1. Valuing Data in the Age of Ransomware
BUSINESS AND CONSUMER PERCEPTIONS OF DIGITAL EXTORTION
Limor S Kessem
June 2016
Executive Security Advisor
IBM Security
2. Agenda
• What is Ransomware?
• Consumer Perceptions and Experience
• Business Perceptions and Willingness to Pay
• How to Respond to a Ransomware Attack
3. How Did This Even Start?! The Major Milestones
• 1989: The AIDS Trojan
• 2005: Misleading Apps
• 2008: Fake AV
• 2011: Lockers, “Police Trojans”
• 2013: Cryptolockers, Drive by Download
• 2013: Android Ransomware
7. Consumers are confident in their ability to protect computers and mobile devices but aren’t necessarily taking action to do so
Overall, consumers are confident that they can protect personal data on their devices
• 75% are confident they can protect data on a personal computer
• 67% are confident they can protect data on a mobile device
BUT
6 in 10 have not taken action in the past three months to protect their devices from being hacked
8. Those taking preventative action are in the minority; avoiding risky attachments is most common preventative action
4 in 10 have taken action in the past three months to protect their devices from being hacked
• 71% avoided opening suspicious attachments/links in emails/texts
• 59% change their passwords regularly
• 48% avoided using or logging into public Wi-Fi access points
9. Mobile devices and laptops most important devices to protect, also two most feared for data hacks
IMPORTANCE OF PROTECTING DEVICES FROM DATA HACKS (scale: LESS to MORE)
• 60% laptop
• 64% mobile
• 47% desktop
• 32% modem
• 29% tablet
• 28% home security system
• 5% wearable device
• 8% car navigation
• 10% home devices
• 16% home wifi camera
Survey questions:
2. Which of the following PERSONAL or HOME electronic devices (whether you use one or not), do you think are most important for people to protect from being hacked? Please select the THREE you think are the most important.
6. Generally, how afraid are you that your data will be held for ransom, or access will be blocked on a…
10. “Value” of data differs slightly with financial records worth the most
Regardless of data type, roughly 37% would pay over $100 to get data back
Willing to pay $500 or more
8% 20%
Financial Info
Gaming data
Passwords
Music
Personal emails
Browser history
14%
Social network data
Online purchase data
DVR Data
Mobile phone data
Other digital photos
Family digital photos
Personal computer access
Health records
11. Consumers: Say they won’t pay, then pay ninefold that amount
• Over half of consumers would be unwilling to give a hacker money in order to get their data back
• Of those who would pay, they generally are not willing to pay more than $100
• Consumers are most willing to pay for financial data, with a slim majority of 59% indicating they would likely pay
Reality Check:
• $900: Average ransomware demand, per current day ransomware variants in the wild
• 41%: Success rate boasted by CryptoLocker (University of Kent research)
12. Average Ransomware Fee Can Be Rather High
1 BTC = ~ $900 US
• Cerber: 1 – 2 BTC
• Petya: 1.3 BTC
• Locky: 1 - 2 BTC
• Popcorn Time: 1 BTC
• CTB-Locker: 3 BTC
• 7ev3n-HONE$T: $5,000
13. Consumer response in the event of a data attack varies
• Friends/family members are consistently ranked among the top-2 sources a consumer would go to in the event of a data attack
• Police topped the list in the case of a home computer (25%) being hacked but was less likely for the other cases
• In general consumers are extremely likely (88%) to turn to someone for help if data is stolen from one of their devices
• If data is stolen from a smart TV consumers are more likely to go to a local electronic store (24%)
• If data is stolen from a work/school computer consumers are most likely to turn to their work IT department (40%)
15. Business executives are aware of ransomware but lack deeper knowledge
3 in 5 Business Executives have heard of ransomware
BUT
1 in 5 are very knowledgeable about the topic
62% of those who work for larger sized companies have heard of ransomware.
VS
55% of those who work for smaller sized companies
16. SBs are less “data attack” prepared than larger businesses
Large companies
• 74% of large companies require employees to regularly change passwords
• 74% of large companies block some websites from being used in the workplace
• 58% of large companies offer training on workplace IT security
Small companies
• 56% of small companies require employees to regularly change passwords
• 56% of small companies block some websites from being used in the workplace
• Only 30% of small companies offer training on workplace IT security
Taken action in past three months to protect electronic data
• 53% of SBs
• 77% of medium sized companies
• 76% of large companies
17. The majority of executives worry about corporate data hacks
63% of Business Executives Worry About Data Hacks
Business Executives are most concerned about financial data being hacked
• 72% worry about financial records
• 68% worry about email servers/systems
• 66% worry about customer and sales records
• 65% worry about cloud system access
Less confidence in ability to protect employee vs company owned devices: -13% pts.
18. Business Executives willing to pay ransom for data recovery
Regardless of data type, roughly 60% of BEs would pay something to get data back from hackers
• 62% Financial Records
• 62% Customer & Sales Records
• 61% Corporate Email System/Server
• 60% Intellectual Property
• 60% HR Records
• 60% Corporate Cloud System
• 58% Business Plans
• 58% R&D Plans
19. “Value” of data differs slightly with financial records worth the most
Regardless of data type, roughly 25% would pay $20,000-$50,000 to get data back
Willing to pay $50K or more
15%
9%
Financial Records
Business Plans
R&D Source Code
IP
Corp Email/Cloud
HR Records
12%
Customer and Sales Records
20. The Larger Companies Experienced Ransomware Before
Ransomware Experience
• 29% of those who work at smaller companies have experience with ransomware attacks
• 57% of those who work at medium sized companies have experience with ransomware attacks
• 53% of those who work at large sized companies have experience with ransomware attacks
21. Previous ransomware experience fairly common; generally willing to pay to resolve
• Nearly one in two business executives have experience with ransomware attacks in the workplace
• Of those with experience, 7 in 10 paid to resolve the hack
• Over half of those paid over $10,000…20% paid over $40K
22. Responding to an attack: while many companies have taken protective measures, most know they would benefit from expert consultation
7 in 10 respondents stated their company has taken action to protect its electronic data from being hacked
The most useful resources in preventing a hack
• 58% stated best practices to protect data security were the most useful
• 56% stated security expert consultants are the most useful
24. This is a People Problem
• Blanket user education: from receptionist to CEO
• Launch high visibility, company-wide awareness campaigns
• Train C-level executives
• Talk to board level stakeholders
• Use planned phishing campaigns to learn what your users need to know most
25. Read the full IBM Ransomware guide to learn more
• Visit the Ransomware landing page to review the infographic and register to receive the client engagement guide
• Visit ibm.com/security/services to learn how IBM Security Services can help protect your organization
26. Preparation
IBM’s Ransomware Response Guide is largely occupied by the Preparation phase of the Incident Lifecycle.
Once the organization has been hit by ransomware, few options remain.
Sources: NIST 800-61R2, IBM’s Ransomware Response Guide