Most Businesses Pay Ransomware Demands, IBM Finds (eweek.com) 69
According to an IBM Security report released on December 14, 70 percent of businesses impacted by ransomware end up paying the attackers. The amount varies but a majority of business respondents said they paid tens of thousands of dollars. eWeek reports: The 23-page IBM Security study surveyed 600 business leaders and 1,021 consumers in the U.S. 46 percent of business respondents reported that they had experienced ransomware in their organizations. Of the 46 percent that have been impacted by ransomware, 70 percent admitted that their organization paid the ransom. The amount paid to ransomware attackers varies, but of those business respondents that paid a ransom, 20 percent paid over $40,000, 25 percent paid between $20,000 and $40,000 and 11 percent paid between $10,00 to $20,000. On the consumer side, IBM's study found that the propensity to pay a ransom varies depending on whether or not the victim is a parent. 55 percent of consumers that identified themselves as being parents said they would pay a ransom to recover access to photos that had been encrypted, versus only 39 percent for consumers that don't have children. In an effort to help organizations respond quickly to ransomware threats, IBM's Resilient Incident Response Platform (IRP) is being enhanced with a new Dynamic Playbook for ransomware. Ted Julian, Vice President of Product Management and Co-Founder at Resilient, an IBM Company, explained that the basic idea behind the Dynamic Playbooks is to help provide organizations with an automated workflow or 'playbook' for how to deal with a particular security incident.
The unwritten part of the headline... (Score:5, Insightful)
Most companies dont have a backup regimen.
Re:The unwritten part of the headline... (Score:5, Interesting)
They paid . . . and immediately implemented more secure and more reliable backups, combined with updating all software (where possible) to latest and greatest available versions. Also, they paperweighted the vast majority of their servers with McAfee's product turned up to "insanely secure" - which is how they discovered that the bad guys had left multiple back doors in place so they could try again. I'll wager they're still trying to make sense of it all.
Re: (Score:2)
Oh, that's so annoying. Can make the systems run so slow that it's effective in thwarting the bad guys by making them fall asleep waiting for servers to respond. "Snorecurity". It's almost comparable to powering everything off. They won't hack a server with no power.
Security: A, Productivity: F
Makes me almost miss the good ol' days with VAX's, 2400 baud modems, and Commodore 64's. Wimpy hardware,
Re: (Score:2)
Oh, that's so annoying. Can make the systems run so slow that it's effective in thwarting the bad guys by making them fall asleep
1995 called. They want their your out-of-date stereotypes about security software back.
Re: (Score:2)
We must be running 1995 McAfee then.
Re: (Score:2)
Most of the businesses I'm familiar with struggle to this day with performance issues related to security software. You might notice that security breaches are commonplace despite all the wasted CPU cycles and read/writes. I honestly can't fathom why you'd be so dismissive of an issue that is costing many many millions of dollars in wasted power consumpt
Re: (Score:2)
They have McAfee, now they are secure for ever!
Re: (Score:3, Insightful)
Most companies dont have a backup regimen.
It would be more appropriate to say "Most companies don't have a disaster recovery plan" and/or don't test it out which is actually the most important part of a disaster recovery plan.
The problem with paying extortion [wikipedia.org] demands and ransomeware demands are extortion, only encourages these criminals to go after more lucrative targets with more sophisticated attack methods especially when their targets are willing to pay and pass on their incompetent loss of money to their customers or shareholders.
Re: (Score:2)
extortion, only encourages these criminals to go after more lucrative targets
That is not necessarily a bad thing. Many security breaches result in spam botnets or customer data leaks, that harm people not that were not responsible. The nice thing about ransomware is that the cost of bad security lands directly in the lap of the people that can actually do something about it.
Re: (Score:3)
...don't have a backup regimen, and use Microsoft Operating Systems.
Perfect storm.
Re:The unwritten part of the headline... (Score:4, Interesting)
This actually is exactly what happened to a friend recently. They're running a lot of Linux servers, but as they were doing some sort of changes they were temporarily moving data from the linux machines to windows environment which got ransomwared and they got screwed. They have backups, but they're not up to date.
To my knowledge they have no intention of paying the ransom.
This is a perfect example of management having their heads up their asses. It's not that they don't have competent people who'd be more than willing to improve backups and general security (in fact the friend in question working as a systems analyst has been whining ever since he joined the company that their security is way too lax), it's that the upper management does not seem to care because they do not perceive the risks involved correctly.
