I have warned about the Cryptolocker ransomware before, but now we have some hard numbers about the percentage of people that are forced to pay up when a workstation or server has been infected.
This type of file ransom has been an incredibly effective way for cyber criminals to make boatloads of money, and other gangs are following their bad example. They are making hundreds of millions of dollars with relative ease. And how much is this costing the average company that gets infected?
A brand new survey by the University of Kent shows about 10 percent of the 1,502 respondents have been affected by Cryptolocker or similar variants, and 41 percent of those ended up paying the ransom. Other strains of this type of ransom malware scored a 30 percent pay-up ratio.
In the U.S. the average amount paid is $300, in the U.K. it's 300 pounds, and for Europe it's 300 Euros. Apparently the bad guys don't care about exchange rates. You can also pay 2 Bitcoins, if they have not already been stolen out of your wallet by another cyber gang or your Bitcoin exchange went bust. There's a new twist that was added recently: if you miss the first deadline, you get a second chance, but the price is now 10 Bitcoins, which gets very expensive.
"If the results reported on the rate of CryptoLocker victims who pay a ransom are to be strengthened by further research, these figures would be extremely troubling, netting criminals behind the ransomware hundreds of millions. This would encourage them to continue with this form of cybercrime, potentially prompting other criminal gangs to jump into an extremely profitable cybercrime market," commented Dr Julio Hernandez-Castro, one of the authors of the research.
Now, keep in mind that the Cryptolocker gang (widely assumed to be Russian mob) is fully automated and operates on an industrial scale. There are also some criminal "boutique shops" that operate on an individual company strike-force basis. An example is a Gold Coast, Australia medical practice where the hackers encrypted the patient database and asked for a relatively low amount of $4,000, which shows they have gotten smart and go for a high-volume, low-yield scheme to increase their chance of a payout.
Epidemic infections like these should really serve as a heads-up for any organization to get effective security awareness training for all employees, from the CEO down to the mailroom. In particular, organizations dealing with customer credit cards or financial data, personally identifiable information or personal health information should deploy training ASAP, because when you deal with information like this, ignorance is not an excuse.