How Much Do Businesses Pay for Stolen Data?

One day early this year, employees at a hospital in Hollywood found their computers completely unusable. The hospital’s system had been taken over by malware, forcing doctors and nurses to resort to pen and paper to register new patients and keep records. The cyberattack came with a digital ransom note: Pay $17,000 in Bitcoins, an unidentified hacker demanded, or consider the data gone forever.

After a little more than a week, the hospital paid up. “The quickest and most efficient way to restore our systems and administrative functions was to pay the ransom and obtain the decryption key,” the hospital’s CEO said at the time. “In the best interest of restoring normal operations, we did this.”

The hospital’s price tag may seem high, but paying thousands to unlock ransomed data is actually quite common.

Last week, IBM released the results of a survey that looked at people’s attitudes toward ransomware. Among 600 U.S. business executives, nearly half said they’d experienced attacks. And fully 70 percent of those who’d been attacked said they paid to get their data back.

Compared to the ransoms those companies paid, the Hollywood hospital’s payment wasn’t remarkable: 45 percent of companies that paid ransoms coughed up more than $20,000 to get their files back, and 20 percent paid hackers more than $40,000.

Businesses’ drive to retrieve their data after a ransomware attack makes them a soft target for hackers looking to make a quick buck, or ten thousand. Unlike individual computer users, whom IBM found are generally willing to give up data in order to avoid paying, losing data can cost a company a lot of money. Compared to the prospect of losing hundreds of thousands of dollars worth of data, a $20,000 payment seems pretty worthwhile.

The FBI warns against paying for ransomed data—partly because there’s no guarantee that the cybercriminal who broke into a computer network will follow through on their promise, and partly because paying up encourages hackers to keep hitting more targets. But paying a ransom for one’s own data isn’t illegal, and there’s often a strong incentive to do anything that might restore valuable databases.

Tougher defenses, better-educated employees, and secure data backups might put a dent in the rising tide of malware that tries to extract money from its victims. “Ransomware won’t change until we do,” wrote Limor Kessem, the lead author of the IBM report. It’s easy enough for an unskilled hacker to deploy ransomware—and hard enough for law enforcement to track perpetrators—that making the attacks less worthwhile may be the only thing that will slow them down.