As someone from a management background education-wise I believe this is incredibly incompetent leadership. The whole reason companies hire experts is (or should be) that you listen to the feedback of said experts. If the guy most in-tune with your systems is telling you for a couple years that you're essentially begging to get screwed over, ignoring his warnings and prioritizing cutting costs is something that should get you fired. Unfortunately this is a case where the manager in question has known the founder of the company for who knows how long, so he pretty much has a permanent position due to nepotism, and right now it's costing them a lot of money, customers and also competent people (my friend is currently looking for new job, and I can't blame him).
Re: (Score:2)
"This is a perfect example of management having their heads up their asses."
Yes, it probably is.
"As someone from a management background education-wise I believe this is incredibly incompetent leadership"
Humm... but not so sure about that.
On one hand, from a purely business PoV, maybe having their proverbial IT asses wide open has been a net positive given what they have saved all this time in both direct and indirect costs and also costs of opportunity. What if I lose 100000$ to a hacker if all this time
Re: (Score:2)
They do indeed say that, but it is not exactly as straightforward. It can be argued that the raw up-front cost of securing the system is more expensive than the work you have to do to recreate lost data, though certainly this is not always the case.
But the problem is that this hypothetical damage to the company from such a hack is really
Re: (Score:2)
"If they would come up with solid math taking into consideration the projected indirect effects on future sales and brand, then maybe I'd give them a pass."
I, of course, see your point, but playing devil's advocate, see what you do: you ask for a financial analysis (that you yourself accepted to be very difficult to do, if not impossible) on a non-expenditure while you don't ask for it on an expenditure. Does it even make sense?
I mean, you didn't ask for an investment analysis on security (adding controls,
The one "good" thing about the hijackers (Score:5, Interesting)
with ransomware is if you pay the ransom, they unlock your data.
It seems weird to say it is a business, but as long as the criminals don't screw over the victims, the victims know they can pay and not lose anything.
Re: (Score:1)
Paying ransom should be a felony.
The crooks would love that. They'd get your ransom and then they could extort more money from you so they don't tell the cops you paid the random.
Re: (Score:2)
Your idea should only apply to you.
Re: (Score:2)
Paying ransom should be a felony.
You want to put people in prison for being the victim of a serious crime? Sounds a little harsh.
And stupid.
Re: (Score:2)
Actually the term Ransomware [wikipedia.org] is also known as Cyberextortion which is a criminal offence so if you as a CEO of a firm give in to extortion demands you are effectively guilty of Collusion [wikipedia.org] which is a criminal offence and if convicted can result in incarceration although in many cases just having the payment being made public is punishment enough since Customers and Shareholders alike don't like their money being used to pay criminals..
Actually, no. Not at all.
Re: (Score:3)
If nobody paid, the problem would solve itself.
Sure. But as long as we are discussing totally unworkable fantasies, I would also like to point out that if no one had unprotected sex, we could eliminate STDs, and if all the armies in the world disbanded, we would have world peace.
In the meantime, wear a condom, do backups.
Re: (Score:2)
That's only because the amount that the terrorists demand for the same return of their captives is normally beyond the means of the captives families, and obviously the government doesn't generally give much of a damn about them, so they don't pay. If Terrorists did what the ransomware guys do, which is to price the ransom at the level of the "families" (being companies, in this case, obviously) can afford, and to automatically catch large numbers of "victims" (data, since this is a computer situation), in
Re: (Score:2)
Maybe not so fantastical. Recently, the Prime Minister of Canada had to stand up and explain the government's stance on paying ransom. Two or three Canadians had been held for ransom and just been executed by terrorists in Indonesia (I think) because he didn't pay the ransom and wouldn't help the families pay it either. He said that paying ransom would just be putting a target on all Canadians overseas. He is against any country paying ransom but, of course, he only makes the rules for one.
I would have been more impressed if he instead paid the ransom amount as a bounty for the kidnapper's heads.
Re: (Score:2)
Making it unmeasureable because the victims don't dare report it does not make it go away. In fact, it makes is easier to commit the crime, by far.
Is that your goal? To make it easier to get away with that sort of criminal act? Do you have some personal interest in making it easier and safer to be a criminal? Do you have some vested personal interest in keeping the authorities from knowing about such crimes?
Re: (Score:2)
You are an idiot. And a psychopath, who should be put into a cage, and left there. Forever. Subhuman animals like you are precisely the sort who run that kind of criminal enterprise.
