Today computers across the world have been hit by ransomware – notably including the UK’s NHS, and Spanish telco Telefonica. Some initial comments suggested “well, $300 isn’t a very big amount, it’s probably not professionals.” But when you see the scope of this attack, $300 from a lot of those people is a huge amount of money.
I think though that actually $300 is a pretty good price, and I suspect that for a lot of companies it’s going to be the price of doing business.
PC hardware is cheap and capable these days. And it comes with Windows Defender which, as far as many people are concerned, will do what they want, free of charge. And it updates itself.
Big software vendors like Microsoft and Adobe are pushing people to use cloud versions of their apps, and one of the benefits they tout is that you’ll always be using the most up to date version.
So I think it’s fairly easy to see that, especially in a very small company, there are a lot of people who will think “As long as we don’t click on dodgy links, we’ll probably be ok.” After all, they have their free Windows Defender, and their software updates automatically, so why do they need an “IT guy”?
They’re a small, hopefully growing business. And when they grow, they’d like their next hire to be someone who’ll help them do the thing they do, not spend all their time on “computer stuff”.
Take a small office with ten PCs in it. Even if they all get infected once a month with ransomware, and the company pays $300 for each system to unlock their files again, that’s $36,000 a year.
You’re not going to employ an IT staffer for that amount, especially in most big European cities. It’s not going to be a high priority. You might, after you’ve been bitten a few times, think about spending a little more on some security software.
A lot of people, however, may not even do that. They’ll take the chance, and when their computer tells them their files are all encrypted, they’ll send the $300 to get their data back, and remind everyone again not to click on dodgy links, or perhaps try to insist no one surfs the web on company time.
There are – and probably always will be – many companies like that. And that’s why I think $300 is a perfect price for a ransom. It might seem a low amount, but it’s still a great return for the people infecting PCs.
The last thing they want to do is charge so much that it becomes cost-effective for small companies to employ people who will stop them doing that.