If you’ve ever wondered how ransomware payoffs can be soaring towards the billion-dollar mark in 2016, consider these formidable new findings from IBM: 46% of the executives it surveyed have encountered ransomware in the workplace, and of that group, “70% have paid to get data back”.
Do the math: that means some 32% of all executives in IBM’s survey have already paid ransoms to cybercriminals. Paid up how much? We’re not talking a bitcoin or two:
- 20% paid more than $40,000
- 25% paid $20,000-$40,000
- 11% paid $10,000-$20,000
Far more executives in mid-sized (57%) and large (53%) companies said they’d had personal experience with ransomware attacks; only 29% of executives from companies with fewer than 100 employees said so. As company size grew, awareness of ransomware did as well – and so did concern about data loss and willingness to take precautions. For example, 74% of large companies blocked access to at least some websites, compared with 56% of smaller companies; 58% provided IT security training to employees, compared with just 30% of smaller companies.
Roughly 60% of executives said they’d pay up if ransomware attackers prevented them from accessing any of the following: financial, customer, sales or HR records; corporate email; intellectual property; corporate cloud systems, business plans, R&D plans or source code. “Overall, 25% of business executives said, depending upon the data type, they would be willing to pay between $20,000 and $50,000 to get access back to data” – which is roughly in line with what IBM’s survey says earlier business victims have already been paying.
IBM’s findings on the ubiquity of ransomware attacks aren’t too dissimilar from separate research reports released earlier in the year by Malwarebytes, and by the specialty data breach insurer Beazley. According to Insurance Journal, “Beazley’s clients were the targets of more attacks in July and August of 2016… than in all of 2015… Beazley projects it will respond to four times as many ransomware attacks in 2016 as it did last year.”
While Beazley’s research found smaller payoffs than IBM’s, the insurer noted that costs don’t end with the ransom: companies “must often also pay for an extensive review of their systems and data to ensure that the malware has been removed and data is clean”.
If you’re thinking that some folks are beginning to think of payoffs as a nearly inevitable “cost of doing business,” you’re not alone. That aligns perfectly with another phenomenon we’ve noticed: organizations who haven’t been hit yet, but are setting up bitcoin accounts “just in case”.
Back in June, Professional Security Magazine reported on a survey wherein Citrix found that “a third of UK companies are now building a ready stockpile of digital currency (for example, Bitcoin) in case of ransomware attack”. Over 35% of large firms Citrix surveyed were “willing to pay over £50,000 to regain access to important intellectual property or business-critical data”.
Such payoff prep isn’t limited to ransomware: in October, the Guardian reported that “several of London’s largest banks are looking to stockpile bitcoins in order to pay off cyber criminals who threaten to bring down their critical IT systems” via massive DDoS attacks. It quoted Dr Simon Moores, chair of the annual international e-Crime Congress: “From a purely pragmatic perspective, financial institutions are now exploring the need to maintain stocks of bitcoin [should they] become the target of a high-intensity attack…”
We won’t be the first to observe that a demonstrated willingness to pay criminals sometimes attracts attacks like bears to honey. But rather than be forced to pay out, it’s much better to take all the steps you can to stop getting hit in the first place.
Those numbers would indicate that a lot of companies aren’t doing daily backups. A scenario like: company gets ransomware, files get encrypted, everyone shocked, committee meeting, create Bitcoin wallet, find someplace that will take your check for Bitcoins within the 72 hour window, pay ransom, get key, unencrypt files. I don’t see how that’s easier, or cheaper, than just doing daily backups and having security precautions in place.
At first, I had this thought too about companies not having proper backup or DR. But I could imagine the real situation for a company attacked by ransomware is far more complex and difficult to restore.
Let’s take a hypothesis: the ransomware attack is not just a matter of “files” or data; it renders all servers and workstations and laptops (and probably network-attached backups) not working at all. What this means is that the IT department should have enough manpower to “resurrect” the servers and then users’ machines (workstations and laptops) for the company to operate as usual. I think it’s not difficult to understand that a company, no matter whether it’s a large corporation or a small business, will have an overwhelming task in doing so. A large corporation will have a lot of servers and user machines to handle, while a small business will have limited resources / manpower.
Hence, at least to me, restoring from a ransomware attack is far more complex than I thought. 🙁
I did the math and cannot see the evidence for the conclusions. The number of surveyed companies does not represent a common scenario and is too biased. If from the 600 companies 200 claimed to have paid, and 40 more than 40K, then clearly this is not representing an average. I see that some companies try to get back to normal by risking the payment (they are better off playing lotto), but can’t see any reason to believe that this would work (or why they should not try it again). Without counts of false positives or unsuccessful payments there is no reason to believe the money will reach anyone able to undo the encryption. All I can get out of the report is that IBM did not receive enough feedback from their customers (or don’t have enough customers) to come up with better counts.
PS: the email counts are not right as well. If we look at a volume increase of 100-200% we cannot count 10-40% of all as ransomware SPAM. This is most likely representing the catch success by updating the pattern file.
There also may be a telling correlation in the paying percentage of executives who had time to answer trivial surveys from the same desks where they traipsed around the Internet looking for ransomware.
The fact that ransomware is easily created and signatures are rendered ineffective once a bit is changed makes it increasingly difficult to defend against. A good way to defend against it is heavy user awareness of what to look for. Preventative instead of corrective action is favorable.
The bottom line of this is that there is a need for more regular user awareness training on how ransomware can find its way into the network.