At the beginning of the year, let's take a look at the balance sheet. Among all the statistics of 2019, one stands out above all others: the costs of ransomware attacks are increasing, and they are not only related to the amount of the ransom. What does this type of attack actually cost?
It is estimated that last year, ransomware in the United States cost more than $7.5 billion. To be sure, many ransomware incidents were reported, and the number of do-it-yourself ransomware-as-a-service (RaaS) projects, which bring less sophisticated criminals into the game, has grown exponentially. What makes this even more worrying is that the amount paid in ransom is not the whole story. The total financial loss from such attacks is many times bigger once the indirect costs are taken into account as well. Let's take a look at the six factors that complete the picture of the total costs of ransomware attacks.
1) The ransom money
Naturally, the amount of the ransom payment is the most visible and first thing we think of. But it is not the only, and not even always the most important, factor in the total cost of ransomware.
That said, we witnessed 13% growth in the average ransom amount to $41,198 in the third quarter of 2019, compared to $36,295 in the second quarter.
Ryuk ransomware is mainly responsible for this massive increase in the ransoms paid. Its operators demanded $288,000 on average to release systems. In comparison, other criminal gangs asked $10,000 on average.
2) Forced downtime
Indirect costs are the costs of the operational disruption caused by a ransomware attack. Such disruption often costs businesses five to ten times more than the direct costs of the attack.
It is often difficult to calculate the exact costs of downtime, as a disruption affects each company differently. Among SMEs in the US, downtime was estimated to cost $141,000 on average in 2019, an increase of more than 200% compared to the average of $46,800 in the previous year. This amount is more than 20 times higher than the average ransom demanded from SMEs by hackers ($5,900).
In the public sector, 42% of all organisations fell victim to a ransomware incident in the past 12 months, with 73% experiencing downtime of two days or more. According to a study conducted by the Ponemon Institute, downtime in the business sector was more than 12 days on average in the third quarter of 2019. The total costs are estimated at $740,357.
These are the costs of having to stop operations, which can have an inconceivably large impact on operating results. Aluminium producer Norsk was one of the unfortunate companies that had to experience this. The company was the victim of a ransomware attack resulting in a cumulative loss of $55 million. Attacks on cities can be expensive as well. The total costs of a recent attack on the American city of New Orleans are estimated at $1 million, and an earlier attack on the city of Baltimore in Maryland resulted in an estimated total loss of $18 million.
3) Loss of reputation
The ransomware attacks of today do not differ from the cunning cyber-attacks of the past: both are very destructive and highly visible. Victims have no option but to announce to the outside world that cyber criminals have succeeded in penetrating the organisation.
Admitting this in public often results in commotion and disapproval from customers, investors, and other stakeholders. Often, the data can be recovered relatively quickly, but this applies to a much lesser extent to public confidence, especially if the announcement is not made in a timely and transparent manner. This may have negative consequences for customer retention, acquisition of future customers, and even the company’s own share prices.
4) Legal claims
Ransomware attacks may result in deeply dissatisfied customers, and those customers may take legal action to claim compensation. This is what happened to the company DCH Health Systems in the American state of Alabama after a ransomware attack on Alabama hospitals in December 2019. After the attack, patients filed a claim against the company for violation of privacy, negligence, and interruption of medical care.
Of course, charges can be brought against a company for such supposed abuses without ransomware having anything to do with it. But because this case concerned ransomware, the incident became public and, as a result, the case for compensation became simpler.
Moreover, cyber criminals have also started disclosing stolen data. This may deeply embarrass the targeted organisation and result in complaints and potential lawsuits from customers whose data was leaked.
5) Collateral damage
As with any other type of cyber infection, victims have to be prepared for a series of possible consequences, including damage that does not directly result from the attack itself. As Brian Krebs reported, at a company that was initially infected with Ryuk ransomware, the identity documents of its employees were stolen and subsequently used for all sorts of fraudulent activities, partly by deploying another notorious malware, Emotet.
Fortunately, this behaviour is not typical of ransomware hackers, who usually go for fast and easy money – for now. However, it clearly shows the potential for collateral damage in such incidents.
6) Data loss
Unfortunately, payment of the ransom does not guarantee that the encrypted data is safely recovered. Recently it was discovered that the data recovery mechanism used by Ryuk has a defect that results in incomplete recovery of certain file types. The data is lost all the same, even though the requested ransom was actually paid by the victim.
In other cases, hackers simply run off with the ransom and make no effort to release the decryption keys. In that case, the unfortunate victim is left with substantial expenditure and data that is lost forever.
When assessing the potential risks ensuing from ransomware attacks, businesses have to consider many factors: the ransom money, downtime, reputational damage, data loss, and so on. After all these aspects have been identified and listed, it is advisable to look for a modern anti-virus solution that really protects you against ransomware, and to supplement that solution with adequate back-up systems and procedures for business continuity. It is also recommended that you take out appropriate cyber insurance to reduce the risk of substantial losses even further.
Eric van Sommeren is Director Sales Northern Europe for SentinelOne. He shares his passion for endpoint security software as a guest blogger for EASI.