, the Lockbit website was hacked and data from its admin panel was made publicly available, listing and describing in detail all the group’s victims over the past six months.
  • During a raid by law enforcement agencies on a ransomware group. The police, of course, won’t publish the data itself, but the fact that the incident took place will be disclosed. This is how Lockbit’s victims became known last year.
  • Due to a mistake by the ransomware group itself. Ransomware groups’ infrastructure is often not particularly well protected, and the stolen data can be accidentally found by security researchers, competitors, or just random people. The most striking example was a giant collection of data stolen from five large companies by various ransomware gangs and published in full by the hacktivist collective DDoSecrets.

Ransomware may not be the main problem

Thanks to the activities of law enforcement agencies and the evolution of legislation, the portrait of a “typical ransomware group” has changed dramatically. The large groups typical of incidents in 2020-2023 have become less active, and ransomware-as-a-service schemes have come to the fore, in which the attacking party can be a very small team or even an individual. An important trend has emerged: while the number of encryption incidents has increased, the total amount of ransoms paid has decreased. There are two reasons for this: first, victims increasingly refuse to pay, and second, many extortionists are forced to attack smaller companies and ask for smaller ransoms. More detailed statistics can be found in our report on Securelist.

But the main change is that there have been more cases where attackers have mixed motives; for example, one and the same group conducts espionage campaigns and simultaneously infects the infrastructure with ransomware. Sometimes the ransomware serves only as a smokescreen for espionage, and sometimes the attackers are apparently carrying out someone’s order to extract information and using extortion as an additional source of income. For business owners and managers, this means that in a ransomware incident it is impossible to fully understand the attacker’s motivation or assess its reputation.

How to deal with a ransomware incident

The conclusion is simple: paying ransomware operators is not a solution; it may prolong and deepen the problem. The key to a quick business recovery is a response plan prepared in advance.

Organizations need to implement detailed plans for IT and infosec departments to respond to a ransomware incident. Special attention should be given to scenarios for isolating hosts and subnets, disabling VPN and remote access, and deactivating accounts (including primary administrative ones), with a transition to backup accounts. Regular restore drills from backups are also a good idea. And don’t forget to store those backups in an isolated system where an attack cannot corrupt them: offline or immutable storage, with credentials that are not reachable from the production domain.

To implement these measures and be able to respond ASAP, before an attack spreads across the entire network, a continuous, in-depth monitoring process is needed: large companies will benefit from an XDR solution, while smaller businesses can get high-quality monitoring and response by subscribing to an MDR service.
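As an added example (not code from the article) for the backup point above, here is a restore drill that detects whether a backup set has been touched: a manifest of per-file SHA-256 digests is bound together with an HMAC under a key that is assumed to be kept off the production network (in a vault or on the isolated backup host), so an attacker who can rewrite the backup share cannot also produce a matching manifest. The backup contents, the simulated attack and the key are constructed for the demo.

```python
# Added example (not from the article): a tamper-evident manifest for restore
# drills. Per-file SHA-256 digests are bound with an HMAC whose key is assumed
# to be kept off the production network (vault or isolated backup host), so an
# attacker who can rewrite the backup share cannot also rewrite the manifest.
import hashlib
import hmac
import json
import os
import tempfile
from pathlib import Path

def file_sha256(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def _canonical(files: dict) -> bytes:
    # Stable serialization so the HMAC covers exactly the same bytes on both sides.
    return json.dumps(files, sort_keys=True, separators=(",", ":")).encode()

def build_manifest(backup_root: Path, key: bytes) -> dict:
    """Digest every file under backup_root and authenticate the table with HMAC-SHA256."""
    files = {p.relative_to(backup_root).as_posix(): file_sha256(p)
             for p in sorted(backup_root.rglob("*")) if p.is_file()}
    return {"files": files, "hmac": hmac.new(key, _canonical(files), "sha256").hexdigest()}

def verify_backup(backup_root: Path, manifest: dict, key: bytes) -> dict:
    """Restore-drill check. Problems: 'modified' (content changed, e.g. encrypted
    in place), 'missing' (deleted or renamed, e.g. to .locked) and 'unexpected'
    (new files such as a ransom note). A bad HMAC means the manifest itself is untrustworthy."""
    mac = hmac.new(key, _canonical(manifest["files"]), "sha256").hexdigest()
    if not hmac.compare_digest(mac, manifest["hmac"]):
        return {"manifest_ok": False, "problems": {}}
    problems = {}
    for rel, digest in manifest["files"].items():
        p = backup_root / rel
        if not p.is_file():
            problems[rel] = "missing"
        elif file_sha256(p) != digest:
            problems[rel] = "modified"
    for p in backup_root.rglob("*"):
        rel = p.relative_to(backup_root).as_posix()
        if p.is_file() and rel not in manifest["files"]:
            problems[rel] = "unexpected"
    return {"manifest_ok": True, "problems": problems}

def demo() -> tuple:
    """Constructed scenario: take a backup, simulate what ransomware does to reachable
    storage, and run the drill before, after, and against a forged manifest."""
    key = b"drill-key-example"          # placeholder; a real key comes from a vault
    backup = Path(tempfile.mkdtemp()) / "backup"
    (backup / "db").mkdir(parents=True)
    (backup / "db" / "customers.sql").write_text("INSERT INTO customers VALUES (1, 'ACME');\n")
    (backup / "config.yaml").write_text("retention_days: 30\n")
    (backup / "wiki.html").write_text("<html>runbooks</html>\n")
    manifest = build_manifest(backup, key)
    clean = verify_backup(backup, manifest, key)
    # Simulated attack on a backup share the attacker could reach:
    (backup / "db" / "customers.sql").write_bytes(os.urandom(64))    # encrypted in place
    (backup / "config.yaml").rename(backup / "config.yaml.locked")    # renamed
    (backup / "README_RESTORE.txt").write_text("pay us\n")           # ransom note dropped
    attacked = verify_backup(backup, manifest, key)
    # Rewriting the file table to match the damaged share does not help without the key:
    forged = {"files": build_manifest(backup, key)["files"], "hmac": manifest["hmac"]}
    return clean, attacked, verify_backup(backup, forged, key)
```

The drill is only meaningful if the manifest and key live somewhere the production domain cannot write to; if both sit on the same share as the backups, an attacker who encrypts the share can simply regenerate them.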

Tips