ArrowArtboardCreated with Sketch.Title ChevronTitle ChevronIcon FacebookIcon LinkedinIcon Mail ContactPath LayerIcon MailPositive ArrowIcon PrintIcon Twitter
Technology

Ransomware payments made in half of global attacks

87% of U.S. targets paid up, against 33% in Japan, survey finds

Colonial Pipeline holding tanks in New Jersey: Ransomware attacks are becoming more frequent and seeking bigger payouts.   © Reuters

TOKYO -- As ransomware attacks grow increasingly frequent, more than half of the targeted organizations in seven major markets have made payments, according to a recent survey.

Roughly 2,400 out of 3,600 companies and organizations surveyed by U.S. cybersecurity specialist Proofpoint faced a ransomware attack in 2020, with 52% paying the attacker in the hopes of restoring access to data. American entities paid in 87% of cases, followed by 59% and 54% by British and German concerns. A third of Japanese targets made payments.

In high-profile attacks this May on Colonial Pipeline, a major pipeline operator on the U.S. East Coast, and Brazilian meat supplier JBS, both companies acknowledged making ransomware payments. The growing severity of such attacks, affecting the targets' ability to operate, is a factor in the decision.

No Japanese company has disclosed a ransomware payment to date.

"A payment that materially affects the business would trigger a disclosure requirement," says Nobuhiko Kato, a partner at Ernst & Young ShinNihon. "But smaller amounts can be handled as non-operating expenses, so they wouldn't be noticed from the outside."

Kenji Uesugi, chief researcher at the Japan Cybersecurity Innovation Committee, points out that "many of the payments may be made by unlisted small and midsize enterprises."

The size of ransomware payouts continues to increase. Payments averaged more than $312,000 globally in 2020, roughly tripling from the year before, according to American cybersecurity company Palo Alto Networks.

Companies targeted in ransomware attacks face sensitive decisions, such as consulting specialists.

"If a company pays without assessing the scale of damage or the ability to recover without a payment, management may be found in violation of their duty of care," says Hiroaki Yamaoka, a legal expert in cyber matters.

Payments without due consideration encourage more ransomware threats, fostering conditions for cyberterrorism. Companies face the task of maintaining the latest cyberdefenses while taking such steps as timely reporting to the authorities and sharing information with industry trade groups.

Sponsored Content

About Sponsored Content This content was commissioned by Nikkei's Global Business Bureau.

You have {{numberArticlesLeft}} free article{{numberArticlesLeft-plural}} left this monthThis is your last free article this month

Stay ahead with our exclusives on Asia;
the most dynamic market in the world.

Stay ahead with our exclusives on Asia

Get trusted insights from experts within Asia itself.

Get trusted insights from experts
within Asia itself.

Try 1 month for $0.99

You have {{numberArticlesLeft}} free article{{numberArticlesLeft-plural}} left this month

This is your last free article this month

Stay ahead with our exclusives on Asia; the most
dynamic market in the world
.

Get trusted insights from experts
within Asia itself.

Try 3 months for $9

Offer ends October 31st

Your trial period has expired

You need a subscription to...

  • Read all stories with unlimited access
  • Use our mobile and tablet apps
See all offers and subscribe

Your full access to Nikkei Asia has expired

You need a subscription to:

  • Read all stories with unlimited access
  • Use our mobile and tablet apps
See all offers
NAR on print phone, device, and tablet media

Nikkei Asian Review, now known as Nikkei Asia, will be the voice of the Asian Century.

Celebrate our next chapter
Free access for everyone - Sep. 30

Find out more