Study finds 70% of US firms paid ransomware criminals
IBM Security announced yesterday results from a US study that found that 70 per cent of businesses infected with ransomware paid a ransom to regain access to business data and systems.
In comparison, more than 50 per cent of consumers surveyed said they would not pay to regain access to personal data or devices apart from for access to financial data.
Ransomware is an extortion technique used by cybercriminals where data on computers and other devices is encrypted and held for ransom until a specified amount of money is paid.
The IBM X-Force study, “Ransomware: How Consumers and Businesses Value Their Data”, surveyed 600 business leaders and more than 1,000 consumers in the United States to determine the value placed on different types of data. Some key findings from consumers include the following.
Ransomware was one of the leading cybersecurity threats in 2016, with the US Federal Bureau of Investigation estimating that in the first three months of this year, cybercriminals made a reported US$209 million (Bt7.2 billion).
This would put criminals on pace to make nearly $1 billion in 2016 from their use of the malware. In fact, according to IBM X-Force research, ransomware made up nearly 40 per cent of all spam e-mails sent in 2016, demonstrating a significant increase in the spread of the extortion tool.
Demonstrating ransomware’s success with businesses, nearly half of business executives surveyed have experienced ransomware attacks in the workplace. The study found 70 per cent of these executives said their company had paid to resolve the attack, with half of those paying more than $10,000 and 20 per cent paying more than $40,000.
As part of the survey, nearly 60 per cent of all business executives indicated they would be willing to pay ransom to recover data. The data types they were willing to pay for included financial records, customer records, intellectual property and business plans.
Overall, 25 per cent of business executives said that depending on the data type, they would be willing to pay between $20,000 and $50,000 to get access back to data.
Small businesses remain a ripe target for ransomware.
Only 29 per cent of small businesses surveyed have experience with ransomware attacks, compared with 57 per cent of medium-size businesses. While cybercriminals may not view these businesses as offering a big payday, a lack of training on workplace information-technology security best practices can make them vulnerable.
The study found that only 30 per cent of small businesses surveyed offered security training to their employees, compared with 58 per cent of larger companies.
Half of consumers participating in the survey indicated they would be unwilling to pay a hacker to regain access to their data.
When presented with specific data types, their willingness to pay began to increase.
