Security Experts: 40 Percent of Companies Will Pay the Ransom

Thirty-nine percent of enterprises were hit by ransomware last year, according to new figures from Osterman research commissioned by endpoint security firm Malwarebytes. Of those, 40% paid the attackers in order to retrieve their data. These statistics come from a new survey designed to explore the effect of ransomware on business: The State of Ransomware.

540 CISOs, CIOs and IT directors from companies with an average of 5400 employees in the US, Canada, UK and Germany took part. Given their critical reliance on IT, the worst affected sectors were healthcare and financial services. But what really stands out from this research is the variation between nations. For example, 54% of organizations in the UK were impacted by ransomware last year, while only 16% were impacted in Germany.


One reason for the disparity may be differing levels of confidence, in different regions, that encrypted files can be recovered. Although Europol is attempting to coordinate decryption possibilities through its 'nomoreransom' website, the most common perception remains that once infected, it is unlikely that files can be recovered without the attackers' decryption key. "Some strains are known to have flaws that enable victims to break the encryption," commented Mikael Albrecht, a security expert with F-Secure, "but most do not."

The figures also show that the UK is harder hit than the US, and takes longer to recover. "Fifty-eight percent of organizations in the U.S. were able to limit the spread to fewer than one percent of the endpoints. At the other end of the spectrum, 10 percent of the organizations we surveyed in the United Kingdom experienced ransomware spreading to every endpoint on the network."

It is tempting to wonder if these figures suggest that US companies are better prepared for ransomware attacks than their UK counterparts. Albrecht wouldn't conjecture. "How openly are companies reporting incidents? This is an area that is very hard to measure scientifically and any presented numbers should be taken with a grain of salt."

Other security specialists tend to agree. Independent expert Graham Cluley commented, "I suspect most companies hit by ransomware (whether they were able to deal with it themselves, or by paying) would not rush to announce what had happened, so the statistics may be unreliable." ESET senior research fellow David Harley added, "I wonder how much we can trust any statistics in this area: by the nature of the problem, we’re not going to get full disclosure from affected companies."

According to the Malwarebytes survey, 75% of Canadian organizations chose to pay, 58% of UK organizations did so, and 22% of German companies did -- but just 3% of US organizations chose to pay up. This is all the more surprising given the disparity in advice from European and US law enforcement. A Europol spokesperson recently told SecurityWeek, "We firmly believe in the Don't Pay advice because by paying you are supporting criminal activity."

"Well, it's what they have to say," commented Luis Corrons, technical director at PandaLabs. But he added, "Big companies usually have backups -- they might decide to pay because sometimes it may be easier or even cheaper to pay the ransom. Small companies are a different story; when all your data has been encrypted and you do not have a proper backup, not paying could translate into closing your business."

Nevertheless, there is evident support among the experts for Europol's position. "Security researchers work hard to identify all the flaws they can and then create decryptors for victims – which often work," said Jerome Segura, Lead Malware Intelligence Analyst at Malwarebytes. "Of course, that isn’t 100 percent guaranteed but by bringing experts and resources together, there will be more decryption keys available – and that’s a good thing."

In the US, FBI advice is less equivocal: "it's up to individual companies to decide for themselves the best way to proceed. That is, either revert to backup systems, contact a security professional, or pay." It appears from the Malwarebytes figures that organizations do not necessarily follow official advice.

"You can’t blame people – or companies – for preferring paying up to economic suicide," said ESET's Harley, "any more than you can blame them for giving their wallets to people who threaten them with knives. In fact, since we’re talking about corporates rather than individuals, it might be seen as being more responsible to pay up rather than destroy the livelihoods of all staff, including those right at the bottom of the hierarchy who are generally less likely than the Board of Directors to survive the damage to their finances."

The Malwarebytes survey is fascinating as much for the questions it poses as for the answers it provides. Why is there so much disparity between the different geographic regions? Why is the UK worse affected than the US, and why can the US recover more swiftly? Is it down to different attack groups and methods, or to different national attitudes towards security?

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.