IBM security researchers found that when cybercriminals seize valuable information using ransomware, if the price is right, victims will pay.
The firm's “Ransomware: How Consumers and Businesses Value Their Data” study surveyed 600 business leaders and more than 1,000 consumers in the U.S. to determine the value each placed on different types of data.
The study found that for consumers, 50 percent reported they would not pay a ransom to get their data back however, 55 percent of those surveyed who were parents would pay to get their photos back compared to 39 percent of non-parents. The study found that US$100 (£80) was the maximum price victims were willing to pay to get their information back.
When asked what type of data they would be willing to pay to get back, 54 percent indicated they would likely pay to regain to their financial data.
“When realistic scenarios were brought up, like losing access to financial records or digitised memories, they believed they would pay up to $100,” IBM Security Executive Security Advisor Limor Kessem told SC Media via emailed comments. “This estimate is pretty low considering ransomware demands can vary and go up to US$2,000 (£1600) depending on the malware and the time the victim delays in paying.”
In addition, only one third of the consumers even knew what ransomware was, even though 75 percent of respondents were convinced they could protect personal data on their PC, yet 59 percent didn't take any action to secure their endpoints or data, Kessem said.
The malware proved even more lucrative with business executives who said they would be more likely to pay a ransom to get back corporate financial records, customer records, intellectual property and business plans. The study found 70 percent of companies that were victimised by ransomware paid to resolve the incident. Of those who paid, 50 percent paid more than US$10,000 (£8000) and 20 percent paid more than $40,000 (£32,000).
“The real pain point to organisations was protecting employee-owned devices used for work (BYOD) such as tablets and smartphones,” Kessem said. “Leaders are most afraid those devices will be hacked, thereby putting the organisation at risk.”
She went on to say that business executives are less confident in their organisation's ability to protect data on personal BYOD devices used for work versus company owned devices.
The study found small businesses, in particular, were ripe targets for ransomware attacks primarily due to a lack of training on workplace IT security best practices. The study found that only 30 percent of small businesses surveyed offer security training to their employees, compared to 58 percent of larger companies.
However, size does matter when it comes to being victimised. About 29 percent of the small businesses surveyed had experienced a ransomware attack compared to 57 percent of medium size businesses, according to the report.
“Malware almost always depends on social engineering and tricking people into opening malicious attachments or clicking a link leading to a malware download,” Kessem said. “Businesses can reduce risk by providing ongoing, regular training to employees and bolster email security both via education and an email security solution.”
Kessem also noted the study revealed a 6,000 percent rise in spam carrying ransomware this year indicating that threats like this have become popular with attackers.