Information Security

Defending the digital infrastructure


Ransomware costs not limited to ransoms, research shows

The financial fallout from ransomware involves more than bitcoins, one study found. Targeted companies invest in security technology and fear loss of reputation and customers.

Ransomware costs are hard to quantify. Many companies that have been targeted and have paid the ransom avoid law enforcement and public disclosure. But financial consequences involve more than just ransoms, according to new data from the Ponemon Institute. The independent study, sponsored by Carbonite, surveyed 618 individuals in small to medium-sized companies.

Ransoms paid versus not paid

Researchers found that 51% of the organizations surveyed had experienced ransomware attacks. These companies reported four ransomware attacks on average and -- among those that paid -- an average payment of $2,500 per attack. Close to half of the companies paid (48%) and slightly more did not (52%).

Respondents whose organizations opted not to pay ransoms cited several reasons: full backup of systems and data (42%), company policy not to pay ransoms (16%) and fear that paying the ransom would not result in a decryption key (15%).

But even among companies that opted out of ransoms, there was financial fallout. Other ransomware costs included investment in security technology (33%), money lost from downtime (32%) and loss of customers (32%).

According to survey respondents, ransomware infiltrated their organizations through phishing and social engineering (43%), insecure or spoofed websites (30%), malvertising (15%) and social media (8%).

More than half (55%) of respondents said that the compromised devices were used for both personal and business purposes. Compromised devices also infected other devices on the network (42%) and the cloud (21%), the survey showed.

While 53% of those surveyed indicated that their organization would pay a ransom if sensitive data was at risk, 57% indicated that they thought their organization was too small to be a target of ransomware attacks. Only 46% considered prevention of ransomware (and ransomware costs) a high priority, according to the Ponemon report.  


This was last published in March 2017
