“The 60 percent recovery rate reflects several technical and operational realities that regularly arise when responding to incidents,” James John, incident response manager at cybersecurity firm Bridewell, tells CSO. “First, ransomware operators vary significantly in their sophistication. Established groups like LockBit or ALPHV usually provide working decryption programs because they have a ‘good reputation’ to maintain. In contrast, smaller operators often deploy faulty encryption implementations or simply disappear after payment.”
Decryption programs are often slow and unreliable, John adds. Such tools could contain errors, corrupt files or render them inaccessible. “Large-scale decryption in corporate environments can take weeks and often fails with damaged files or complex database systems,” says the security specialist. “There are cases in which the decryption process itself also damages data.”
Daryl Flack, partner at British managed security provider Avella Security, takes a similar view: “Criminals often use faulty or incompatible encryption tools. Many companies lack the infrastructure to properly restore data, especially if backups are incomplete or systems are still compromised.”