This is the second half of a 2-part series on the cost of ransomware attacks. Read part one, about the cash paid to the attackers themselves, here.
As harrowing as they are, actual ransomware payments constitute only a small fraction of the cost of an attack. Downtime and recovery are far more expensive. And these costs are rising exponentially. Datto's Global State of the Channel Ransomware Report reported that ransomware payments had grown 94% between just 2019 and 2020—and were 50 times greater than the actual ransom.
The findings from Sophos' State of Ransomware 2021 report were also bleak, though not quite as stark a difference. The average ransom, according to Sophos' findings, was $170,000, while the average cost for an attack overall was $1.8 million. (It's worth noting, though, that averages may not be the best measure. As Sophos principal research scientist Chester Wisniewski points out, the costs vary widely depending on the size of the target. Attackers are tapping enterprises for multimillion-dollar ransoms, and SMBs for multithousand-dollar ransoms.)
Why Downtime Hurts
Downtime costs stem from a host of issues: production slowdowns, shipping delays, diversion of staffing resources, remediation efforts, rebuilding of IT infrastructure. These expenses compound quickly over even short periods of time.
- Mimecast's State of Email Security report estimated that a ransomware attack caused only six days of downtime.
- Comparitech averaged it out to around nine days.
- And Coveware found that the companies it surveyed experienced around 21 days of downtime.
The UK’s National Health Service (NHS) saw 19,000 canceled appointments following the WannaCry attack in 2017, in part accounting for losses of £92 million.
Burning IT to the ground
Cybereason’s Ransomware: The True Cost to Business Report found that two-thirds of respondents lost revenue as a result of an attack. Depending on the extent of an organization’s cyber insurance coverage, many of these costs may come out of pocket. Even the most generous policies will likely not cover the costs of replacing compromised equipment and instituting newer, stronger security protocols.
“You literally need to burn your IT to the ground and rebuild it,” Wisniewski laments. “Criminals have been wandering around in your system for days. Who knows what backdoors they left behind?”
“The most expensive cost for any organization really is the cost to redo the environment beyond recovery,” says Roger Grimes, security consultant and cybersecurity architect at KnowBe4 and author of the Ransomware Protection Playbook. "They say 'We’re going to do things right: we'll rebuild the Active Directory, we're going to make everyone get multi-factor authentication, and we're going to get CrowdStrike [a cybersecurity platform].' Most insurance companies only cover a range to get you back to where you were.”
Rebuilding may entail additional hires as well—also typically not covered by insurance. “Larger companies may decide they need a red team,” Grimes suggests. The average cost of a red team engagement (in which security professionals attack your IT infrastructure and let you know where the weaknesses are) is $40,000. Or it may seem imperative to hire a new Chief Information Security Officer—salaried at well north of $200,000 a year.
Though difficult to quantify, the reputational damage created by a ransomware attack might be substantial. Cybereason found that 53% of its respondents believed that they had taken a hit to their reputations following a breach. Only 17% of Datto’s respondents felt the same.
According to Arcserve, one-third of customers would likely take their business elsewhere if they were made aware of a ransomware attack in which their data was compromised. Nearly 60% would do so if there were two or fewer disruptions.
IBM’s report lumps this under lost business—at an average cost of $1.59 million. After telecommunications firm TalkTalk was hit with a massive ransomware demand in 2015, it lost more than 100,000 customers.
“There have been cases where the damage was really extreme,” Grimes recalls. “A good example is Travelex.” The currency exchange service provider was hit by a damaging cyberattack in December 2019, which was compounded by airport shutdowns due to COVID-19. In April 2020 its parent company put it up for sale as damaged goods, citing falling revenue.
Still, most companies tend to recover, according to Grimes. “Overall, if you look at most companies a year later, revenues and stock prices are up,” he observes. Two years after its catastrophic breach in 2017, Equifax’s stock price had nearly returned to where it was before the incident, for example.
Wisniewski is skeptical as to whether compromised data has much of a long-term effect on customer loyalty at all. “We don't even hold companies responsible anymore,” he says. “At what point do we just kind of throw our hands up and go, ‘I may as well have my mother's maiden name tattooed on my forehead and get on with life?’”
Still, heads tend to roll in the wake of an attack, whether or not the executives on the chopping block were actually responsible for the vulnerabilities that allowed it to happen. “The really big ones have a tendency to cause a board-level shuffle, or at least a C-level shuffle,” says Wisniewski. “Investors are demanding blood.” Top executives often resign or are fired in the wake of ransomware attacks—see Equifax, Uber, and clinical trial firm eResearchTechnology.
Fines and legal fees
On top of the already steep costs, ransomware victims are faced with the specter of regulatory fines. While fines have been levied for other types of data breaches, regulatory consequences for ransomware attacks have not yet become a major issue. Still, in 2020, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) issued an advisory warning of the potential financial consequences of making payments to sanctioned entities. And if a ransomware attacker also leaks personal data, the victim organization could face significant fines under data privacy laws like the California Consumer Protection Act (CCPA) and the EU's General Data Protection Regulation (GDPR).
“You have to make sure that it's legal to pay this [attacker], as they could be on the Department of Treasury's do-not-pay list,” Grimes warns.
More concerning are the legal costs of dealing with irate customers whose data has been exposed. “Ransomware attacks are causing far more lawsuits than I ever remember reading about in my 34-year career,” he imparts.
Suits against ransomware victims such as Canon, which saw the exposure of employee data in August 2020, are ongoing. The ultimate costs remain to be seen. If recent data breach suits are any indication, ransomware cases may result in the payment of legal fees to class action lawyers, coverage of identity protection and credit monitoring services for plaintiffs, mandated expenditures on data protection, and an array of damages to affected parties.