Most Businesses Pay Ransomware Demands, IBM Finds

According to an IBM Security report released on December 14, 70 percent of businesses impacted by ransomware end up paying the attackers. The amount varies but a majority of business respondents said they paid tens of thousands of dollars. eWeek reports: The 23-page IBM Security study surveyed 600 business leaders and 1,021 consumers in the U.S. 46 percent of business respondents reported that they had experienced ransomware in their organizations. Of the 46 percent that have been impacted by ransomware, 70 percent admitted that their organization paid the ransom. The amount paid to ransomware attackers varies, but of those business respondents that paid a ransom, 20 percent paid over $40,000, 25 percent paid between $20,000 and $40,000 and 11 percent paid between $10,00 to $20,000. On the consumer side, IBM's study found that the propensity to pay a ransom varies depending on whether or not the victim is a parent. 55 percent of consumers that identified themselves as being parents said they would pay a ransom to recover access to photos that had been encrypted, versus only 39 percent for consumers that don't have children. In an effort to help organizations respond quickly to ransomware threats, IBM's Resilient Incident Response Platform (IRP) is being enhanced with a new Dynamic Playbook for ransomware. Ted Julian, Vice President of Product Management and Co-Founder at Resilient, an IBM Company, explained that the basic idea behind the Dynamic Playbooks is to help provide organizations with an automated workflow or 'playbook' for how to deal with a particular security incident.

The one "good" thing about the hijackers

[SensitiveMale]

with ransomware is if you pay the ransom, they unlock your data.

It seems weird to say it is a business, but as long as the criminals don't screw over the victims, the victims know they can pay and not lose anything.

Re:The unwritten part of the headline...

[mmell]

I worked for one that didn't pay - they had excellent backups and completely mediated the issue in under a week. I also worked for one that did pay . . . unfortunately, all they had was backups of encrypted files, so they didn't feel like they had a choice!

They paid . . . and immediately implemented more secure and more reliable backups, combined with updating all software (where possible) to latest and greatest available versions. Also, they paperweighted the vast majority of their servers with McAfee's product turned up to "insanely secure" - which is how they discovered that the bad guys had left multiple back doors in place so they could try again. I'll wager they're still trying to make sense of it all.

It

[Shepanator]

I have a close friend who works for a large law firm, they were hit with ransomware for a few million dollars. From a business sense, they had no choice but to pay it. The ransomers were threatening to release all of their clients' data, so the executives all got together and paid it amongst themselves, hushing up the whole thing in the process. If they didn't pay, their business would have been over, even if they didn't face litigation from (ex) clients they would have all left in droves. The next month the company's IT budget had quadrupled, so there's a happy ending.

Re:The unwritten part of the headline...

[Kiuas]

don't have a backup regimen, and use Microsoft Operating Systems.

This actually is exactly what happened to a friend recently. They're running a lot of Linux servers, but as they were doing some sort of changes they were temporarily moving data from the linux machines to windows environment which got ransomwared and they got screwed. They have backups, but they're not up to date.

To my knowledge they have no intention of paying the ransom.

This is a perfect example of management having their heads up their asses. It's not that they don't have competent people who'd be more than willing to improve backups and general security (in fact the friend in question working as a systems analyst has been whining ever since he joined the company that their security is way too lax), it's that the upper management does not seem to care because they do not perceive the risks involved correctly.

As someone from a management background education-wise I believe this is incredibly incompetent leadership. The whole reason companies hire experts is (or should be) that you listen to the feedback of said experts. If the guy most in-tune with your systems is telling you for a couple years that you're essentially begging to get screwed over, ignoring his warnings and prioritizing cutting costs is something that should get you fired. Unfortunately this is a case where the manager in question has known the founder of the company for who knows how long, so he pretty much has a permanent position due to nepotism, and right now it's costing them a lot of money, customers and also competent people (my friend is currently looking for new job, and I can't blame him).