The first week of January, my daughter called to say she couldn’t get into her college website to make changes to her spring schedule. Assuming servers were probably struggling to keep up with increased traffic, I told her to keep trying. However, it soon became apparent what the issue was. An email arrived from the college stating they were a victim of a malicious cyber-attack that disrupted computer, online, email, and voice mail systems. They also explained that after consulting with outside experts and law enforcement they decided to pay a ransom of $28,000 in bitcoin. Once the criminals received the payment, a ‘key’ was delivered and the college started the lengthy process of ‘unlocking’ hundreds of thousands of files. It took more than a week for all their systems to get back to normal.
It surprised me that ransomware had hit so close to home, but it shouldn’t have. According to CNN, in 2016, the FBI estimated that ransomware would be a $1 billion a year crime. I wondered who else had been touched by ransomware? With RSA Conference 2017, the world’s largest security conference approaching, I had an opportunity to find out. We surveyed 170 cyber security professionals at the conference in San Francisco about ransomware and its impact on their business. Here’s what they had to say.
Ransomware Survey Results
Thirty-two percent said their company had experienced a ransomware incident (Figure 1). And much like the attack at the college, 11 percent said it took longer than a week to regain access to their systems after the attack (Figure 2).
Figure 1: Percent of companies that have been impacted by a ransomware incident.
Figure 2: Length of time that organizations hit by a ransomware attack were unable to provide system access to customers and employees.
More than half (59 percent) of those surveyed said that the cost of downtime due to lack of access to systems for customers and employees was the biggest business impact of a ransomware attack (Figure 3).
Figure 3: Impact of ransomware on the business. 96% of organizations experienced some amount of negative business impact.
Twenty-nine percent said that if their company suffered a ransomware attack which resulted in downtime, they would be losing between $5,000 and $20,000 a day. Twenty-seven percent thought that the amount could be over $20,000 a day (Figure 4).
Figure 4: Estimated cost of downtime due to a ransomware attack.
While talking with Imperva chief product strategist, Terry Ray about the effects of ransomware, he noted, “Whether companies choose to pay the extortion or not, the real cost of ransomware is downtime and lost productivity. “Even if victims have backup files or are willing to pay the ransom, the cost associated with productivity downtime adds up quickly. What’s more, the availability of ransomware-as-a-service, combined with high profits for the attackers, means ransomware attacks are likely to escalate in 2017.”
When asked the hypothetical question, “Would you pay the ransom?”, nearly 80 percent of those surveyed said no. Yet, it makes you wonder, what would the cyber security pros actually do if the ransomware demand popped up on one of their computers? Obviously, my daughter’s college chose to pay. But who knows how much the incident cost them overall once they factored in downtime.
The best protection is to avoid being infected by ransomware in the first place. For more information on prevention, read the Insider’s Guide to Defeating Ransomware. Slides of the survey results can be viewed here.