British organisations were hit by nearly 5,000 ransomware attacks last year – equivalent to 14 each day – and coughed up more than £210m to hackers, fuelling concerns that victims are far more willing to hand over money than risk public embarrassment, lost data and potential penalties from regulators.
The claim, made by US cyber security firm Emsisoft, follows uproar over how cloud computing and software company Blackbaud has handled its recent ransomware incident, which affected at least 125 UK organisations, including the National Trust, the Labour Party, Crisis, Sue Ryder, and Young Minds.
Emsisoft estimates that cybercriminals who use ransomware as a tool for making money are now making approximately £19bn annually from the practice worldwide. Some of them are so successful that they have started to post job ads on the Dark Web.
Most of the ransoms British firms paid out in 2019 were settled in cryptocurrency, which can be difficult to trace to individuals. In most cases, the perpetrators were based in Eastern Europe.
The US topped the list of countries which have paid out the most to hackers, shelling out $1.3bn (£1bn), followed by Italy, Germany, Spain and France. The UK was sixth.
Last year, the FBI advised organisations and individuals not to pay ransoms to hackers in exchange for decryption keys. The agency said that paying a ransom encourages criminals to target more people.
In the US, at least 128 federal and state entities, educational institutions and healthcare providers were impacted by ransomware during the first and second quarter of 2020.
However, globally, ransomware attacks on public sector entities fell sharply between January and April this year as the Covid-19 crisis worsened, although Emsisoft offered no explanation for the drop. Even so, the number of incidents has started to rise again as lockdown has been lifted over the past few weeks.
Emsisoft chief technology officer Fabian Wosar said: “2020 need not be a repeat of 2019. Proper levels of investment in people, processes and IT would result in significantly fewer ransomware incidents and those incidents which did occur would be less severe, less disruptive and less costly.”
Back in 2018, nearly half of all UK tech bosses said they were prepared to pay a ransom fee to hackers to avoid reporting a data breach and risking a fine under GDPR, despite the potential reputational and financial damage such actions would incur.
This was despite the fact that taxi-hailing app Uber had just been hit by fines totalling nearly £900,000 after admitting it paid off hackers rather than divulge its own data breach to customers and the authorities.