When hit with ransomware, most businesses pay up

A recent study from IBM Security suggests nearly 70 percent of business victims paid hackers to recover data compromised in a ransomware attack.
Written by Natalie Gagliordi, Contributor

Since 2013, the use of ransomware -- malware that encrypts and scrambles data, allowing hackers to demand payment for the key -- has been steadily on the rise. In fact, a new study from IBM Security suggests the tactic increased 6,000 percent this year compared with 2015, with roughly 40 percent of all spam emails containing ransomware.

For businesses, ransomware extortion has skyrocketed as cyberattackers grow less selective with their targets and more opportunistic. While the FBI urges victims to not pay ransoms and instead contact law enforcement, IBM found that nearly 70 percent of business victims paid hackers to recover data. Out of those businesses, 50 percent paid more than $10,000 and 20 percent paid more than $40,000.

The result is nearly $1 billion in extorted income for cybercriminals, according to IBM.

"The digitization of memories, financial information and trade secrets require a renewed vigilance to protect it from extortion schemes like ransomware," wrote Limor Kessem, executive security advisor at IBM Security. "Cybercriminals are taking advantage of our reliance on devices and digital data creating pressure points that test our willingness to lose precious memories or financial security."

As part of the survey, IBM also found nearly 60 percent of all business executives admit a willingness to pay ransom to recover data, particularly if the data involves financial records, customer records, intellectual property and business plans. Overall, 25 percent of business executives said they'd be likely to pay between $20,000 and $50,000 to regain access to their corporate data.

The ransomware attack rate for small businesses is much lower than for mid-size businesses and enterprises, but small businesses remain a vulnerable target. IBM found that just 29 percent of small businesses have experience with ransomware attacks and only 30 percent offer security training to their employees.

