AKINOBU IWASAWA, NAOKI WATANABE and TADATSUGU SHIMAZU, Nikkei staff writers
TOKYO — As ransomware attacks grow increasingly frequent, more than half of the targeted organizations in seven major markets have made payments, according to a recent survey.
Roughly 2,400 out of 3,600 companies and organizations surveyed by U.S. cybersecurity specialist Proofpoint faced a ransomware attack in 2020, with 52% paying the attacker in the hopes of restoring access to data. American entities paid in 87% of cases, followed by British and German concerns at 59% and 54%, respectively. A third of Japanese targets made payments.
In high-profile attacks this May on Colonial Pipeline, a major pipeline operator on the U.S. East Coast, and Brazilian meat supplier JBS, both companies acknowledged making ransomware payments. The growing severity of such attacks, affecting the targets’ ability to operate, is a factor in the decision.
No Japanese company has disclosed a ransomware payment to date.
“A payment that materially affects the business would trigger a disclosure requirement,” says Nobuhiko Kato, a partner at Ernst & Young ShinNihon. “But smaller amounts can be handled as non-operating expenses, so they wouldn’t be noticed from the outside.”
Kenji Uesugi, chief researcher at the Japan Cybersecurity Innovation Committee, points out that “many of the payments may be made by unlisted small and midsize enterprises.”
The size of ransomware payouts continues to increase. Payments averaged more than $312,000 globally in 2020, roughly tripling from the year before, according to American cybersecurity company Palo Alto Networks.
Companies targeted in ransomware attacks face sensitive decisions, such as consulting specialists.
“If a company pays without assessing the scale of damage or the ability to recover without a payment, management may be found in violation of their duty of care,” says Hiroaki Yamaoka, a legal expert in cyber matters.
Payments without due consideration encourage more ransomware threats, fostering conditions for cyberterrorism. Companies face the task of maintaining the latest cyberdefenses while taking such steps as timely reporting to the authorities and sharing information with industry trade groups.