This is the second half of a two-part series dealing with the cost of ransomware attacks. Read the first part about the money paid to the attackers themselves here.
As horrific as it is, the actual ransom payments make up only a small part of the cost of the attack. Downtime and recovery are much more expensive. These costs are rising steadily. Datto Global State of the Channel Ransomware reports that ransom payments grew by 94% between 2019 and 2020 alone – and were 50 times greater than the actual ransom.
The findings of Sophos’ State of Ransomware 2021 report were also bleak, although not so much. The average ransom, according to Sophos’ findings, was $170,000, while the overall average cost of the attack was $1.8 million. (It should be noted, however, that averages may not be the best measure. As Sophos lead research scientist Chester Wisniewski notes, costs vary widely depending on the size of the target. Attackers exploit companies for multimillion-dollar ransom, and SMBS to obtain on a multi-thousand dollar ransom.)
Why stop working hurt
Downtime costs stem from a combination of issues: production slowdowns, shipping delays, diverted staffing resources, repair efforts, and rebuilding IT infrastructure. These expenses accumulate quickly even over short periods of time.
The UK’s National Health Service (NHS) saw 19,000 appointments cancelled in the wake of the WannaCry attack in 2017, in part due to losses of £92m.
Burning information technology to the ground
Cybereason’s Ransomware: A True Cost to Business report found that two-thirds of respondents lost revenue as a result of an attack. Depending on the extent of the organization’s electronic insurance coverage, many of these costs may be paid out of pocket. Even the most generous policies likely won’t cover the costs of replacing compromised equipment and creating newer, stronger security protocols.
“You literally need to burn through and rebuild your IT,” Wisniewski says with a sigh. “Criminals have been roaming your system for days. Who knows what back doors they left behind?”
Says Roger Grimes, security consultant and cybersecurity engineer at KnowBe4 and author of Ransomware Protection Guide. They say ‘we’ll do things right: we’ll rebuild Active Directory, we’ll make everyone get multi-factor authentication, we’ll get CrowdStrike [a cybersecurity platform]“.Most insurance companies only cover a scope to get you back to where you were.”
Rebuilding may require additional appointments, too — which are also usually not covered by insurance. “Larger companies may decide they need a red team,” Grimes suggests. The average cost of participating in a red team — where security professionals attack your IT infrastructure and tell you where the vulnerabilities are — is $40,000. Or it may seem necessary to hire a new head of information security – his salary is north of $200,000 a year.
Although it is difficult to quantify the amount of reputational damage caused by a ransomware attack can be significant. Cybereason found that 53% of respondents believe they have suffered a blow to their reputation after a breach. Only 17% of Datto participants felt the same.
According to Arcserve, a third of customers would likely take their business elsewhere if they were informed of a ransomware attack through which their data was compromised. Almost 60% will do this if there are two or fewer failures.
This IBM report puts this under lost business – with an average cost of $1.59 million. After telecommunications company TalkTalk received a massive ransomware demand in 2015, it lost more than 100,000 customers.
“There were cases where the damage was really severe,” Grimes remembers. “Traflex is a good example of this.” The currency exchange service provider was hit by a devastating cyber attack in December 2019, which was exacerbated by the closure of airports due to COVID 19. In April 2020, the parent company offered it for sale as damaged merchandise, citing reduced revenue.
However, most companies tend to recover, according to Grimes. “In general, if you look at most companies a year later, revenue and stock prices go up,” he notes. Two years after its disastrous breakout in 2017, Equifax’s stock price is almost back to what it was before the crash, for example.
Wisniewski doubts whether the compromised data has a long-term impact on customer loyalty at all. “We don’t hold companies responsible anymore,” he says. “At what point do we kind of raise our hands and go, ‘Maybe it also be tattooing my mother’s maiden name on my forehead and going on with life?” “
However, heads tend to roll in the aftermath of an attack, whether or not the hacking block executives were actually responsible for the vulnerabilities that allowed this to happen. “Really big companies tend to have board-level mixing, or at least C-level mixing,” Wisniewski says. “Investors demand blood.” Top executives often resign or get fired in the wake of ransomware attacks – see Equifax, Uber, and clinical trial firm eResearchTechnology.
Fines and Legal Fees
On top of the already heavy costs, ransomware victims face the specter of regulatory fines. While fines have been imposed for other types of data breaches, the regulatory consequences of ransomware attacks have not yet become a major problem. However, in 2020, the US Treasury’s Office of Foreign Assets Control (OFAC) issued an advisory warning about the potential financial consequences of making payments to sanctioned entities. And if a ransomware attacker also leaks personal data, the victim organization could face heavy fines under data privacy laws such as the California Consumer Protection Act (CCPA) and the European Union’s General Data Protection Regulation (GDPR).
“You have to make sure that it is legal to pay this [attacker], where they could be on the Treasury’s no-pay list,” Grimes warns.
Even more worrisome are the legal costs of dealing with angry customers whose data has been exposed. “Ransomware attacks are causing far more lawsuits than I ever remember reading about my 34-year career,” he said.
Cases against ransomware victims like Canon, which saw employee data exposed in August 2020, are still ongoing. The final costs remain to be seen. If recent data breach claims are indicative, ransomware cases could result in legal fees for class action attorneys, identity protection coverage and credit monitoring services for plaintiffs, data protection expenses, and a host of damages to affected parties.
What to read next:
The cost of a ransomware attack, Part 1: Ransomware
Measuring cyber resilience and why it matters
The electronic insurance market is in flux