Two in five companies that pay cybercriminals for ransomware decryption fail to recover their data as a result, according to a survey of thousands of SMEs by insurance provider Hiscox.
The survey also revealed that ransomware remains a major threat, with 27% of businesses surveyed reporting an attack in the past year. Of those affected, 80% — which includes both insured and uninsured businesses — paid a ransom in an attempt to recover or protect critical data.
But only 60% successfully recovered all or part of their data as a result, Hiscox’s Cyber Readiness Report found.
A QBE Insurance report earlier this month on cybercrime and cloud-based threats revealed that ransomware incidents nearly tripled year-on-year, reaching 1,537 in Q1 2025 compared with 572 in the same quarter last year. CrowdStrike’s 2025 State of Ransomware Survey, also released this month, found that 93% of ransomware-paying victims had data stolen anyway.
Flawed ransomware encryption often frustrates recovery
Hiscox’s statistics on the plight of ransomware victims highlight just one of myriad difficulties organizations face when attempting to recover from ransomware attacks, industry experts say.
“The 60% recovery rate reflects several technical and operational realities encountered regularly in incident response,” James John, incident response manager at cybersecurity firm Bridewell, tells CSO. “Firstly, ransomware operators vary significantly in sophistication. Whilst established groups like LockBit or ALPHV typically provide functional decryptors, as they have a ‘reputation’ to maintain, smaller operations often deploy flawed encryption implementations or simply disappear after payment.”
Decryptors are frequently slow and unreliable, John adds.
“Large-scale decryption across enterprise environments can take weeks and often fails on corrupted files or complex database systems,” he explains. “Cases exist where the decryption process itself causes additional data corruption.”
Even when decryptor tools are supplied, they may contain bugs, or leave files corrupted or inaccessible. Many organizations also rely on untested — and vulnerable — backups. Making matters still worse, many ransomware victims discover that their backups were also encrypted as part of the attack.
“Criminals often use flawed or incompatible encryption tools, and many businesses lack the infrastructure to restore data cleanly, especially if backups are patchy or systems are still compromised,” says Daryl Flack, partner at UK-based managed security provider Avella Security and cybersecurity advisor to the UK Government.
Additional recovery pressures
Modern ransomware attacks now routinely involve double or triple extortion whereby attackers threaten to leak stolen data or launch distributed denial of service (DDoS) attacks even after payment.
This fundamentally changes what victims can expect when they decide to pay: more often than not, payment fails to resolve many of the problems a ransomware attack creates.
“Paying only addresses the encryption element, not the broader compromise,” Bridewell’s John notes.
Moreover, a ransomware incident puts an organization under enormous pressure, with legal, operational, and reputational issues all converging, often within a matter of hours.
These factors, combined with the inherent uncertainty of dealing with criminals, help explain why paying the ransom so often falls short of achieving full data recovery.
Lillian Tsang, senior solicitor in Harper James’ data protection and privacy team, warns that even when a decryption key is received, some data may already be permanently damaged, altered, or stolen.
“That creates operational challenges but also raises data protection concerns, particularly where personal data is involved,” Tsang explains. “If records are lost or compromised, this can amount to a personal data breach under UK GDPR, which brings reporting obligations and the potential for regulatory scrutiny.”
Paying a ransom doesn’t give a business any legal recourse if the criminals fail to deliver and, worse, “payment can create further risk if funds are unknowingly transferred to a sanctioned group,” Tsang warns.
Financial resilience and legal issues
How a ransomware attack plays out in practice is illustrated by an account from an executive at Kantsu, a midsize Japanese logistics company. Kantsu President Hisahiro Tatsujo told CIO.com about the company’s efforts to restore operations following a ransomware attack.
Kantsu — which did not pay a ransom — was obliged to ask financial institutions for loans to cover the cost of recovering its operations because, although it was insured, its insurance firm had to go through a claims process before making a payout. The incident illustrates how enterprises need a financial as well as an operational plan to recover successfully from ransomware attacks.
Moreover, when systems are disrupted by ransomware attacks, legal obligations kick in almost immediately with requirements to notify regulators and affected individuals, especially if personal data is affected by a breach.
“One of the biggest challenges is making rapid, high-stakes decisions with only fragments of information,” says Harper James’ Tsang. “Senior leaders have to weigh the legal risks of payment, the impact on business continuity, and the potential consequences for individuals, often with limited technical clarity.”
Forewarned is forearmed
Some experts advise maintaining a retainer with an incident response firm as part of disaster recovery plans that anticipate the all-too-real possibility of a ransomware attack.
“Having a retainer with a reputable incident response or negotiation firm — one equipped to handle cryptocurrency transactions — is crucial,” says Jeremy Samide, CEO at Blackwired, a cybersec company focused on direct threat intelligence. “Such firms manage negotiations, have access to multiple crypto types (e.g., Bitcoin, Monero, Zcash), and can execute transfers securely if payment becomes the only path to recovery.”
Samide adds: “Preparation doesn’t mean capitulation — it means being ready for every scenario.”
Harper James’ Tsang cautions against setting aside funds to pay criminals in the event of ransomware attacks.
“Setting aside funds to pay a ransom is increasingly viewed as problematic,” Tsang says. “While payment isn’t illegal in itself, it may breach sanctions, it can fuel further criminal activity, and there is no guarantee of a positive outcome.”
A more secure legal and strategic position comes from investing in resilience through strong security measures, well-tested recovery plans, clear reporting protocols, and cyber insurance, Tsang advises.
“Cyber insurance is crucial for ransomware attacks because not only does it provide financial protection, but it can also give organizations access to specialized support that can significantly reduce damage and downtime,” Tsang explains.
Cyber insurance policies often offer active crisis management, with provisions that can cover:
- Immediate incident response and forensic investigation
- Containment and remediation of infected systems
- Negotiation and legal coordination with attackers
- Data recovery and business continuity support
“Insurance can’t prevent an attack — but it can soften the blow, bring structure to chaos, and ensure that organizations don’t navigate ransomware crises alone,” says Blackwired’s Samide.
But cyber insurance still comes with caveats, other experts caution.
“Insurance premiums are rising, and insurers now expect a stronger baseline of cybersecurity measures — multi-factor authentication, patch management, and tested backups — before offering or renewing coverage,” says Avella Security’s Flack. “This shift encourages organizations to adopt better security practices as part of their risk management approach.”
Cyber recovery
Cyber recovery following a ransomware attack should be treated like disaster recovery: a fully defined and documented in-house recovery plan from which uncompromised data can be restored with confidence, experts advise.
“When enterprises are hit by ransomware, one of the first and most pressing challenges is assessing the full scope of the attack — identifying which data has been compromised, which systems are affected, and whether existing backups can be trusted,” Jim McGann, CMO at Index Engines, explains. “Even when backups are available, verifying their integrity is a major hurdle, as they may contain corrupted or altered files that could reintroduce the threat during recovery.”
“Enterprises now need in-house recovery plans that include forensic-level data validation of data, not just restoration,” McGann advises.
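The backup validation McGann describes, and the untested backups mentioned earlier, can be made concrete with a small check run before any restore. This is an added example, not code from the article or from Index Engines: it assumes a manifest of SHA-256 hashes captured at backup time and stored out of band, and uses a byte-entropy heuristic to flag files that look encrypted rather than merely edited; the file names and contents are constructed sample data.

```python
# Added example: verify a backup set against a known-good manifest before
# restoring it, flagging missing, modified, likely-encrypted and unexpected files.
import hashlib
import math
from collections import Counter

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~8.0 for random or encrypted content, usually < 5.5 for text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def verify_backup(manifest: dict, backup: dict, entropy_threshold: float = 7.5) -> dict:
    """manifest: path -> sha256 captured at backup time (kept off the backup host).
    backup: path -> bytes as read from the backup set. Returns path -> verdict."""
    report = {}
    for path, expected in manifest.items():
        data = backup.get(path)
        if data is None:
            report[path] = "missing"
        elif sha256(data) == expected:
            report[path] = "ok"
        elif shannon_entropy(data) >= entropy_threshold:
            report[path] = "modified-high-entropy"  # content looks encrypted, not edited
        else:
            report[path] = "modified"
    for path in backup:
        if path not in manifest:
            report[path] = "unexpected"  # file the manifest never recorded
    return report

def safe_to_restore(report: dict) -> bool:
    """Only restore when every manifest entry is present and unchanged."""
    return all(verdict == "ok" for verdict in report.values())

# Constructed sample data (hypothetical file names and contents).
GOOD = {"invoices.csv": b"id,amount\n1,100\n2,250\n", "readme.txt": b"Quarterly report\n"}
MANIFEST = {path: sha256(data) for path, data in GOOD.items()}

# Constructed tampered backup: one file replaced by uniform bytes (entropy 8.0,
# simulating ciphertext), one file gone, and one file that was never backed up.
TAMPERED = {"invoices.csv": bytes(range(256)) * 16, "NOTE.txt": b"constructed unexpected file\n"}

if __name__ == "__main__":
    for path, verdict in verify_backup(MANIFEST, TAMPERED).items():
        print(f"{path}: {verdict}")
    print("safe to restore:", safe_to_restore(verify_backup(MANIFEST, TAMPERED)))
```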