By Katrina Thompson.
When threat actors deliver a ransom note, it may be the tail-end of the attack, but it is only the beginning of a potential nightmare for the victim organization. A recent report noted that 75% of US consumers would sever business with a brand that had suffered a data breach, and the vast majority of ransomware attacks today involve the infiltration of sensitive data to be used as additional leverage to compel a ransom payment.
The costly impact of ransomware attacks goes far beyond the dollars required for remediation and recovery, as they can impact brand, competitive standing, and introduce additional risk to the organization from lawsuits and regulatory actions. In this article, we’ll examine the all-around costs of ransomware and what organizations stand to lose by not being prepared.
Let’s Get Money Out of the Way
Before we begin to get creative, let’s cover the obvious. Ransomware attacks are very, very expensive. Financial pain can come in two ways:
- When you pay the ransom (spoiler: don’t do it unless you absolutely have to) and then try to get your systems back online without data being corrupted and then hope the attackers don't have persistence and decide to attack you again and issue a new ransom demand because they assume your organization is an easy mark
- You don’t pay the ransom and then begin the arduous task of wiping and reimaging every single impacted device manually (assuming the attackers did not also encrypt your backup files), which can take weeks and significantly impact production
Let’s tackle them each in turn.
- The average ransomware payout as of the fourth quarter 2023 was USD 568,000. In the previous quarter, it was as high as 850,000 dollars. The highest ransom demand? A staggering $100 million from ransomware group REvil to Taiwanese computer manufacturer Acer in 2021. It started at a no-more-reasonable $50 million and escalated quickly. And paying is no guarantee of recovery; A recent report revealed that ransomware victims permanently lose 43% of their data. And of the 81% that reported paying, only two-thirds were able to recover their data. As the report summed up, ”The attack will be worse than you imagined and cost more than you’re expecting.”
- A recent study indicated that the mean cost to recover from a ransomware attack (excluding the ransom) is $1.82 million. While the cost of restoring from backups was cheaper than paying the ransom, the sum still averaged out to 375,000 dollars. And on average, ransomware claims are $190,000 higher for organizations that fail to successfully restore their data following a ransomware attack. And in the event that they did encrypt your backups? Now you have to account for weeks or even months of downtime.
Lastly, what if your data gets exfiltrated and published online (the worst-case scenario), and you are still facing a ransom demand? With no chip left in your favor, the only hope is that if you pay, they won’t do it again. Don’t hope too hard; when entities pay the ransom, it signals to cybercrime gangs that they are willing to play ball and pay up. Consequently, the ball gets served to them time and time again.
While high, those out-of-pocket expenses are in many ways expected. When dealing with ransomware, companies know it comes with the territory. Now, let’s get into some itemized costs you may not think of when “ransomware” comes to mind.
Downtime and Operational Disruption
The average length of downtime following a ransomware attack is 22 days. By one estimate, the average cost of downtime for a small business is $427 per minute. By that math, SMBs will be over $13 million in the hole by the time they’re up and running again, and for most, that will be too late. It’s no wonder that up to 60% of small businesses shutter after a ransomware attack.
That isn’t an easy pill to swallow for enterprises, either. For larger outfits, downtime can cost anywhere from $145,000 to $450,000 per hour. In the automotive industry, that number can range as high as 3 million dollars. Gartner splits the difference at an estimated $5,600 per minute, but even that is hard to weather – if not impossible for most.
Granted, extended downtime for a golf course is likely negligible, but for sectors like retail or manufacturing, it can be an existential event. And imagine if the local power company got knocked offline for a few hours. Blackouts would not only inconvenience but endanger, as hospitals would be left in the dark, traffic lights would go black, and local cell phone towers would struggle to emit a signal, cutting off vital communication.
By comparison, consider the price of investing in additional ransomware security software or even hiring a few new cybersecurity professionals for your team. If the cost is anything less than 13 million dollars in 22 days (the lowest estimate), it would be a financially sound investment.
Regulatory Fines and Legal Costs
What you’re going to spend on compliance fines depends on the severity of the case, your sector, and the applicable laws. But these estimates can get you close:
- HIPAA violations can range from an annual cap of $25,000 to one of $1.5 million, depending on the severity of the crime. At the top end of the spectrum is “willful neglect, not timely corrected.”
- PCI DSS compliance fines are billed at up to $500,000 per incident or $5,000 to $100,000 per month. This, in addition to potential costs of staff time during recovery, printing, and mailing breach notifications to customers, and all the intangibles that come from having the public know you failed to protect their sensitive cardholder data.
- GDPR fines bear a hefty price of up to 10 million euros, or in some cases, 2% of the company's entire global turnover for the previous year, whichever is higher.
And just like a ransomware note, these fines are only the beginning; legal costs extend to so much more than dollar signs. Class action lawsuits against organizations that have allowed customer data to be breached are making headlines nearly every month, and liability continues to move up the food chain. Several CISOs have been criminally charged for mishandling their company’s data breaches (a la Uber and SolarWinds), and it is only a matter of time before that risk extends to the C-suite and Board of Directors as well.
Damage to Brand Reputation
Now comes the part that hurts the most or perhaps cuts most deeply. An organization’s brand is its calling card. It is what lets customers – even millions of them – lend their collective trust to this entity and build brand loyalty, purchasing from them again and again and allowing them to reasonably project future earnings and make investments against those projections.
That’s why data loss amounts to so much more than the loss of the data itself. When your brand image drops, so does your competitiveness in the market. Data exfiltration can also result in the loss of intellectual property, further handicapping your “edge” and destroying your image, earnings, and prospects further.
One ransomware attack could throw the whole thing off course. We already know that a successful data breach shakes the confidence of three-fourths of American consumers. It turns out that 44% of them put the responsibility squarely on the company’s shoulders, attributing the compromise directly to a lack of adequate security measures.
When a company develops the image of neglecting customer security in favor of its bottom line, it enters a depth of reputational hell that’s hard to redeem itself from.
Conclusion
More than ever before, the cost of ransomware prevention is far smaller than the consequences of ransomware cost. And prevention now isn’t what it used to be. Now, there are anti-ransomware platforms that provide organizations with focused, laser-point precision for preventing the ransomware problem using AI/ML and non-traditional means. At a time when ransomware is running rampant, solutions like these, in addition to comprehensive defense-in-depth cybersecurity strategies, are an enterprise’s only hope for staying one step ahead of attackers and escaping the ransomware minefield with the fewest financial casualties.
An ardent believer in personal data privacy and the technology behind it, Katrina Thompson is a freelance writer leaning into encryption, data privacy legislation, and the intersection of information technology and human rights. She has written for Bora, Venafi, Tripwire, and many other sites.