According to NBC, the FBI projected ransomware payments to hit a billion dollars in 2016 (note that statistics seem to be hard to find, so I don’t know whether the FBI thinks that number was actually reached). In 2015, they said the number was $24 million. That is a bit of a growth curve – 41x growth in one year. And they expect it to get worse this year.
One reason it is getting worse is that kids can buy pre-built ransomware kits online. Those don’t require a whole lot of skill to deploy.
Symantec says that in a survey they conducted, 64% of the respondents said that they paid the ransom.
According to an IBM study, 70% of business respondents said that they paid the ransom. Half said that they paid more than $10,000 and 20% said that they paid more than $40,000. That’s pretty scary.
In a study conducted by Spiceworks for Bitdefender, an anti-malware software vendor, we get even more statistics. According to Spiceworks:
- One in five small and medium businesses was hit by a ransomware attack in the last 12 months
- Of those targeted, 38% paid the ransom
- The average ransom was a little over $2,400
- Less than 45% of the respondents got their data back
- 65% were able to mitigate the attack by restoring from backups
While I wouldn’t swear by any of these statistics, they certainly indicate a problem.
It used to be that the story was that hackers gave people back their data because they didn’t want people to think that it was a scam and not be willing to pay up. If word got out that even if you paid, you didn’t get your data back, most people would not pay. Apparently that rule has changed.
Individuals are not a great target for ransomers because they won’t pay very much, and large businesses have good defenses and also good backups. That means that the best target might be SMBs.
So, if you run a small to medium size business, now is the time to make sure that you can weather a ransomware storm. Make sure that you have backups, preferably multiple generations of backups, because you might not discover the infection for a few days or more.
Make sure that you actively train your users on an ongoing basis to not fall for ransomware scams.
If you have a requirement for availability – that is, your customers depend on your systems to be operational – then you need to make sure that you can meet those availability requirements even if you get hit with a ransomware attack.
Plan in advance. Document your plan. Test your plan. Then hope you never have to use it. Unfortunately, if statistics are any indication, you may have to use it sooner than you planned.