New research from Infrascale, a cloud-based data protection company providing industry-leading backup and disaster recovery solutions, reports that ransomware attacks are not at all unusual in the small and medium business (SMB) community, as 46% of these businesses have been victims. And 73% of those SMBs that have been the targets of ransomware attacks actually have paid a ransom. 

Yet, more than a quarter of the total SMB survey group said they lack a plan to mitigate a ransomware attack. And nearly a fifth of the total group said they feel their organization is unprepared for a ransomware attack.

The Infrascale research is based on a survey of more than 500 C-level executives. CEOs represented 87% of the group. Almost all of the remainder was split between CIOs and CTOs.

"Ransomware is not a new phenomenon," said Russell P. Reeder, CEO of Infrascale. "However, it is surprising how many businesses are unprepared for a ransomware attack. It is shocking that during a time in which the world should be coming together in the fight against COVID-19, criminals are preying on unsuspecting people and organizations for personal - usually financial - gain. And, in many cases, these bad actors are actually benefiting. With appropriate strategies using preventative measures like internet security and education, and protection measures like data backup and disaster recovery, you should never have to worry about paying ransomware."

B2B Organizations Were More Likely Be Ransomware Targets Than B2Cs

Business-to-business (B2B) organizations were more likely to have experienced a ransomware attack than business-to-consumer (B2C) entities, according to the Infrascale survey results. Representatives from more than half (55%) of the B2Bs said they had been hit by ransomware.

But B2C organizations clearly are not immune to the ransomware risk. The research showed that more than a third (36%) of this group said they have been victims of ransomware attacks.

Adequate Time and Resources Often Stand in the Way of Ransomware Prevention Efforts

The majority of SMBs (83%) said they do feel prepared for a ransomware attack, with 10% more B2Bs (87%) expressing that sentiment than the B2C group (77%). However, 17% of the SMBs participating in the survey said they do not feel that their business is prepared for a ransomware attack.

Those SMBs that said they feel unprepared to contend with ransomware attackers indicated that time and resources are their next biggest enemies in this battle.

Almost a third (32%) of the SMBs said they simply have limited time to research ransomware mitigation solutions. The same share said their IT teams are so stretched that they feel their organizations don't have the adequate resources to address the ransomware threat.

"There's no question that the time and talent of IT professionals are at a premium today," said Reeder. "But there are many solutions, with varying levels of protection, available to help businesses address ransomware. Many qualified third parties can do much of the heavy lifting in terms of implementation and setup. That makes it easier than ever for businesses to protect themselves from ransomware and avoid rewarding criminals by paying out costly ransoms."

Ransoms Commonly Run in the Tens of Thousands of Dollars - With No Guarantees

A lack of ransomware protections is likely to cost these SMBs later. And, in some cases, SMBs may already have experienced the hassles and financial losses that ransomware creates.

The Infrascale research shows that 78% of SMBs in the B2B category already have paid a ransom in a ransomware attack. The majority of B2C SMBs (63%) said they have done the same.

More than a quarter (26%) of the SMBs that said they have never paid a ransom said they would consider doing so. Of that group, 60% said they would pay ransom to get their files back quickly. And 53% said they would pay ransom to protect their company's public image around data protection and recovery efforts.

SMBs that are open to paying ransoms might want to start saving now, as this is not an inexpensive proposition. Forty-three percent of SMBs said they have paid between $10,000 to $50,000 to ransomware attackers. Thirteen percent said they were forced to pay more than $100,000.

Paying a ransom does not guarantee that an organization will recover any or all of its data. Seventeen percent of the survey participants who said they paid ransoms to their ransomware attackers indicated they recovered only some of their organization's data.

Those That Are Still Unprepared Should Take Steps Now Toward Prevention, Education

The good news is that 72% of the SMB survey group said their organization currently has a plan in place to mitigate a ransomware attack. And the research suggests B2Bs (80%) are better prepared on this front than B2C organizations (62%).

However, 28% of SMBs said they do not have a plan to mitigate a ransomware attack. That puts these organizations - and their customers and other stakeholders - at significant risk. But these organizations can get started now to protect themselves from costly ransomware attacks.

"The best protection, of course, is prevention. And education is the key to its success," said Reeder. "If something looks nefarious, it usually is. However, criminals are becoming increasingly sophisticated at making their attacks look legitimate. And again, at a time where people are in search of information and answers, the public's fake-filters are at an all-time low.

"Next, of course, are protection strategies," Reeder added. "Picking up on a potential attack in advance is ideal to prevent it from happening. However, if an organization is compromised, near-immediate remediation is top priority - and it shouldn't be in the form of paying a ransom. With appropriate backup and disaster recovery in place prior to a compromising event, an organization can quickly restore its data or spin up its operations to restore service. And, with more investments in sophisticated tools or features such as those in Infrascale's Cloud Backup and Disaster Recovery, the point of compromise can also be pinpointed and often prevented."