Enterprises in the UK were struck by approximately 5,000 attacks using ransomware in 2019, resulting in pay-outs adding up to almost £210 million, according to experts at US-based cybersecurity company Emsisoft. The firm has commented that organisations are becoming more willing to pay requested ransoms to avoid information loss, possible penalties from data regulators and public embarrassment.
Emsisoft’s estimates indicate that hacker groups who employ ransomware as a method for acquiring funds are now making around £19 billion yearly. The firm added that some ransomware operators have had so much success in their extortion campaigns that they are now posting their own job listings on Dark Web forums.
Companies paying requested ransom demands
Research conducted by Emsisoft revealed that the majority of ransoms paid out by UK firms in 2019 were handed over in cryptocurrency. Cryptocurrencies like Bitcoin are notoriously difficult to trace, making them a preferred choice for ransomware operators when receiving payment. Emsisoft’s findings also suggest that many of the cybercriminals receiving ransoms from UK companies were located across eastern Europe and Russia.
Out of the security firm’s list of nations conceding to ransom demands, the UK was rated sixth. The US ranked highest on the list, paying a total of $1.3 billion to operators, with Italy second and Germany third, followed by Spain and then France.
Following a recent ransomware attack that impacted dozens of software service users, including UK charities and universities, US firm Blackbaud disclosed it had paid out a ransom to cybercriminals. The company stated that the hackers had reassured it that if the ransom was paid, all data stolen would be destroyed.
US fitness technology brand Garmin was also recently attacked, and reportedly paid millions of dollars to hackers for a decryption key.
Opposition to firms paying ransoms
The data uncovered by Emsisoft has arrived amidst outcries from politicians in the UK demanding stricter laws on whether ransom payments may be made. Unless it is found to be linked with acts of terrorism, paying out a ransom in the UK is currently not illegal. However, not all MPs agree.
David Davis, former Cabinet Minister, told The Times newspaper:
“It should be illegal. Companies are just being irresponsible in paying these people off.”
In the USA, those hit by ransomware attacks in the first half of 2020 include around 128 state and federal entities, healthcare providers and educational institutions.
Chief Technology Officer at Emsisoft, Fabian Wosar, commented that in terms of ransomware attacks, 2020 does not need to be a repeat of 2019:
“Proper levels of investment in people, processes and IT would result in significantly fewer ransomware incidents and those incidents which did occur would be less severe, less disruptive and less costly.”
Since 2019, US-based law enforcement agencies like the FBI have been advising that institutions, organisations and individuals should never pay ransoms in return for decryption keys, stating that this course of action only encourages cybercriminals to continue operating.