The end of year summary season is gone, and among all the scary and shocking statistics, there is one number that looms above all others. It is estimated that ransomware has cost the United States more than $7.5 billion last year. And indeed, we’ve heard of countless ransomware incidents and seen an explosion of build-your-own ransomware RaaS projects making it easier for unsophisticated criminals to get in on the act. And yet, when you add up the numbers and calculate the average payout, those dollar amounts don’t paint the entire picture of the financial burden suffered by organizations hit by these kinds of criminal attack. In this post, we’ll look at the six true costs of a ransomware attack.
Of course, the up-front ransomware payment is the headline figure, but it’s only one – and not necessarily the largest – factor in the overall cost that ransomware imposes on its victims.
That said, in Q3 of 2019, we saw the average ransom payment increase by 13% to $41,198 compared to $36,295 in Q2 of 2019.
Ryuk ransomware is largely responsible for the massive increase in ransomware payments. The malware operators demand an average of $288,000 for the release of systems, compared to the $10,000 average price demanded by other criminal gangs.
Indirect costs are the costs of business interruption associated with a ransomware attack. Business interruption costs are often five to ten times higher than direct costs.
Calculating the actual cost of downtime can be challenging as it has different effects on different businesses and organizations. For SMBs, the average cost of downtime in 2019 comes out at $141,000, a more than 200 percent increase over last year’s average downtime cost of $46,800. This is more than 20 times higher than the average ransom request from SMBs, which is $5,900.
In the public sector, 42% of organizations have suffered a ransomware incident in the last 12 months, with 73% of those experiencing two or more days of downtime as a result. For enterprise, the average downtime in Q3 2019 was 12.1 days, according to a Ponemon Institute study, and the overall cost estimated at $740,357. This leads to the additional cost of operational shutdown, which can have a truly staggering impact on the bottom line, as aluminum manufacturer Norsk discovered when it suffered from a ransomware attack that caused cumulative damage of $55 million. Attacks on municipalities can be costly as well. A recent attack on New Orleans is estimated to have cost the city $1 million, and an earlier attack on Baltimore is estimated to total $18 million in damage.
Ransomware attacks are unlike stealthy cyber attacks of the past. As such, they are both highly destructive and visible, leaving victims with no choice but to make it known to the public that they have been breached.
That public admission can often result in outcry and disapproval from customers, investors and other stakeholders. While the data can be restored, it’s not always so easy to restore public trust, particularly if disclosure is not handled in a timely and transparent manner. This can have adverse effects on retaining existing clients, generating future business and even negatively affect the company’s stock prices.
Ransomware attacks can lead to very unhappy clients, and these clients in turn could resort to legal means for some compensation. That’s what happened to DCH Health Systems after a ransomware attack on Alabama Hospitals in December 2019. Subsequently, patients filed a class action lawsuit against the company, alleging privacy violations, negligence and medical care disruption.
While it’s always possible that companies can fall foul of libel suits for such issues without ransomware being involved, the fact that ransomware was involved made the incident public and the case for compensation easier. In addition, cyber criminals have started to expose stolen data, which could lead to potential embarrassments for the victimized organization and further law suits from clients’ whose data is leaked.
As with any type of cyber infection, victims should expect the full gamut of damage, even if it’s not directly related to the attack. In one such incident, as reported by Brian Krebs, a company initially infected with Ryuk ransomware had its entire credentials stolen and then reused for all sorts of malicious activities, in part with the help of another notorious malware family, Emotet.
While this may not be typical behaviour of many ransomware-related hackers, who usually go directly for the quick payout, it does show the potential for further collateral damage from such incidents.
And unfortunately, after all the damage caused by the attack itself, paying the ransom does not guarantee the safe retrieval of the victim’s encrypted data. Recently, it was discovered that the data recovery mechanism used by Ryuk is faulty, causing an incomplete recovery of some types of files and leading to data loss even if the victim had paid the ransom demand.
In other cases, hackers have been known to simply walk away and never bother to provide the decryption keys, leaving the hapless victim out of pocket and their data lost forever.
Ransomware attacks can be deadly for businesses, which might never recover from the financial burden caused by the direct and indirect damage inflicted. In one such case, a US fundraising firm has been forced to close its doors after more than 60 years in business following a crippling ransomware attack in October. The company had paid the ransom, but nonetheless it was unable to get back on its feet and had to close shop in late December, making it a very unhappy Christmas for all its employees.
When trying to assess the potential risk emanating from ransomware attacks, businesses should factor in all these aspects: the payout, downtime, damage to reputation, data loss and more. Once all these have been taken into consideration, it is advisable to seek a trusted endpoint solution to provide maximum security against ransomware and complement it with proper backup systems and business continuity procedures. It’s also advised to purchase suitable cyber insurance to reduce the risk even further.