Most US Businesses Will Pay After Ransomware Attack


Study finds disappointing admission that most small to medium businesses will pay up after ransomware attack

A new study from the United States has revealed a worrying admission about the actions of companies after they are struck with a ransomware attack.

More than half of executives (55 percent) at small-to-medium-sized businesses (SMBs) state they would pay hackers to recover their stolen data in ransomware attacks.

This directly contradicts the advice of nearly all security professionals, who urge firms not to pay but instead to invest the money in improving cyber defences and education, as well as ensuring that regular backups are carried out.

Ransomware payouts

The study comes from AppRiver for its quarterly ‘AppRiver Cyberthreat Index for Business Survey’.

The study was conducted in April and it surveyed 1,035 cybersecurity decision makers in SMBs (fewer than 250 employees).

The standout finding was that 55 percent of executives at SMBs said they would pay hackers in order to recover their stolen data in ransomware attacks.

But perhaps more worryingly, that number jumps to 74 percent among larger SMBs that employ 150-250 employees, with nearly 4 in 10 (39 percent) going as far as saying they “definitely would pay ransom at almost any price” to prevent their data from being leaked or lost.

That said, 45 percent of SMB leaders have stated that they would refuse to pay, regardless of the ransom amount.

Those firms that are least willing to pay for hacked data are legal services and non-profit SMBs, with 67 and 60 percent respectively saying they will not engage with cybercriminals regardless of the ransom amount or value of the stolen data.

The survey also threw up a number of other interesting findings. For example, 84 percent of all SMB executives say the use of social media apps and websites at the workplace or on a business device concerns them as a potential source of cyberthreats.

Facebook was the most concerning (77 percent) as a security risk in the workplace, but other platforms were also frowned upon at work, including Twitter (21 percent), YouTube (20 percent), Instagram (19 percent), WhatsApp (18 percent), Snapchat (15 percent), LinkedIn (13 percent) and Pinterest (3 percent).

“Cybersecurity is no longer just a technology issue; it amounts to an off-balance sheet liability being carried by every company that isn’t adequately protected,” said David Wagner, CEO of Zix Corp, which owns AppRiver. “Ransom scenarios, whether initiated through social media apps or any attack vector, have the potential to disrupt or destroy a business overnight.”

“The Q2 AppRiver Cyberthreat Index for Business Survey shows clearly that too many companies are willing to take a significant financial hit to possibly recover their data,” he added. “Our challenge as cybersecurity leaders is to help them understand how to properly invest fewer dollars on the front end and avoid the problem to start with.”

Expert advice

This sentiment about investing in cyber defences and not paying out when attacked was echoed by security experts.

“Paying criminals is never something I’d personally recommend – after all, you don’t know who you’re dealing with and whether they can be trusted,” said Gavin Millard, VP intelligence at Tenable.

“While research suggests that those that choose to pay do receive a decryption code, what is certain is that the criminal is rewarded for their efforts so encouraged to continue this scourge,” said Millard.

“Instead, the money would be better invested preventing infection in the first place and, if that’s not possible, ensuring an infection doesn’t mean game over,” he added. “Rather than a sophisticated attack, or even a zero-day exploit, ransomware typically targets just a handful of well-known vulnerabilities so the best way to stay ahead of attacks is to practice basic security hygiene.”

“Continuously identifying and patching systems with vulnerabilities favoured by the exploit kits to deliver their payload, improving inbound content filtering and educating users to identify phishing emails, implementing anti-malware controls and backing up critical files should all be considered to make it far harder for the criminals to collect their bounty,” advised Millard.

“Should the worst case happen, it’s about ensuring you can recover quickly,” he concluded. “This means identifying the data and systems that are critical for your organisation to continue to function. If they can’t be protected, ensure you have a robust non-attached backup solution that’s stored securely. Systems and data can then be restored effortlessly, meaning the business can shrug off the inconvenience and get back up and running quickly.”