American businesses are being hit by ransomware at an unprecedented rate — and execs are far more likely to be targeted.
A new study looked at 540 companies with a combined 3 million employees in the U.S., Canada, Germany and the UK. Nearly 40% of the businesses had been hit by ransomware over the last year. Ransomware encrypts computer files and keeps them locked until money is paid.
“For this sizable a group to say they have been impacted, this has spread like wildfire,” said Marcin Kleczynski, whose company Malwarebytes makes anti-malware software and sponsored the study.
Whereas individuals have traditionally been the primary targets, “criminals woke up and realized they can make more money hitting businesses,” he said.
The impact has been significant.
“Small to medium businesses are really being hurt from this,” says Adam Meyers, VP of Intelligence at cybersecurity firm CrowdStrike. The criminals “start a timer and if you don’t pay, the ransom demand goes up.”
The majority of ransom demands range from a few hundred to a few thousand dollars with several companies paying upwards of $10,000 or more. The survey found cybercriminals demanded $150,000 from about 1% of those attacked. Most companies will not confirm what they paid or even if they paid for fear it could hurt their business if people find out data has been compromised.
The surge in attacks is due in part to the easy accessibility of ransomware on the Dark Web — there are more than 100 different types, according to Symantec, a cybersecurity firm that has seen a dramatic increase in attacks on companies consistent with the new findings. Criminals with little knowledge of computers are buying the malware and getting into the extortion game.
Even if you do pay, the proliferation of hackers means you remain vulnerable. “Just because you paid one gang, doesn’t mean another won’t go after you,” said Kleczynski.
Malwarebytes surveyed companies with as few as five and as many as 70,000 employees between June 2015 to June 2016. Of those affected, 30% say they lost revenue. 20% said they had to temporarily shut down.
Email was the primary means of attack, with 46% of computers infected by employees unwittingly clicking on a bogus email attachment or a malicious link.
Nearly 70% of the infected computers, laptops servers belonged to C-Suite executives and upper managers who are most likely to have sensitive and confidential files. Nearly 80% of the U.S. organizations breached had high-value data held for ransom.
“They are banking on the fact that people do not have recent back-ups of their computer and so they’ll have to pay to retrieve their files,” says Michael Osterman, whose firm Osterman Research conducted the survey. “It’s worth it to senior executives to pay $500-$1,000 dollars.”
According to the study, companies in healthcare and financial services were hit most often, followed by those in the manufacturing sector and government agencies like police departments.
“Doctors’ offices, hospitals, and other organizations have critical data for people’s health and safety,” says Meyers of CrowdStrike. “They’re the ones who are going to be the softest targets.”