Ransomware actors are resorting to extreme measures to pressure victims into paying demands, including threats of physical harm to business executives.
Over the past 12 months, executives were physically threatened in 40% of ransomware incidents, according to a new report by Semperis.
This tactic increased to 46% of cases impacting US-based firms.
On top of this, victims reported that threat actors threatened to file regulatory complaints against them if they refused to pay in around half (47%) of attacks.
This threat was common against US companies, occurring in 58% of cases. This is likely due to growing regulatory requirements around cyber incident reporting in the region, including the Securities and Exchange Commission (SEC) four-day disclosure rule for publicly listed firms.
Ransomware group BlackCat reported one of its victims to the SEC in a bid to pressure payment in 2023.
Attackers use these additional levers to pressure victims into paying demands in response to growing resistance to extortion.
In July, Cisco Talos observed the Chaos ransomware group using extra threats if demands were not paid, including conducting a DDoS attack on the victim and spreading news of the incident to the firm’s competitors and clients.
Chainalysis reported that ransomware payments fell by 35% year-over-year in 2024 amid a growing refusal by victims to pay demands, enabled by improved cyber resiliency.
The new Semperis study observed a slight year-over-year fall in ransomware victims that paid a demand. However, the proportion that paid was still high, at 69%.
Ransom payment rates were highest in the US, with 81% of victims paying up.
Ransomware Payments Do Not Guarantee Recovery
More than half (55%) of organizations that paid a demand did so multiple times, with 29% of those firms paying three or more times.
Additionally, 15% of ransomware victims that paid either did not receive decryption keys or received corrupted keys.
Mickey Bresman, CEO of Semperis, said the findings demonstrate that paying ransomware actors should never be the default option for victims.
“While some circumstances might leave the company in a non-choice situation, we should acknowledge that it’s a downpayment on the next attack. Every dollar handed to ransomware gangs fuels their criminal economy, incentivizing them to strike again. The only real way to break the ransomware scourge is to invest in resilience, creating an option to not pay ransom,” he commented.
Of those that paid a ransom in the past 12 months, 50% paid their extortionists between $500,000 and $1m, while 42% paid $500,000 or less.
The remaining 8% paid over $1m to their attackers.
Many Victims Targeted on Multiple Occasions
The Semperis survey, published on July 31, found that 78% of organizations were targeted by ransomware during the past 12 months.
Organizations in Australia, New Zealand, Italy, Germany and the UK were most likely to be targeted, with over 81% affected in each of these regions.
Of those targeted, successful incidents occurred in 56% of cases. Around three-quarters (73%) of these victims suffered multiple attacks and 31% were attacked three or more times.
Follow-up attacks often occurred soon after the original incident – 17% simultaneously, 16% less than one day later, 37% one to six days later and 26% seven to 29 days following the first attack.
The top three ransomware-related business disruptions cited by victims were job losses (62%), data breaches (61%) and the cancellation of cybersecurity services or cyber insurance premiums (46%).
Around a quarter (23%) of ransomware victims took less than a day to return to normal operations, with 58% taking between one day and one week. Around a fifth (18%) took between one week and one month.
The report surveyed 1500 IT and security professionals working in multiple industries across North America, the UK, Europe and the Asia Pacific region during the first half of 2025.