More than 50 percent of small and midsized businesses have fallen victim to ransomware, and of those, 48 percent paid a ransom, according to a survey released today by Ponemon Institute and Carbonite.
The average company had four ransomware attacks last year, paid an average ransom of $2,500 per incident, and spent 42 hours dealing with the attack.
"We're nowhere near the end of the ransomware threat," said Norman Guadagno, chief evangelist at Carbonite, which provides continuous automated cloud backup services.
Of those who did not pay up, 42 percent said that having a full and accurate backup was the reason.
And only 13 percent said their preparedness to prevent ransomware was "high."
"People say, 'I know I should back up, have anti-virus, use strong passwords' -- but they don't do it," said Guadagno.
Only 46 percent of respondents said that prevention of ransomware attacks was a high priority for their company.
One reason could be that they don't think the hackers will bother with them.
According to the report, 57 percent of respondents said that their companies were too small to be a target of ransomware.
"Every business is potentially a target," he said. "If you have a computer, you're a target."
And if companies believe that the ransomware will get into their backups, making them useless, that's not true either, said Guadagno.
"Once you find out you have a ransomware infection, our team rolls back to before the point where you had the infection," he said.
If the file containing the ransomware malware was also backed up, that file is encrypted and inert, he said, and can't spread while it is stored in the cloud.
And there are processes in place to catch it so that it doesn't get restored when the infected system is cleaned out.
"Our tech support teams get all the latest tools and ensure that you're downloading a clean backup," he said.
There hasn't been a case yet of a customer getting reinfected from a bad backup, he said.
"I'm not saying that it's not a constant battle between us and them," he added. "But we feel very confident -- we've helped more than 10,000 over the past two years get their data back safely."
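The recovery flow Guadagno describes, rolling back to a snapshot taken before the infection and catching a backed-up malicious file so it is not restored, as an added Python sketch. This is illustrative code written for this article, not Carbonite's; the snapshots, file contents, timestamps and the single "known-bad" hash are all constructed, and the `.locked` extension and the `run_recovery` helper are assumptions for the example. It also covers the case the text implies but does not spell out: an operator's estimate of the infection time may be too late, so a snapshot that already contains encrypted artifacts is rejected even if it predates that estimate.

```python
"""Point-in-time rollback plus a quarantine pass before restoring.

Illustrative code, not a vendor's implementation. All sample data below is
constructed; a real deployment would take its indicator list from endpoint
protection or threat-intel tooling rather than from a literal in the script.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
import hashlib
from typing import Dict, Iterable, Optional, Set, Tuple


@dataclass(frozen=True)
class Snapshot:
    """One backup generation: when it was taken and the files it holds."""
    taken_at: datetime
    files: Dict[str, bytes]  # path -> file content


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def choose_clean_snapshot(snapshots: Iterable[Snapshot], infected_at: datetime,
                          encrypted_suffixes: Tuple[str, ...] = (".locked",)
                          ) -> Optional[Snapshot]:
    """Newest snapshot taken strictly before the estimated infection time.

    Snapshots that already carry ransomware-encrypted artifacts are skipped
    regardless of timestamp, guarding against an infection-time estimate
    that is later than the real onset. Returns None if nothing qualifies.
    """
    def looks_encrypted(s: Snapshot) -> bool:
        return any(p.endswith(encrypted_suffixes) for p in s.files)

    earlier = [s for s in snapshots
               if s.taken_at < infected_at and not looks_encrypted(s)]
    return max(earlier, key=lambda s: s.taken_at) if earlier else None


def plan_restore(snapshot: Snapshot, bad_hashes: Set[str],
                 encrypted_suffixes: Tuple[str, ...] = (".locked",)
                 ) -> Tuple[Dict[str, bytes], Dict[str, str]]:
    """Split a snapshot into files safe to restore and files to hold back.

    A file is quarantined when its hash matches a known-bad indicator (the
    dropper that was swept into a backup before anyone noticed it) or when
    it carries the extension the ransomware appends to encrypted files.
    The quarantine map records the reason for operator review.
    """
    restore: Dict[str, bytes] = {}
    quarantine: Dict[str, str] = {}
    for path, data in sorted(snapshot.files.items()):
        digest = sha256_hex(data)
        if digest in bad_hashes:
            quarantine[path] = f"known-bad hash {digest[:12]}"
        elif path.endswith(encrypted_suffixes):
            quarantine[path] = "ransomware-encrypted artifact"
        else:
            restore[path] = data
    return restore, quarantine


# --- constructed sample data (not real malware, not real indicators) --------
UTC = timezone.utc
DROPPER = b"MZ-constructed-dropper-stand-in"
KNOWN_BAD = {sha256_hex(DROPPER)}

SNAPSHOTS = [
    Snapshot(datetime(2024, 3, 1, 2, 0, tzinfo=UTC),
             {"docs/report.docx": b"Q1 draft", "docs/budget.xlsx": b"numbers"}),
    # The dropper landed on 2 March and was swept into that night's backup.
    Snapshot(datetime(2024, 3, 2, 2, 0, tzinfo=UTC),
             {"docs/report.docx": b"Q1 final", "docs/budget.xlsx": b"numbers",
              "tmp/update.exe": DROPPER}),
    # Encryption ran around 00:30 on 3 March, before that night's backup.
    Snapshot(datetime(2024, 3, 3, 2, 0, tzinfo=UTC),
             {"docs/report.docx.locked": b"\x00junk", "docs/budget.xlsx.locked": b"\x00junk",
              "tmp/update.exe": DROPPER, "README_DECRYPT.txt": b"pay us"}),
]
INFECTED_AT = datetime(2024, 3, 3, 0, 30, tzinfo=UTC)  # from encrypted-file mtimes
DETECTED_AT = datetime(2024, 3, 3, 9, 0, tzinfo=UTC)   # when staff noticed


def run_recovery(snapshots=SNAPSHOTS, infected_at=INFECTED_AT, bad_hashes=KNOWN_BAD):
    """Pick the rollback point and plan the restore; returns the details."""
    chosen = choose_clean_snapshot(snapshots, infected_at)
    if chosen is None:
        return {"snapshot": None, "restore": {}, "quarantine": {}}
    restore, quarantine = plan_restore(chosen, bad_hashes)
    return {"snapshot": chosen.taken_at, "restore": restore, "quarantine": quarantine}


if __name__ == "__main__":
    plan = run_recovery()
    print("rolling back to", plan["snapshot"].isoformat())
    for p in plan["restore"]:
        print("restore   ", p)
    for p, why in plan["quarantine"].items():
        print("quarantine", p, "-", why)
```

Run as a script it selects the 2 March snapshot, restores the two documents and holds back `tmp/update.exe`. Passing the later detection time instead of the estimated infection time gives the same result, because the 3 March snapshot is rejected on its encrypted artifacts rather than on its timestamp.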
However, losing access to their data wasn't the only potential consequence of a ransomware attack, and that is where backups fall short.
According to the survey, 55 percent of companies said they thought it was either likely or certain that the ransomware also exfiltrated data from the infected device.
"That was a stunning statistic," he said.
Businesses should not only have anti-virus in place to keep ransomware from getting in, but also train their employees to spot potential attacks.
According to the survey, only 29 percent of respondents said they were confident that their employees could detect risky links or sites.
It just goes to show that you can't even trust cybercriminals these days.
"The criminals might be saying, 'Yup, we encrypted it, pay us, you'll get it back, and everyone is happy'," Guadagno said. "But they could also be poking through the data, looking for valuable information, and exfiltrating it. It could be that the criminals are not telling us the truth."