Ransomware costs not limited to ransoms, research shows

Ransomware costs are hard to quantify. Many companies that have been targeted and have paid the ransom avoid law enforcement and public disclosure. But financial consequences involve more than just ransoms, according to new data from the Ponemon Institute. The independent study, sponsored by Carbonite, surveyed 618 individuals in small to medium-sized companies.

Researchers found that 51% of the organizations surveyed had experienced ransomware attacks. These companies reported four ransomware attacks on average and -- among those that paid -- an average payment of $2,500 per attack. Close to half of the companies paid (48%) and slightly more did not (52%).

Respondents whose organizations opted not to pay ransoms cited several reasons: full backup of systems and data (42%), company policy not to pay ransoms (16%) and fear ransom would not result in a decryption key (15%).

But even among companies that opted out of ransoms, there was financial fallout. Other ransomware costs included investment in security technology (33%), money lost from downtime (32%) and loss of customers (32%).

According to survey respondents, ransomware infiltrated their organization through phishing and social engineering (43%) and insecure or spoofed websites (30%), malvertising (15%) and social media (8%).

More than half (55%) of respondents said that the compromised devices were used for personal and business use. Compromised devices also infected other devices on the network (42%) and the cloud (21%), the survey showed.

While 53% of those surveyed indicated that their organization would pay a ransom if sensitive data was at risk, 57% indicated that they thought their organization was too small to be a target of ransomware attacks. Only 46% considered prevention of ransomware (and ransomware costs) a high priority, according to the Ponemon report.