The cost of ransomware
In 2016, ransomware was on track to be a $1 billion business, even though the FBI recommends victims not pay their attackers but contact law enforcement instead. However, according to an IBM Security report released on December 14, 2016, 70 percent of businesses impacted by ransomware end up paying the attackers. The amount varies but shockingly, a majority of business respondents said they paid tens of thousands of dollars last year.
According to the detailed 23-page report, the IBM Security study surveyed 600 business leaders and 1,021 consumers in the U.S. with the following results:
- 46% of business respondents reported that they had experienced ransomware in their organizations.
- Of the 46% that had been impacted by ransomware, 70% admitted that their organization paid the ransom.
- The amount paid to ransomware attackers varies, but of those business respondents that paid a ransom, 20% paid over $40,000, 25% paid between $20,000 and $40,000, and 11% paid between $10,000 and $20,000.
To pay or not to pay?
So the big question usually left unanswered in technical discussions of ransomware is, “Should you pay?” For many companies, the figures simply represent a reasonable amount to pay in order to get potentially sensitive data back from the attackers. However, more often than not this can backfire: once attackers realize they can extort money from a particular company, they may attack it repeatedly, demanding payment each time. Additionally, according to FBI Cyber Division Assistant Director James Trainor, paying a ransom doesn’t guarantee you’ll get your data back. Many times organizations never received a decryption key even after the ransom was paid.
So… What’s a company to do?
The most important thing you can do to avoid being in a ransomware situation is to take precautions today! Examples of precautionary measures include creating backups, installing proactive anti-virus, and setting up web and email filtering, so that you never end up in a position where you need to pay.
If you do fall victim, then before you pay you must first consider the sensitivity of your data, your profile, and the sophistication of the attacker, since low sophistication in the attacker’s communication could mean low quality of encryption. This is a modern problem in malware, combining both sophisticated and basic tactics, and people are still falling prey despite the fact that there are fairly straightforward methods to avoid becoming a victim.
Under what circumstances should a company pay a ransom? How does your company plan to respond to cyberattacks if they fall victim? Share your opinions and thoughts below!