White Paper - XDR for Retirement Systems

August 4, 2021
Ken Ballard

Ransomware attacks continue to target businesses in all industries across the United States. By gaining access to networks and encrypting important systems and files with specialized malware, threat actors seek a payday in return for decrypting compromised IT resources. This article explores the full cost of ransomware attacks to businesses—and you might be surprised at the extent of the findings.

7 Ransomware Costs That Could Impact Your Business

Industry reports and surveys emerge all the time highlighting the costs of ransomware to businesses. These estimates often vary significantly from one another, partly because each business is impacted differently and each situation is unique. 

Estimating the actual cost of a successful ransomware attack is more nuanced than you may first think about. Here are seven different costs that can factor into the equation for your business.  

1. Paying the Ransom

The most obvious direct cost is the ransom demanded by cybercriminals to decrypt any files or systems they’ve locked down. Industry experts regularly debate the topic of whether to pay ransoms, and there remains no established consensus among commentators. 

Security experts working in the industry may debate the topic of whether to pay, but governmental guidance is more clear-cut. The Cybersecurity and Infrastructure Security Agency (CISA) expressly states in its Ransomware Guide that “ CISA, MS-ISAC, and federal law enforcement do not recommend paying a ransom.” Even bearing that advice in mind, organizations still regularly pay the ransoms that hackers demand because they feel like there’s no other option. 

So, what does a ransom payment look like? 

A recent Palo Alto report found that the average ransom paid by organizations increased from $115,123 in 2019 to $312,493 in 2020. It’s worth noting that the methodology for calculating this figure wasn’t defined in the report, so this average payment could be skewed by large ransoms paid by enterprsies. A 2019 Datto report found that the average ransom requested for SMBs was $5,900, which seems more realistic.

All of this is to say that the ransom payment varies depending on the size of your business and the nature of the data that has been compromised.  

2. Double Extortion Costs

Many recent ransomware attacks have used double extortion tactics to increase the likelihood of receiving ransom payments. By first exfiltrating sensitive data from systems before encrypting the affected systems, threat actors use stolen data as extra leverage to demand ransoms. 

With double extortion tactics, the perpetrators threaten to publicly disclose stolen confidential data. Using this tactic, ransomware groups can demand higher payments because many businesses desperately want to avoid public disclosure of sensitive data. 

3. System Downtime

Not having access to important files and systems is extremely costly for pretty much every business. Ransomware typically brings down multiple systems simultaneously. Estimates for the average time it takes to restore affected systems range from 16 days to 21 days.  

Restoration activities include:

  • Reconnecting data backups from offline storage sources
  • Rebuilding systems using OS images
  • Using tools (if available) to decrypt the ransomware strain’s encryption algorithm

It’s worth noting that paying the ransom doesn’t guarantee the swift resumption of access to affected systems. Downtime costs often far exceed those of the initial ransom. The aforementioned Datto report found that downtime from ransomware costs an average of $274,200, which is over 46 times greater than the $5,900 average ransom for SMBs. 

4. Legal Costs

Most businesses unfortunate enough to become victims of ransomware attacks face legal costs too. These costs arise from needing to hire an attorney and seek legal advice on how to adhere to relevant laws at the state, local, or federal level. Furthermore, double extortion attacks that result in breaches of PHI or PII data call for additional legal counsel about data breach notification requirements for affected parties.

5. Incident Response Teams

Not every organization has its own dedicated incident response team. The seriousness of ransomware generally necessitates availing of incident response services providing the required expertise to deal with the fallout from a successful attack. These cross-functional teams cover some of the following aspects of responding to ransomware incidents:

  • Identifying the particular ransomware strain/variant impacting your systems
  • Investigating the scope of the attack and its impact on the network
  • Containing the attack by quarantining systems or network subnets
  • Recovering affected systems using decryption techniques or backup and recovery methods

While an expert outsourced incident response team can reduce recovery time and minimize other costs associated with successful attacks, it’s still a ransomware cost worth thinking about. 

6. Reputational Damage

Reputational damage is an important ransomware cost that often gets overlooked. Customers naturally feel annoyed if an attack exposes their sensitive data. If companies are slow to react, don’t take responsibility, or aren’t transparent enough about what happened, severe reputational damage is likely to ensue. 

The fact that ransomware attacks regularly make media headlines almost guarantees at least some negative press coverage. Reputational damage often begins with a social media backlash and culminates in a share price drop and/or a decline in customers. 

A report by insurer Aon into the impact of cyber risk on reputation highlighted how UK-based company TalkTalk lost 101,000 customers as a result of a serious data breach. On the topic of insurance, it’s worth noting that ransomware victims (and victims of other cyber crimes) often end up paying increased future insurance premiums. These premium increases stem from an increased perception of risk from the insurer’s perspective. 

7. Non-Compliance Fines

Several regulations protect sensitive data in particular industries, such as HIPAA in healthcare or GLBA in finance. When ransomware attacks result in breaches of sensitive data, companies run the risk of violating these regulations. GLBA fines can cost up to $100,000 per violation, so the impact of non-compliance can be devastating. 

A ransomware advisory issued by the U.S. Office of Foreign Assets Control (OFAC) highlighted further potential non-compliance costs for businesses to consider. These costs extend beyond compliance fines for data breaches. According to the document, paying a ransom may result in “civil penalties for sanctions violations”. 

To summarize, ransomware attacks remain such a perilous threat to businesses because of their disparate and far-reaching costs. The cost of ransomware attacks provides sufficient motivation to ensure you have controls in place that can protect against these cyber attacks. Our Ransomware Risk Assessment provides a way to validate your controls against ransomware using external, unbiased security expertise. Contact us today. 

join our email list