4 March 2026

Ransomware Resilience: Why German Companies Pay Less Frequently


When the LockBit group demanded $50 million in ransom from Continental, the automotive supplier did not pay. When Akira paralyzed Südwestfalen-IT and pushed 72 municipalities back into the analog age, no one paid. And overall, German companies pay less often than the rest of the world: 42 percent compared with 56 percent globally. This is no coincidence. It is the result of a combination of BSI recommendations, GDPR reporting obligations, and a backup culture whose consistency is unique in Europe.

Key Takeaways

  • Payment rate: 42 percent of affected German companies pay the ransom – globally, the figure is 56 percent (Sophos 2024)
  • Threat landscape: 58 percent of German companies were attacked by ransomware in 2024, with 309,000 new malware variants per day (BSI)
  • Economic damage: 266.6 billion euros in total damage from cyberattacks in Germany in 2024, including 178.6 billion from cybercrime (Bitkom)
  • NIS2 effect: Since December 2025, immutable backups, network segmentation, and MFA have been legal requirements for more than 30,000 companies
  • Continental case: 40 terabytes exfiltrated, $50 million demand – not paid

Why Germany Pays Less Often

According to the Sophos State of Ransomware 2024 (500 German companies surveyed), 42 percent of affected German companies paid a ransom – down from 44 percent the previous year. Globally, the rate is 56 percent. The Bitkom economic protection survey arrives at an even lower figure: only 12 percent of all German companies (including those not attacked) have met ransom demands.

The 14-percentage-point gap compared with the global average has four measurable causes.

First: The position of the BSI and BKA is unequivocal. The BSI explicitly advises against paying a ransom. The reasoning: there is no guarantee of receiving a working decryption key, payment funds criminal structures, and it does not prevent a repeat attack. In many other countries, there is no comparably clear and authoritatively communicated recommendation from a federal authority. In Germany, this creates normative pressure that has a measurable effect.

Second: The GDPR reporting obligation eliminates the motive for concealment. In ransomware attacks involving personal data, GDPR Article 33 requires notification to the supervisory authority within 72 hours. Paying a ransom does not release companies from this obligation. That removes a key motive for quiet payments: if the incident has to be reported anyway, there is no incentive to hide it by paying.

Third: Cyber insurance policies cap ransom reimbursements. According to BaFin, German insurers reimbursed ransom payments between 2020 and 2022 only in the low double-digit million-euro range. Only 25 percent of German cyber insurers pay ransoms without restrictions, while 56 percent set sublimits or conditions. In 2024, the GDV revised its model terms and conditions – ransom reimbursement remains a regulated exception, not automatic coverage.

Fourth: The backup culture is stronger than elsewhere. The BSI has established the 3-2-1 backup rule (three copies, two different media, one offline) as the standard. German companies invest above average in backup infrastructure – not out of conviction alone, but because ISO 27001, BSI IT-Grundschutz, and industry-specific standards such as TISAX require functioning backups as a mandatory component.

  • 42% pay in Germany (vs. 56% globally)
  • 266.6bn euros total damage in 2024
  • 309,000 new malware variants per day

Sources: Sophos State of Ransomware 2024, Bitkom Economic Protection 2024, BSI Situation Report 2024

Continental: 50 million demanded, nothing paid

The Continental case from 2022 shows how German industrial companies deal with ransomware extortion. On July 1, 2022, an attacker gained access to the network through an employee’s browser download. For around four weeks, the attacker moved through the systems unnoticed. The result: around 40 terabytes of exfiltrated data. LockBit 3.0 offered the data on the dark web for 50 million US dollars.

Continental did not pay. In February 2023, the group informed tens of thousands of employees about the data theft, cooperated with authorities, and accepted the reputational costs. It was not the comfortable decision, but it was the right one: the data had already been exfiltrated, payment would not have reliably prevented publication, and it would have marked the company as a victim willing to pay.

Notably, Continental was not encrypted in the classic sense. The attack was pure data exfiltration followed by extortion – a trend that intensified massively in 2024. Attackers have realized that companies with functioning backups can survive encryption. That is why they are increasingly relying on data theft and threatening publication. Backups alone do not help against this attack vector. What is needed is Network Detection and Response (NDR), consistent network segmentation, and rapid incident response.

The fact that Continental was compromised unnoticed for four weeks highlights another core German problem: Mean Time to Detect (MTTD) is too long in many companies. Four weeks is enough time not only to exfiltrate 40 terabytes, but also to install backdoors, escalate access rights, and compromise the entire Active Directory. Investments in detection and monitoring are at least as important as investments in prevention – a lesson Continental learned the hard way.

Südwestfalen-IT: The Anatomy of a Total Outage

On October 30, 2023, the Akira ransomware group hit Südwestfalen-IT – the municipal IT service provider for more than 70 municipalities and district administrations in North Rhine-Westphalia. The attack vector: a VPN solution without multi-factor authentication, allegedly compromised via brute force.

The outcome was devastating: 1,463 servers were affected, 871 had to be completely rebuilt, and 592 were restored. 1.6 million citizens were affected, and around 20,000 municipal workstations went down. Citizens’ offices could not issue identity documents, vehicle registrations were impossible, and social benefits could not be processed. Recovery took a full year – by October 2024, 98 percent of services were available again.

The direct additional costs for Südwestfalen-IT (SIT) alone came to at least 2.8 million euros. Hochsauerlandkreis put its costs at around 1.5 million euros for the first four months. The Siegen-Wittgenstein district is planning 1.4 million euros for 2025 alone. As far as is known, no ransom was paid.

The case shows two things at once: German organizations do not pay even under extreme pressure – that is the good news. But the cost of non-payment is substantial when the backup and recovery infrastructure is not state of the art. A VPN solution without multi-factor authentication should never have been in production in 2023. The IT industry had known this for years, and mandatory MFA had long been anchored in BSI recommendations.

Südwestfalen-IT is also a warning sign for the municipal IT landscape as a whole. According to the BSI, 80 percent of all reported cyberattacks target SMEs – and municipal IT service providers are often de facto SMEs carrying the responsibility of a large corporation. They operate critical infrastructure for hundreds of thousands of citizens, but have neither the budget nor the staff of a DAX-listed company. NIS2 is intended to close this gap, but whether 30,000 newly regulated companies will actually be compliant by 2026 remains an open question.

German companies pay less often – not because they are not attacked, but because backup culture, BSI guidance, and regulatory pressure make payment the last resort, not the first option.

NIS2: Ransomware resilience becomes law

Since December 6, 2025, Germany’s NIS2 Implementation Act has been in force – with no transition period. More than 30,000 companies across 18 sectors (from 50 employees or 10 million euros in revenue) must now implement a series of measures aimed directly at ransomware resilience.

The list of obligations reads like a BSI ransomware protection concept: immutable and encrypted backups (immutable backups as an explicit requirement), network segmentation, MFA for administrative accounts, risk analysis and risk management, supply chain security and training for management. Security incidents must be reported within 24 hours – stricter than the GDPR’s 72-hour deadline.

For ransomware resilience, NIS2 means a push for quality: what used to be best practice is now law. Companies that have already implemented BSI IT-Grundschutz or ISO 27001 are well prepared. Everyone else now has to invest – not because they want to, but because management faces personal liability if compliance fails. A case like Südwestfalen-IT – VPN without MFA – would under NIS2 be not only an operational failure, but a personal liability risk for management. This fundamentally changes the dynamics in the boardroom: cybersecurity investments are no longer optional IT budgets, but mandatory spending to avoid personal liability.

The 24-hour reporting obligation has another disciplining effect: companies must set up their incident detection in such a way that they can actually identify and classify an incident within 24 hours. At Continental, detection took four weeks. Under NIS2, that would be a compliance failure, because the reporting obligation can only take effect if detection works. This forces companies to invest in security operations centers (SOCs) and automated anomaly detection – exactly the areas that, in ransomware cases, make the difference between a prevented attack and a total outage.

What German companies are doing better – and where things still fall short

Better: The payment rate is falling. The BSI recommendation against paying has become established as a normative guideline. The GDPR reporting obligation makes cover-ups pointless. The insurance industry enforces discipline through sublimits and requirements. And NIS2 turns backup investments into a compliance obligation. This is a four-layer system that is more effective as a whole than any individual measure.

Worse: The threat situation is intensifying nonetheless: 309,000 new malware variants per day, 78 new vulnerabilities every day, and 22 APT groups active in Germany. 80 percent of all reported cyberattacks hit SMEs, which have often implemented neither BSI baseline protection nor ISO 27001. And recovery times are no shorter than they are globally: according to Sophos, typical downtime in Germany is one month, with 92 percent of victims experiencing business interruptions.

Globally, there is a worrying countertrend: according to Sophos, the use of backups for recovery fell in 2025 to a four-year low of 53 percent worldwide. This is not because backups have become worse, but because attackers specifically compromise backup systems before encrypting production systems. Immutable backups – unchangeable and physically or logically separated from the production network – are the only reliable answer to this, and are now mandatory under NIS2.

Another bright spot: 53 percent of ransomware victims worldwide recovered within one week in 2025 – a significant increase from just 35 percent the previous year (Sophos 2025). This shows that investments in recovery capabilities are having an effect, even as the threat landscape is becoming more complex at the same time. For German companies, this means that the combination of regulatory pressure (NIS2), official guidance (BSI), and insurance incentives (BaFin/GDV) is creating an ecosystem that systematically promotes ransomware resilience. This is no coincidence, but a politically intended and regulatorily enforced outcome.

German recovery costs, at around 1.6 million euros, are below the global average of 2.73 million dollars (Sophos 2024). This is a measurable economic advantage of higher resilience. Companies that do not pay and can recover faster save not only the ransom itself, but also the follow-on costs: lower insurance premiums, less reputational damage, and shorter business interruptions.

Five measures for real ransomware resilience

1. Implement immutable backups. The 3-2-1 rule is no longer enough when attackers deliberately compromise backup systems. Immutable backups that are physically or logically separated from the production network are the only reliable last line of defense. NIS2 makes them mandatory.

2. MFA everywhere – without exception. The Südwestfalen-IT attack would have been prevented with MFA on the VPN solution. Every administrative access point, every remote access route, and every privileged account must be protected by a second factor. This is not a recommendation; it is a NIS2 requirement.

3. Test recovery regularly. A backup that has never been tested is not a backup. A full restore should be simulated at least once per quarter, including the question: How quickly can we resume business operations?

4. Detect data exfiltration. The Continental case shows that encryption is no longer the only attack vector. Network Detection and Response (NDR) and Data Loss Prevention (DLP) must detect unusual data outflows before 40 terabytes have left the network. Investing in detection is at least as important as investing in prevention – because no perimeter is perfect, and the question is not whether an attacker gets in, but how quickly they are discovered.

5. Create and rehearse an incident response plan. Do not wait until an actual emergency to decide who calls whom and which systems are restored first. The BSI first-aid document for IT security incidents is a good foundation, but every company needs a tailored plan with clear roles, communication channels, and escalation levels. A tabletop exercise should take place at least once a year, in which management works through a ransomware attack – including the question of whether payment would be made and under what circumstances. This decision has to be made before the attack, not under time pressure at three o’clock in the morning.
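The exfiltration check in measure 4 can be reduced to a baseline-and-threshold rule over per-host egress volume: sum what each host sends to external addresses per day and alert when a day exceeds both an absolute floor and a multiple of that host's own median. The following Python is an added illustration, not code from the article or from any NDR/DLP product; the flow records, hosts, RFC 5737 destination addresses, the 5x-median ratio and the 1 GB floor are all constructed assumptions.

```python
# Added illustrative detector; not code from the article, Südwestfalen-IT, Continental
# or any NDR/DLP product. Flow records, hosts, addresses and thresholds are constructed.
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import median

INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed flows (day, source, destination, bytes): one host with stable egress that
# suddenly sends 9 GB out, one flat host. Destinations are RFC 5737 placeholder addresses.
SAMPLE_FLOWS = [
    ("2022-07-01", "10.0.5.23", "10.0.1.10", 2_000_000_000),  # internal, not egress
    ("2022-07-01", "10.0.5.23", "203.0.113.8", 150_000_000),
    ("2022-07-02", "10.0.5.23", "203.0.113.8", 120_000_000),
    ("2022-07-03", "10.0.5.23", "203.0.113.8", 140_000_000),
    ("2022-07-04", "10.0.5.23", "198.51.100.77", 130_000_000),
    ("2022-07-05", "10.0.5.23", "198.51.100.77", 9_000_000_000),
    ("2022-07-01", "10.0.7.4", "203.0.113.8", 50_000_000),
    ("2022-07-02", "10.0.7.4", "203.0.113.8", 55_000_000),
    ("2022-07-03", "10.0.7.4", "203.0.113.8", 48_000_000),
    ("2022-07-04", "10.0.7.4", "203.0.113.8", 52_000_000),
]

def is_external(addr: str) -> bool:
    return not any(ip_address(addr) in net for net in INTERNAL_NETS)

def daily_egress(flows):
    """Sum bytes leaving the internal network, keyed by (host, day)."""
    totals = defaultdict(int)
    for day, src, dst, nbytes in flows:
        if is_external(dst):
            totals[(src, day)] += nbytes
    return totals

def flag_egress_anomalies(flows, min_history=3, ratio=5.0, floor_bytes=1_000_000_000):
    """Flag a host/day whose egress exceeds both an absolute floor and `ratio` times
    the median of that host's earlier days. Returns (host, day, bytes, baseline)."""
    per_host = defaultdict(dict)
    for (host, day), nbytes in daily_egress(flows).items():
        per_host[host][day] = nbytes
    alerts = []
    for host, days in per_host.items():
        history = []
        for day in sorted(days):  # ISO dates sort chronologically
            if len(history) >= min_history:
                baseline = median(history)
                if days[day] > max(floor_bytes, ratio * baseline):
                    alerts.append((host, day, days[day], baseline))
            history.append(days[day])
    return alerts
```

Calling flag_egress_anomalies(SAMPLE_FLOWS) returns a single alert for the 9 GB day and nothing for the flat host. In practice the ratio and floor are tuned to the organisation's own baseline and the input comes from the NDR or flow-export layer.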

Frequently asked questions

How often do German companies pay ransomware ransoms?

According to Sophos State of Ransomware 2024, 42 percent of affected German companies pay; globally, the figure is 56 percent. The Bitkom survey puts the figure at 12 percent (basis: all companies, not just those attacked). The payment rate in Germany has been falling for several years.

What does ransomware cost German companies?

According to Sophos, average recovery costs are around 1.6 million euros (excluding ransom). Total damage caused by cybercrime in Germany amounts to 178.6 billion euros per year (Bitkom 2024). 31 percent of companies report direct ransomware damage.

Why do German companies pay less often than companies in other countries?

Four factors: the clear BSI/BKA recommendation against payment, the GDPR reporting obligation (which makes concealment pointless), restrictive cyber insurance conditions, and a stronger backup culture shaped by BSI IT-Grundschutz and ISO 27001.

What does NIS2 require for ransomware protection?

Immutable encrypted backups, network segmentation, MFA for administrative accounts, risk analysis, supply chain security, management training, and a 24-hour reporting obligation for incidents. These obligations have applied without a transition period since December 2025.

Does cyber insurance cover ransom payments in Germany?

To a limited extent. Only 25 percent of German cyber insurers pay ransoms without restrictions. 56 percent impose sublimits or conditions. BaFin reports that ransom payments by insurers overall were only in the low double-digit million-euro range (2020-2022).

Featured image source: Pexels / Brett Sayles (px:5480781)

Tobias Massow


A magazine by Evernine Media GmbH