British firms paid more than £200m in ransoms last year

British firms paid the sixth-highest total ransom amount to attackers last year, after the USA, Italy, Germany, Spain and France

British firms were hit by nearly 5,000 ransomware attacks last year, forcing them to pay out nearly £210 million in ransoms to cyber criminals, according to the US cyber security firm Emsisoft. The company says that organisations are now showing 'more willingness' to pay ransoms due to fears of public embarrassment, lost data and potential penalties from regulators.

Emsisoft estimates that cybercriminals who use ransomware as a tool for making money are now making approximately £19 billion annually from the practice worldwide. Some of them are so successful in the trade they have started posting job listings on the Dark Web.

Most of the ransoms British firms paid in 2019 were in the form of cryptocurrencies, which are usually difficult to trace to individuals. In many cases, the crooks who received the money were based in Russia and Eastern Europe.

The UK was sixth in the list of countries paying out most ransoms to cyber criminals. The US topped the list (paying $1.3 billion to hackers), followed by Italy, Germany, Spain and France in that order.

The revelation has come at the time when British MPs have been demanding stricter laws against the payment of ransoms. Paying a ransom is not illegal in the UK, unless it is linked to terrorism.

"It should be illegal. Companies are just being irresponsible in paying these people off," former cabinet minister David Davis told The Times.

Last month, US cloud computing provider Blackbaud publically disclosed that it had paid a ransom to hackers following a data breach that affected dozens of customers, including British universities and other institutions.

The company said that it paid the ransom after the hackers promised they would destroy all stolen data.

Last year, the FBI advised organisations and individuals not to pay ransoms to hackers in exchange for decryption keys. The agency said that paying a ransom encourages criminals to target more people.

Emsisoft said that the number of successful ransomware attacks on public sector entities decreased month-over-month between January and April 2020, as the COVID-19 crisis worsened. However, there is a reversal in the trend now and the number of such incidents has again started to rise.

In the US, at least 128 federal and state entities, educational institutions and healthcare providers were impacted by ransomware during the first and second quarter of 2020.

"2020 need not be a repeat of 2019," said Fabian Wosar, CTO, Emsisoft.

"Proper levels of investment in people, processes and IT would result in significantly fewer ransomware incidents and those incidents which did occur would be less severe, less disruptive and less costly," he added.