Ransomware: 70% of businesses attacked pay, IBM study finds

Despite law enforcement agencies telling businesses to stop paying the ransom, cybercriminals are expected to earn more than $1 billion from ransomware campaigns in the coming year.
By Jessica Davis
07:19 AM

Seventy percent of businesses hit by ransomware paid the hackers to regain access to systems and data, according to IBM X-Force’s Ransomware report.

Of those attacked, 20 percent paid over $40,000 to retrieve data, while more than half paid more than $10,000.

Nearly 60 percent of business leaders said they would be willing to pay the ransom to regain access to financial records, intellectual property, business plans and consumer data, the report found. And depending on the data type, they’re willing to pay between $20,000 and $50,000 to get their data back.

Ransomware made up 40 percent of spam emails sent in 2016, another IBM X-Force report found. In fact, one in two business executives reported they have experienced a ransomware attack at the workplace.

Law enforcement agencies and many security leaders encourage organizations to not pay the ransom. But unlocking the data in the healthcare setting is crucial to keeping patients safe - so hospitals pay up.

But the only way to thwart ransomware is to stop feeding the system, said Fabian Wosar, chief technology officer for Emsisoft, an anti-malware vendor. Every time a ransom is paid, it fuels the cybercriminals’ activities.

“Backups are the most cost-effective way to prevent ransomware,” Wosar said. “It may still get attacked, but the files can be reimaged. While it may be expensive and organizations may lose a day of work, it’s the only way to ensure the data is still there after an attack.”

IBM researchers determined financial returns on ransomware are expected to grow to over $1 billion for cybercriminals in the next year, which means these types of extortion attempts will continue to expand.

Organization size often dictates preparedness - small to medium businesses are less prepared for a data attack than larger businesses. And medium to large organizations are more likely to have taken action in the last three months to protect data.

Further, 74 percent of large organizations require employees to regularly change passwords, versus 56 percent of small companies. And only 30 percent of small organizations offer IT security training.

Despite these numbers, about 66 percent of the report’s respondents are generally worried about hackers compromising data.

“Cybercriminals have no boundaries when it comes to their targets,” Limor Kessem, executive security advisor for IBM Security, said in a statement. “The digitization of memories, financial information and trade secrets require a renewed vigilance to protect it from extortion schemes like ransomware.” 

Twitter: @JessieFDavis
Email the writer: jessica.davis@himssmedia.com

