The vast majority of companies hit by ransomware attacks were able to stop the attacks by either preventing the malware from getting to their files, by successfully decrypting the files, or by restoring the files from backups, according to a report released today.
In a Vanson Bourne survey of 500 cybersecurity decision makers conducted last month, 48 percent said their organizations had been hit by at least one ransomware attack in the last 12 months, with the average victim hit six times.
In 27 percent of the cases, the attacker couldn't encrypt any files. In 45 of the attacks, some files were encrypted, but the companies were able to decrypt them on their own. In 25 percent of the cases, the company was able to replace the encrypted files from backups.
Only in 3 percent of the cases were the companies unable to restore the encrypted files.
Paying the ransom usually solved the problem, but the attackers often came back to ask for more money first, said Jeremiah Grossman, chief of security strategy at SentinelOne, which sponsored the report.
And for companies, the amounts the attackers asked for were significantly higher than for home computers.
Grossman warned that the sample size was very small, but of the 10 respondents who answered the question about how much they paid, most said that the total was between $37,000 and $49,000.
By comparison, home users typically spend between $500 and $2,000 on a ransomware payments, based on other surveys, he said.
But attackers typically ask for the lower amounts in indiscriminate, wide-spread attacks, he said.
"Now the attacks seem to be targeted," he said. "The bad guys are going after more money."
The ransomware is also getting more sophisticated.
In some ransomware, the key used to encrypt the files is the same as the key that decrypts them, and is embedded in the malware. Another mistake that hackers sometimes make is using the same key for all their ransomware infections, so once one victim pays and gets the key, all other victims can then use the key to decrypt their files.
"I personally think that era, the era of unlockers, is short lived," Grossman said. "Some of the bad guys are still in amateur mode but we can expect the malware families to grow in sophistication and effectiveness. The bad guys will move almost universally to asynchronous encryption."
That's where one key is used to encrypt the files, and a different key is used to decrypt them.
More of the ransomware will also use different keys for each victim, he added.
"Every time you pay a ransom, you embolden the bad guys and give them resources," he said. "So you'll expect to see more ransomware, and more research and development going into ransomware to make it more effective."
This summer, SentinelOne, which makes endpoint protection products, offered a ransomware guarantee of up to $1 million per enterprise -- and $1,000 per infected endpoint -- if the ransomware gets past their security product.
But the $1,000 amount was based on earlier data, mostly of home user infections, Grossman said.
That amount might be raised, he said, since attackers are asking for higher amounts from corporate victims.
So far, he added, SentinelOne hasn't had to make any payouts to its customers.
"But the program is only three or four months old," he added. "It takes time to explain it to customers. We expect to have some payouts in the future -- there just hasn't been enough time for those to come in yet."