Nearly 70% of ransomware victims surveyed by IBM said they paid between $10K and $40K to retrieve their data.
A new IBM report on the economics of ransomware should give cybercriminals plenty to cheer about this holiday season.
The report is based on a survey of over 1,000 US adults and 600 business executives from small, medium, and large firms. One in two of the respondents said their organization had been the victim of a ransomware attack in the last year. About 70% of those hit said they paid ransoms ranging from $10,000 to $40,000 to get their data back.
Six out of 10 respondents said they’d be willing to do the same to recover data in a similar situation. Some 25% professed their willingness to shell out between $20,000 and $50,000 if it would help them regain access to locked data like financial and customer data, intellectual property, and business plans.
Somewhat unsurprisingly given the nature of the data involved, businesses tended to be slightly more willing to pay ransom money than consumers. When consumers were asked how they would respond to a ransomware extortion attempt, one in two said they would be unwilling to pay.
That number, however, dropped slightly when individuals were asked about their willingness to pay to get specific types of data back. For instance, 54% indicated they would give money to get financial data back, while 55% said they’d do the same in situations where personally valuable data like family photos are involved. Parents in general tended to be more willing to accede to a ransom demand compared to those without children.
IBM's findings highlight the success that cybercriminals appear to be having with ransomware and helps explains why the threat has grown so rapidly this year.
A report from Intel Security’s McAfee Labs this week shows that the number of ransomware samples at the end of the third quarter of 2016 totaled around 3.9 million, an 80% increase from the beginning of this year.
In addition to the sharp increase in volume, ransomware samples also got progressively more sophisticated through the year and exhibited a variety of destructive behaviors including partial and full disk encryption, website encryption and use of exploit kits for delivery, the McAfee report noted.
According to IBM’s X-Force group, which conducted the research, ransomware accounted for a staggering 40% of all spam emails this year. It estimates that criminals are on track to make close to $1 billion this year from ransomware. The estimate is based on an FBI report earlier this year about criminals making nearly $210 million from ransomware in the first quarter.
Limor Kessem, executive security advisor for IBM Security, says some of the survey findings were surprising. The high percentage of business that said they had actually paid when they got attacked, for instance, was unexpected, Kessem says.
“Seventy percent is rather alarming and could be indicative of a very dire need to overhaul incident response,” she says. Equally surprising was the relatively high ransom amounts they paid and their willingness to do so if they had to deal with a ransomware attack.
The massive increase in ransomware-laden spam was also unexpected and points to the growing popularity of the tool among criminals.
“Payment definitely encourages attackers and feeds back into financing their schemes,” she says. Law enforcement has been unanimous in advocating against paying criminals, she notes. So some have chosen alternate routes like reporting ransomware incidents to law enforcement, attempting to resolve the attacks with professional help or negotiating down the ransom amounts.
“Paying is an option that many people have taken. Often, it’s in cases where no other option can be found, but in no way is it encouraged or recommended,” she says.