Ransomware payouts ‘heading for $1bn a year’

If you’ve ever wondered how ransomware payoffs can be soaring towards the billion-dollar mark in 2016, consider these formidable new findings from IBM: 46% of the executives it surveyed have encountered ransomware in the workplace, and of that group, “70% have paid to get data back”.

Do the math: that means some 32% of all executives in IBM’s survey have already paid a ransom to cybercriminals. Paid up how much? We’re not talking a bitcoin or two:

  • 20% paid more than $40,000
  • 25% paid $20,000-$40,000
  • 11% paid $10,000-$20,000

Far more executives in mid-sized (57%) and large (53%) companies said they’d had personal experience with ransomware attacks; only 29% of executives from companies with fewer than 100 employees said so. As company size grew, awareness of ransomware did as well – and so did concern about data loss and willingness to take precautions. For example, 74% of large companies blocked access to at least some websites, compared with 56% of smaller companies; 58% provided IT security training to employees, compared with just 30% of smaller companies.

Roughly 60% of executives said they’d pay up if ransomware attackers prevented them from accessing any of the following: financial, customer, sales or HR records; corporate email; intellectual property; corporate cloud systems, business plans, R&D plans or source code. “Overall, 25% of business executives said, depending upon the data type, they would be willing to pay between $20,000 and $50,000 to get access back to data” – which is roughly in line with what IBM’s survey says earlier business victims have already been paying.

IBM’s findings on the ubiquity of ransomware attacks aren’t too dissimilar from separate research reports released earlier in the year by Malwarebytes, and by the specialty data breach insurer Beazley. According to Insurance Journal, “Beazley’s clients were the targets of more attacks in July and August of 2016… than in all of 2015… Beazley projects it will respond to four times as many ransomware attacks in 2016 as it did last year.”

While Beazley’s research found smaller payoffs than IBM’s, the insurer noted that costs don’t end with the ransom: companies “must often also pay for an extensive review of their systems and data to ensure that the malware has been removed and data is clean”.

If you’re thinking that some folks are beginning to think of payoffs as a nearly inevitable “cost of doing business,” you’re not alone. That aligns perfectly with another phenomenon we’ve noticed: organizations who haven’t been hit yet, but are setting up bitcoin accounts “just in case”.

Back in June, Professional Security Magazine reported on a survey wherein Citrix found that “a third of UK companies are now building a ready stockpile of digital currency (for example, Bitcoin) in case of ransomware attack.” Over 35% of large firms Citrix surveyed were “willing to pay over £50,000 to regain access to important intellectual property or business-critical data”.

Such payoff prep isn’t limited to ransomware: in October, the Guardian reported that “several of London’s largest banks are looking to stockpile bitcoins in order to pay off cyber criminals who threaten to bring down their critical IT systems” via massive DDoS attacks. It quoted Dr Simon Moores, chair of the annual international e-Crime Congress: “From a purely pragmatic perspective, financial institutions are now exploring the need to maintain stocks of bitcoin [should they] become the target of a high-intensity attack…”

We won’t be the first to observe that a demonstrated willingness to pay criminals sometimes attracts attacks like bears to honey. But rather than be forced to pay out, it’s much better to take all the steps you can to stop getting hit in the first place.