Ransomware is particularly insidious. Prior to the rise of ransomware, criminals focused on attacking the confidentiality of data with large data breaches that compromised personal data such as financial and health records. Fortunately for victims, those records are hard to commoditize, with credit card numbers selling for mere pennies on the dark web. Ransomware instead attacks the availability of victims’ data, suddenly proving to organizations that their data has value because they are unable to do business without it. But how bad is this cost? As with any business risk, one must be able to assess how big a (monetary) risk it presents to an organization in order to determine how much is worth investing to protect against it – or whether to simply accept the risk. This article looks at the average and peak costs of ransomware, including recent trends, how frequently these attacks occur, the consequences of paying the ransom, and some lessons learned from those who have suffered.
Average / Max Costs
We’ll start with some staggering numbers: Cybersecurity Ventures projects that global losses due to ransomware will be $11.5 billion this year (2019) – fortunately, that’s not all money in the attackers’ pockets; most of it is recovery and downtime costs. Still, the figure is up from the $8 billion they projected for 2018 and the $5 billion they projected for 2017. These numbers are still small compared to Datto’s estimate of $75 billion at the end of 2016, so one can consider Cybersecurity Ventures’ figures to be the conservative estimate.
Per Incident Average Ransoms
What about the ransoms themselves? Just a couple of years ago, ransoms averaged $544 per infected computer – organizations would frequently have to pay more simply because they had many infected computers. This was also a reasonable price point for home users who did not want to lose their family photos or documents. In the past two years there has been a shift from wide-scale ransomware attacks to attacks on enterprises with a strong ability to pay. Consequently, by Q1 of 2019 the average ransom had increased to $12,762, and by Q2 of 2019 it was up to $36,295. Much of this increase has come from the increased activity of the Ryuk ransomware, which has an average ransom of $286,557. It should be noted that some ransomware variants increase the ransom over time in an attempt to force the victim’s hand instead of waiting to see whether they can retrieve their data by other means.
The count of attacks decreased over 2018 as worm-based attacks such as WannaCry and Petya, and broad attacks largely affecting home users, dropped off; ransomware operators instead focused their attention on large targets and on targets that are less tolerant of downtime and more likely to pay large ransoms, such as government and healthcare organizations. This shift was suspected in the Erie County Medical Center attack, where the ransom seemed higher than usual because the attackers knew what they had. It is likely that attackers will expand the set of high-value targets they go after.
Per Incident Peak Ransoms
Ransomware operators have been good about maximizing their returns for some time. Back in 2017, Nayana negotiated their ransom down to $1M. The following year (2018), the peak ransom reported was $930,000. The figures are still coming in for 2019. Thus far the highest ransom reported has been $600,000 by Riviera Beach, FL, but don’t feel too bad for the attackers making less money, because they also got Jackson County, GA to pay $400,000. In a growing number of cases, the ransom is so high that the companies simply decide that it’s easier to go out of business.
Per Incident Recovery Averages
Ransoms alone do not tell the whole story, however. Many organizations will not pay the ransom out of principle, out of fear that it will not work, or out of fear of being targeted again – especially if they can reconstitute their services by other means. Unfortunately, the other means are often more expensive due to recovery and downtime costs. According to a 2013 study by the Aberdeen Group, downtime costs a small business $8,581 per hour. Back in 2017, 34% of businesses reported taking over a week to recover from ransomware attacks, and it is only getting worse. In Q1 of 2019, the average recovery time was 7.3 days, and by Q2 it had gone up to 9.2 days. The same Q1 report estimated an average of $64,000 in downtime costs, which is fairly conservative against the $494k one gets from 7.3 days times the $8,581 cost per hour (this would appear to be on par with a $10M annual revenue firm using regular business hours). The Q2 report did call out that downtime costs are typically 5-10 times the ransom demand, which is actually more closely in line with the $494k (or $632k by Q2) calculation.
Per Incident Recovery Examples
In April 2017 the Erie County Medical Center elected to not pay a $44,000 ransom and instead spent over $10M on recovery. The following year, the City of Atlanta elected to not pay a $52,000 ransom and instead spent over $19M on recovery. Coming close to that mark, earlier this year (2019), the City of Baltimore elected to not pay a $76,000 ransom and instead spent over $18M on recovery.
As noted above, the downtime costs can be even more significant than the recovery costs. In 2017, ransomware worms took out both AP Moller-Maersk and FedEx. Both firms reported losses upwards of $300M each, mostly due to lost revenue and related downtime costs. Considering that those two incidents alone would account for 12% of the total global losses due to ransomware in 2017, one might suspect that the total global loss estimates are a bit low.
As noted above, we have seen a shift from worm-based attacks that overwhelmingly target consumers to targeted attacks on corporations. Nevertheless, no one has revised Cybersecurity Ventures’ 2017 estimate that a ransomware attack will occur every 14 seconds in 2019 and every 11 seconds in 2021.
The scarier facts here are that in 2017, 12.6% of large organizations suffered a ransomware attack, and a whopping 45% of small-to-mid-sized businesses (SMBs) suffered from ransomware. While many businesses were hit in 2017 by the worm-based ransomware, the fact is that as ransomware has become more targeted, SMBs are frequently the preferred targets because they typically do not have defenses or good backups, and they need the data to run their business.
Multiplying this 45% successful attack rate by the Q2 average downtime figure means that if you are a small business, you will likely lose $284k due to ransomware in any given year – and as your business grows, so does that number.
Consequences of paying
Faced with a $632k downtime figure versus $36k in ransom, why not just pay? Some organizations, such as government entities, will usually make a blanket decision not to pay the ransom due to a strict policy of not paying criminals. Businesses, on the other hand, will more often consider the option of paying, especially when weighed against the much higher cost of downtime and recovery. Unfortunately, the reality is that one does not simply pay the ransom and go back to business as usual. Even after paying, businesses sometimes do not receive the decryption tool; those that do may still experience data loss; decryption can take a long time; and paying marks you as a target to be hit again.
Just a few years ago, victims were more likely to be left hanging after paying the ransom, with upwards of 33% never receiving a decryption tool after paying. This made people less likely to pay, so ransomware vendors have by and large gotten much better about providing the decryption tool, with figures from earlier this year up to 94%.
Even if you receive a decryption tool, due to the inherently destructive nature of ransomware, you may still have trouble decrypting your data. As of April 2019, only about 93% of data was recovered on average after paying a ransom, with variants such as Dharma being particularly unreliable and Ryuk data recovery sitting at around 80%. Presumably because of that reputation, the Ryuk authors managed to increase that to around 87% by July. Still, one can imagine that losing 13% of your data – especially after paying hundreds of thousands of dollars – would be pretty catastrophic.
Finally, just paying the ransom might seem like a fair option if the pain were simply over and done with, but evidence shows that it just marks you as a target. Over half of organizations who are hit with ransomware will be hit again, and 40% of IT professionals claimed to have clients who had been hit six or more times.
The one upside of looking at this onslaught of ransomware attacks is that we can learn from them to prevent them from happening to us, or to be better prepared if they do.
Initial infection vector
According to anti-virus maker Sophos, 75% of ransomware victims were running up-to-date anti-virus; this is actually a shocking revelation coming from an anti-virus vendor. At the same time, it underscores the lengths ransomware operators will go to spread their wares. As of late 2017, 91% of ransomware came from phishing attacks. While phishing continues to be a significant vector, increasingly Remote Desktop Protocol (RDP) is being used as ransomware focuses on small to mid-sized enterprises. As of July 2019, RDP accounted for 59.1% of the initial infection vectors.
The conventional response to ransomware is to just restore from backups – you have backups, so you’re safe, right? Unfortunately, ransomware is starting to teach businesses that their backup solution often doesn’t work for a multitude of reasons:
- Organizations frequently don’t back up everything in order to save money and come to discover that some of their most critical data was part of what was not backed up,
- Attackers know that backups are their enemy, so unlike a hard drive failure, they’ll destroy/encrypt the backups as well,
- Restoration fails because backups were not conducted properly or became corrupted,
- Restoration will take too long.
Each of these has a corollary of advice, of course: back up everything (if it’s not worth backing up, it’s not worth having), keep backups off-line and off-site (this also protects against threats like fires and storms), test your backups, and ensure your solution is adequate for the size of your IT footprint.
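As an added example (not from the original article), a restore test of the kind the "test your backups" advice calls for: it records a hash manifest of the live data, then checks a restored tree against it so that files that were never backed up and files that came back corrupted are both caught. The sample files and the directory layout are constructed for the demo.

```python
"""Backup restore test: verify a restored tree against a hash manifest of the live data.
Added example, not the article's code; the sample tree is constructed in a temp dir."""
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path):
    """Stream the file through SHA-256 so large backups need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map each file (relative to root) to its SHA-256, recorded before the backup runs."""
    root = Path(root)
    return {str(p.relative_to(root)): sha256_of(p) for p in root.rglob("*") if p.is_file()}


def verify_restore(manifest, restored_root):
    """Check a restored tree against the manifest: files never backed up show up as
    missing, files damaged in storage or transit show up as corrupted."""
    restored_root = Path(restored_root)
    result = {"missing": [], "corrupted": [], "ok": []}
    for rel, digest in sorted(manifest.items()):
        target = restored_root / rel
        if not target.is_file():
            result["missing"].append(rel)
        elif sha256_of(target) != digest:
            result["corrupted"].append(rel)
        else:
            result["ok"].append(rel)
    return result


def demo():
    """Constructed scenario: three live files; one restored intact, one truncated, one never backed up."""
    with tempfile.TemporaryDirectory() as tmp:
        live, restored = Path(tmp, "live"), Path(tmp, "restored")
        for d in (live / "db", restored / "db"):
            d.mkdir(parents=True)
        (live / "db" / "ledger.sqlite").write_bytes(b"ledger rows " * 100)
        (live / "notes.txt").write_text("quarterly plan")
        (live / "photo.jpg").write_bytes(b"\xff\xd8 jpeg bytes")
        manifest = build_manifest(live)
        (restored / "db" / "ledger.sqlite").write_bytes(b"ledger rows " * 100)  # intact copy
        (restored / "notes.txt").write_text("quarterly")  # corrupted: truncated in transit
        # photo.jpg is deliberately absent: it was excluded from the backup set
        return verify_restore(manifest, restored)


if __name__ == "__main__":
    print(demo())
```

Run the manifest step against the live system on a schedule and the verify step against a real restore into a scratch location, not against the backup media in place.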
Pulling it together
Based on current trends, you should plan to lose about 2.84% of your revenue to ransomware each year. That means $284k for just a $10M business. Now, that number is absent any controls to prevent, detect, or respond to the threat. You can use that figure to calculate the ROI on any controls you use to address ransomware.
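The arithmetic behind the $632k, $284k and 2.84% figures, plus the pay-versus-restore comparison from the "Consequences of paying" section, as a small calculator. This is an added example, not the article's own code; the 8-hour business day, the simple pay model and the control cost and effectiveness passed to control_roi() are assumptions for illustration.

```python
"""Ransomware loss arithmetic from the article (added example, not the article's code).
Figures are the article's: $8,581/hour downtime (Aberdeen Group, 2013), 9.2 days
average recovery (Q2 2019), 45% of SMBs hit in a year (2017), $36,295 average
ransom and a 94% chance of receiving a decryptor (2019). The 8-hour business day
and the control/pay-model parameters are assumptions for illustration."""

HOURLY_DOWNTIME_COST = 8_581    # USD/hour, the article's Aberdeen Group figure
BUSINESS_HOURS_PER_DAY = 8      # assumption: regular business hours
RECOVERY_DAYS_Q2_2019 = 9.2
SMB_ANNUAL_HIT_RATE = 0.45
AVG_RANSOM_Q2_2019 = 36_295
P_DECRYPTOR_DELIVERED = 0.94


def downtime_cost(days, hours_per_day=BUSINESS_HOURS_PER_DAY, hourly=HOURLY_DOWNTIME_COST):
    """Single-incident downtime cost: outage days x working hours x hourly cost."""
    return days * hours_per_day * hourly


def annual_expected_loss(hit_rate=SMB_ANNUAL_HIT_RATE, incident_cost=None):
    """Annualized loss expectancy: yearly probability of being hit x incident cost."""
    if incident_cost is None:
        incident_cost = downtime_cost(RECOVERY_DAYS_Q2_2019)
    return hit_rate * incident_cost


def loss_as_revenue_share(annual_revenue):
    """The article's 2.84% figure: expected annual loss divided by annual revenue."""
    return annual_expected_loss() / annual_revenue


def expected_cost_of_paying(ransom=AVG_RANSOM_Q2_2019, p_tool=P_DECRYPTOR_DELIVERED):
    """Assumed model: pay the ransom; with probability (1 - p_tool) no decryptor arrives
    and you bear the full rebuild downtime anyway. Partial data loss and the higher
    chance of being hit again are not priced here because the article gives no figures."""
    return ransom + (1 - p_tool) * downtime_cost(RECOVERY_DAYS_Q2_2019)


def control_roi(control_cost, risk_reduction, expected_loss=None):
    """ROI of a control that removes risk_reduction (0..1) of the expected annual loss."""
    if expected_loss is None:
        expected_loss = annual_expected_loss()
    return (expected_loss * risk_reduction - control_cost) / control_cost


if __name__ == "__main__":
    print(f"Downtime per incident:   ${downtime_cost(RECOVERY_DAYS_Q2_2019):,.0f}")  # ~$632k
    print(f"Expected annual loss:    ${annual_expected_loss():,.0f}")                 # ~$284k
    print(f"Share of $10M revenue:   {loss_as_revenue_share(10_000_000):.2%}")        # 2.84%
    print(f"Expected cost if paying: ${expected_cost_of_paying():,.0f}")
    # Constructed scenario: a $50k/year anti-ransomware control assumed to cut the risk by 80%
    print(f"ROI of that control:     {control_roi(50_000, 0.8):.0%}")
```

Swap in your own hourly downtime cost and hit rate to get a figure for your business rather than the article's generic SMB.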
On the prevention front, you should — of course — have antivirus software, but as noted above, that’s not enough: you should also have a purpose-built solution to detect and stop ransomware in its tracks. Prevention should address some broader IT Security controls as well, such as risk assessment and vulnerability management. Some broader IT management also falls into place here, like asset management and data architecture: do you know what all your devices are and where all your data is?
Detection should be tied in with your prevention control(s). One of the aggravating aspects of ransomware is that it can look like legitimate file usage until after it has started to cause damage. Consequently, your prevention solution might stop it before it does widespread damage but still leave you to restore a handful of files.
Finally, for response, the biggest control is having a backup solution that is distributed (meaning on-site and off-site), performant, resilient (so the ransomware cannot attack it as well), and tested (so you know you can restore from it). An effective cyber-insurance policy, while technically a “risk transference” activity, can be considered part of your response, and will help account for edge cases such as a combined ransomware and data breach attack. Other general response controls, such as an incident response plan and keeping lawyers and public relations firms on retainer, can also fit into this bucket.
Ransomware is a bad problem today, and it’s only going to get worse, particularly because it is so lucrative for attackers. 2.84% of your revenue is a lot of money for any business. Fortunately, you can obtain an effective anti-ransomware system for much less. With the money you save, you can even justify a very effective information security program. BuboWerks has worked with Valiant to develop a holistic defense against ransomware at a much better value than the likely losses. Contact us to learn more!