A new survey of ransomware attacks serves up an old conclusion: Crime still does pay.
Security firm Semperis posted its latest Ransomware Risk Report on Thursday, and not much of that 32-page PDF should make for encouraging reading. Among companies that responded to this survey, getting targeted by ransomware attacks seems borderline inevitable, with 81% of US firms and 78% of those in all regions surveyed (North America, Europe and the UK, and Asia-Pacific) saying that it happened to them in the last 12 months.
Attackers maintain excellent batting averages, succeeding in 59% of attacks against US companies and 56% of those against all companies surveyed. And they will probably cash in, via Bitcoin or another cryptocurrency: 81% of successfully attacked US companies paid a ransom at least once in the last 12 months, with 35% saying they had done so twice, 15% three times, and 8% four or more times.
That was not the highest payoff percentage worldwide, with 83% of Asia/Pacific respondents saying they had paid ransoms. The lowest share was in Europe, at 50%.
Eight-figure payouts like the $75 million cited in a July 2024 report from the security firm Zscaler get a lot of attention, but the Semperis report suggests that most payments stop at six figures.
In the US, 51% of respondents paid from $500,000 to $1 million total over the last 12 months, 38% paid $500,000 or less, and 11% more than $1 million. Worldwide, the shares were 50% at $500,000 to $1 million, 42% at $500,000 or less, and 8% at more than $1 million.
The survey found that 15% of those victims got robbed a second time: they either never received decryption keys to free the data scrambled by the ransomware payload or received corrupted keys. A further 3% found that attackers had posted or otherwise illegally used the data they stole.
“Paying ransoms should never be the default option,” says Semperis CEO Mickey Bresman. “While some circumstances might leave the company in a no-choice situation, we should acknowledge that it’s a down payment on the next attack.”
Some ransomware attacks also come with side helpings of hurt: “47% of attacks leveraged threats to file regulatory complaints against the victims, while 40% involved physical threats against staff,” the report observes.
Most companies needed one day to a week to return to normal operations after a ransomware attack: 62% in the US and 58% in all regions. Roughly equal shares needed either less than a day (19% US and 23% everywhere surveyed) or from a week to a month (20% US and 18% all regions).
Prepare for an Attack Now
With the survey reporting that 83% of attacks involved a compromise of corporate identity infrastructure, those targeted organizations have a bigger cleanup job: “infiltrating Active Directory (AD), Entra ID, or Okta enables attackers to establish persistence, move laterally, and elevate privileges for greater reach once in the environment,” the report notes.
It also cites “sophisticated and frequent threats” and “legacy systems and technical debt” as top challenges for organizations after identity-system attacks.
Semperis worked with the consultancy Censuswide to conduct this survey in the first half of 2025, reaching what the report describes as “1,500 IT and security professionals across multiple industries, including education, finance, healthcare, government, energy, manufacturing and utilities, IT and telecommunications, and travel and transportation.”
The report advises organizations to ready themselves for changing attacks by seeking “opportunities to automate defense, response, and recovery functions” (of course there’s an AI angle), securing their identity infrastructure with tools to detect and recover from intrusions, testing and training their ransomware-response plans, and inspecting business relationships for supply-chain attack risks.
The report also offers a few pep talks in the form of quotes from the security experts Semperis assembled to contribute to it. For example, its first page features former Cybersecurity and Infrastructure Security Agency (CISA) director Jen Easterly saying “I do believe that we can make ransomware a shocking anomaly,” followed by her advising readers “to prepare your business for disruption” by keeping software patched, adding multi-factor authentication, and maintaining backups.
That is good advice, and until Wednesday Easterly—an Army veteran and West Point graduate—was set to share it as a department chair at the US Military Academy. But then the Trump administration rescinded her appointment after far-right activist Laura Loomer denounced the hiring, apparently outraged over Easterly’s work to dispel election disinformation.
“Unfortunately, the opportunity to serve again at my alma mater was rescinded—a casualty of casually manufactured outrage that drowned out the quiet labor of truth and the steady pulse of integrity,” Easterly wrote Thursday in a LinkedIn post.
Ransomware is an enormous problem, and the government does not help it when it punishes security professionals for telling the truth, like it did with Easterly’s CISA predecessor, Chris Krebs.
About Rob Pegoraro
Contributor