Re: (Score:2)
You are an idiot, and precisely the sort of subhuman psychopath who runs that kind of criminal enterprise. You belong in a cage, like an animal, forever.
Re: (Score:2)
Paying ransom should be a felony.
You want to put people in prison for being the victim of a serious crime? Sounds a little harsh.
And stupid.
Why? The DoJ does it to suspects all the time.
Re: (Score:3)
Paying ransom should be a felony.
That would just force it underground by disincentivizing victims from reporting the crime, and make it even harder for law enforcement to catch the crooks. Not every problem is a nail that needs to be hammered.
Re: (Score:2)
Paying ransom should be a felony.
That would just force it underground by disincentivizing victims from reporting the crime, and make it even harder for law enforcement to catch the crooks. Not every problem is a nail that needs to be hammered.
It is touching that you believe law enforcement has any interest in catching the ransomers.
Re: (Score:2)
Re: (Score:2)
Some of them actually have shockingly good customer service. They will be very patent and courteous, and one ransomware application even included a tech support ticketing system...
It makes sense. Unlike a government charted corporation, they have to rely on their reputation for repeat customers. They cannot rely on rent seeking enforced by the government.
Re: (Score:1)
I saw nothing in TFA that indicated the success rate of recovery for those who pay.
Re: (Score:2)
Actually, it's one where failure collapses the entire business model. Because right now the criminals are offering LOTS of support - they know the people may not know what bitcoin is so they will walk people through how to getting the payment down on the phone, even offering discounts and such.
Because they know the only way people will pay is if they trust th
I paid the money (Score:4, Funny)
But then I realized that I could have just downloaded the same porn again for free. I asked for my money back and the ransomers said no.
Re: (Score:1)
But the models get uglier every day unless you pay. (Hmmm, a marriage simulator?)
Re: Headline on eWeek article is wrong (Score:1)
It (Score:3, Interesting)
Re: (Score:1)
The ransomers were threatening to release all of their clients' data, so the executives all got together and paid it amongst themselves, hushing up the whole thing in the process.
So here we have lawyers getting together and contributing out of their own pocket to pay the ransomers rather than taking the money out of company funds. In the eyes of the average person this could be considered commendable however in lawyer speak this is Collusion [wikipedia.org] and is a criminal offence.
The next month the company's IT budget had quadrupled, so there's a happy ending.
So in this case, two wrongs made a right although you do have to ask if the IT department was doing its job properly in the first place since one of the first things any competent IT manager should do (besides findi
Re: (Score:1)
One could suppose that the ransoming was carried out by the IT department with the end goal of having their budget increased. Where money exploitations are concerned though, conspiracy theories abound.
So you get to be screwed or really screwed (Score:2)
Re: It (Score:2)
Re: (Score:2)
The next month the company's IT budget had quadrupled, so there's a happy ending.
Was the quadrupled IT budget used to pay back the executives? Wouldn't ransomwear expenses be part of the IT budget anyway?
*sigh* (Score:3)
> In an effort to help organizations respond quickly to
> ransomware threats, IBM's Resilient Incident
> Response Platform (IRP) is being enhanced with a
> new Dynamic Playbook for ransomware.
Here's my playbook:
Step 1: Have backups.
Step 2: Set up backups so they don't blindly overwrite good old data with newly-encrypted data.
We got infected once. (Score:1)
We got infected once on a computer in the IT support department. So the user had had a bit more access that the regular user which ment that more files got encrypted.
People with full administrative access however, are not given that through their regular user account.
But we were running snapshots every hour on all drives so we decided to roll back to before the infection. The whole problem were resolved fairly quickly in a few hours.
We discovered the problem before finding the user so we put all shares offl
Once you pay the Dane-geld ... (Score:1)
... you never get rid of the Dane.
Rudyard Kipling, referring to the warrior/terrorist-Danes of a millennium or so ago, not the Danes of the early-20th century.
Oblg. (Score:2)
Total Cost of Ownership (Score:2)
I wonder if those companies factor that into their total cost of running Windows.
Business: "So, Windows licensing for our organization is $25,000 this year. Our Windows liability extortion costs due to Windows insecurity are $40,000 this year, and an extra $15,000 a year for security software that pretends to plug Windows' massive blunders."
Microsoft: "So, can we tell the press that your total cost of ownership for Windows is twenty dollars?"
Business: "WTF?!"
Microsoft: "Here's a cool twenty dollar bill if
Wat? (Score:2)