Ransomware is as bad as ever, with companies continuing to pay for their data even though defensive measures are improving, finds a recent IBM security study.
The fight against ransomware continues, but it’s unclear how much progress is being made.
Ransomware is the security insider’s term for remote computer hijacking where files are encrypted until money is paid. IBM said this week that nearly a third of respondents in its recent industry survey still aren’t familiar with the term, even though ransomware malware began spreading through floppy disks as early as 1989.
“Seventy percent of businesses that were hit by ransomware actually ended up paying. That surprised me because I would expect businesses to have backups,” said Limor Kessem, an IBM security expert who authored the report. Businesses are most likely to pay the ransom for financial data in the range of $10,000 to $50,000, she added.
Not even backup data is foolproof, Kessem observed. Sometimes backup data is encrypted by the malware, it’s too old to contain recent important data, or it would simply take longer to restore than the business could wait, she noted.
Amazon, Europol, Intel, and Kaspersky Lab collaborate on an online ransomware decryption project called No More Ransom; Bitdefender, Check Point, Emsisoft, and Trend Micro recently joined them. But there are occasions when making an electronic ransom payment is poor decision making, not necessarily poor technology execution. “Companies don’t always have an incident response plan in place. They don’t always practice and prepare for this scenario,” Kessem said. IBM subsidiary Resilient Systems released a program called Dynamic Playbook to help companies with such planning.
Kessem, in her report, also noted: “According to U.S. government statistics, ransomware attacks quadrupled in 2016, with an average of 4,000 attacks per day. The [Federal Bureau of Investigation] reported that in just the first three months of 2016, more than $209 million in ransomware payments have been made in the United States—a dramatic 771 percent increase over a reported $24 million for the whole of 2015. The FBI estimates ransomware is on pace to be a $1 billion dollar source of income for cybercriminals this year.”
The FBI urges ransomware victims to report the crime. “While ransomware infection statistics are often highlighted in the media and by computer security companies, it has been challenging for the FBI to ascertain the true number of ransomware victims as many infections go unreported to law enforcement,” the bureau said in a report this fall. “Victims may not report to law enforcement for a number of reasons, including concerns over not knowing where and to whom to report; not feeling their loss warrants law enforcement attention; concerns over privacy, business reputation, or regulatory data breach reporting requirements; or embarrassment. Additionally, those who resolve the issue internally either by paying the ransom or by restoring their files from back-ups may not feel a need to contact law enforcement.”
Moreover, the FBI noted, there’s no guarantee that ransomware thieves will return your data after you pay.
Much like Kevin Mitnick’s perspective on phishing, any individual or company can become a ransomware victim and have no choice. But has it ever happened at Big Blue? “I am glad to say no,” Kessem said. “Not that we are aware of,” another IBMer emphasized.