Ransomware gangs have been targeting businesses in the last few months, seeking bigger paydays than what they can extract from consumers. The plan has been highly successful, according to new data, which shows that 70 percent of businesses infected with ransomware have paid the ransom to get their data back.
Researchers at IBM Security’s X-Force surveyed executives at 600 businesses of all sizes and found that organizations hit with ransomware are choosing to pay out at a high rate. The data shows that 20 percent of compromised organizations have paid ransoms of more than $40,000, and 25 percent have paid between $20,000 and $40,000. Those numbers are far higher than what consumers typically pay, which is usually in the range of $500-$1,000, depending on the ransomware variant.
When targeting enterprises, ransomware gangs are aiming to paralyze organizations by encrypting financial records, customer databases, sales data, and other vital information. In the last year or so, a number of organizations have been hit with serious ransomware infections, including hospitals, universities, and others. Most recently, the San Francisco Municipal Transportation Authority was hit with a ransomware attack over Thanksgiving weekend, crippling desktops inside the agency and forcing officials to turn off fare gates and ticket machines.
“Cybercriminals using ransomware may fund multiple criminal enterprises.”
Getting the malware into these organizations isn’t as difficult as you might think, and is often done with a single email.
“In their attacks on networks, ransomware operators look for the servers that keep the company running and encrypt those pivotal resources rather than encrypting endpoints across the entire company,” the IBM ransomware report says.
“The point of entry is usually a phishing email with a malicious attachment, sent to an employee’s email inbox. In most cases, the attachment is a Microsoft Office document that will prompt the victim to activate macros. Clicking the macros activation button often comes as second nature to users who just want to make the alert at the top of the document disappear. The malware executes as soon as the user allows the macros to run. Ransomware can also come through any other attachment, or via exploit kits that facilitate infection without any special action by the user.”
The amount of money that enterprises have paid to get their data back shouldn’t come as too much of a surprise considering the alternative. Some organizations, such as SFMTA, have gone public with their ransomware infections and let customers and the public know what they were dealing with. But many others keep the compromises under wraps to avoid public humiliation and the loss of customer confidence. IBM’s survey data shows that 29 percent of executives at large businesses would pay more than $50,000 to financial records back, and 24 percent would pay that amount to recover sales records.
Law enforcement agencies, including the FBI, and security experts advise ransomware victims not to pay, for a number of reasons. First, there’s no guarantee that the attacker will hand over the decryption key, and second, the profits from ransomware help fund other cybercrime operations.
“Geographic safe havens and the low probability of apprehension embolden those who carry out ransomware attacks. Cybercriminals using ransomware may fund multiple criminal enterprises, from cybercrime gangs to organized crime networks to terror organizations. Cybercriminal enterprises would prefer every ransomware attack to result in financial gain, and individual cybercriminals believe this will be the case,” Limor Kessem, the author of the IBM report, says.