Projecting the overall cost of a ransomware attack can be tricky for security executives considering the many factors that can come into play when responding to and recovering from one. Information from numerous previous incidents show the costs go well beyond any demanded ransom amount and the costs associated with cleaning infected systems.
Consider the following examples. The Erie County Medical Center (ECMC) in Buffalo, NY, last July estimated it spent $10 million responding to an attack involving a $30,000 ransom demand. About half the amount went toward IT services, software, and other recovery-related costs. The other half stemmed from staff overtime, costs related to lost revenues, and other indirect costs. ECMC officials estimated the medical center would need to spend hundreds of thousands of dollars more on upgrading technology and employee awareness training.
Public records show that the City of Atlanta spent almost $5 million just in procuring emergency IT services following a March 2018 ransomware attack that crippled essential city services for days. The costs included those associated with third-party incident response services, crisis communication, augmenting support staff and subject matter expert consulting services.
In Colorado, Gov. John Hickenlooper had to set aside $2 million from the state disaster emergency fund after ransomware infected some 2,000 Windows systems at CDOT, the state department of transportation, this February. In less than eight weeks, CDOT officials spent more than half that amount just returning systems to normal from the attack.
Not surprisingly, industry estimates relating to ransomware damages have soared recently. Cybersecurity Ventures, which pegged ransomware costs at $325 million in 2015, last year estimated damages at $5 billion in 2017 and predicted it would exceed $11.5 billion in 2019.
For security executives trying to prepare a total ransomware cost estimate, the key is not to get fixated on the ransom amount itself. Even if you end up paying it to recover your data—something that most security analysts advocate against—the actual costs of the attack in most cases will end up being greater.
"Data loss and loss of productivity are two of the biggest ransomware-related issues that executives need to proactively plan for," says Gary Mello, security evangelist, SentinelOne. "Projecting the overall cost of an attack needs to include loss and destruction of data, downtime and loss of productivity, and the potential for post-attack disruption to the normal course of business."
Here is a closer look at some of the more obvious and some of the less obvious costs security executives need to consider for any ransomware attack cost-calculation exercise.
Ransomware response, recovery and resumption costs
A lot of the costs that fall into this category are typical of any major security incident. Examples include the cost associated with computer investigations, digital forensics, and the identification and deletion of malware, says Reg Harnish, CEO of GreyCastle Security, one of the firms that helped ECMC after the attack. It includes the cost of fetching backups and re-imaging systems and generally restoring damaged data and systems, he notes.
Unless you have a large and qualified security response team in-house, you will need to bring in outside experts and consultants to help recover your system. You might need to augment your existing staff and be prepared to pay them for the extra time they will likely need to bring your systems back to normal, Harnish says.
Depending on the malware, you may need to upgrade or replace technology. This will have associated costs that you need to at least consider when trying to project the impact of a ransomware attack
The quality of your data backups is a huge factor. Your costs are going to be substantially greater if you don't have good quality data backups or if the attacker managed to delete or encrypt your data backups as well. "The longer you are down, the greater the costs," Harnish notes. A 2018 global ransomware study by SentinelOne found the average number of employee hours required to decrypt encrypted files or to replace encrypted data with backup data was around 40 hours—up from 33 hours in 2016.
Post ransom payment costs
Paying a ransom doesn't guarantee immediate data recovery. Even if you have good reason to pay the ransom, and if the threat actor were to provide the decryption keys as promised, you would still require a minimum length of time to recover your data, Harnish says.
In ECMC's case for example, the attack took down some 6,000 computers. If each system had a 1-terabyte drive that had been encrypted, it would have taken the better part of a week to decrypt everything, Harnish says.
Unless you have a digital wallet stuffed with bitcoin just waiting for such events, you also are going to need a little bit of time to establish and fund a bitcoin wallet. The attacker, too, will likely need some time to verify and transfer the funds.
If your organization is down and operating on paper for two weeks, then even if you are able to recover all your data you are still going to have to reconcile what you put on paper during the two weeks you were offline. All of this can add up, especially when you factor in the ransom payment as well, Harnish says. "Paying the ransom is not a panacea. "There are still expenses and it may not solve all of your issues."
Critically, even when your systems are restored after payment there's no telling how safe they are, says Jack Danahy, CTO and founder of endpoint protection vendor Barkly. "It is almost impossible to be certain that there is no remaining infection or corruption without wiping and reloading the machine," he says.
Even the recovered data files can be infected so that they remain a threat after restoration. "Since the machine and the data have to be regenerated anyway, why pay the ransom?"
Cost of downtime during and after a ransomware attack
A ransomware attack can impact your ability to do business as normal. The time your organization takes to respond from an attack represents lost business opportunity. "In all of the most damaging attacks, the victims hardest hit experienced an inability to deliver their products or services," says Danahy. Hospitals could not treat patients, technology providers could not provide their services, shippers couldn’t ship and responders couldn’t respond, he says.
In November 2016, a ransomware attack temporarily took out ticketing systems on a portion of San Francisco's public transit system. The city lost out on fares for more than a day while security engineers worked on fixing the issue. The takeaway is that "executives should model the cost of downtime of individual machines based on the impact that the absence of that machine will have on their business," Danahy says.
There are other costs associated with downtime as well. The longer your IT and security staff work on fixing the issue, the longer they are away from tasks that they would otherwise be doing.
Downstream costs of a ransomware attack
One cost that enterprises tend to overlook is the impact a ransomware attack can have on suppliers and other third parties says Mello. SentinelOne's global ransomware report showed that 46 percent of third-party suppliers to organizations in the U.S. that experienced a ransomware attack were impacted as well.
Thirty-five percent of these partners and suppliers suffered loss of productivity, while 23 percent claimed financial losses. The only country in the study where third parties were even more impacted was France. "The trickle-down economics of ransomware can have a broad impact on partners and the supply chain and is often overlooked," as a cost factor Mello says.
Reputation costs from a ransomware attack
One of the hardest costs to measure and to budget is reputation damage from a ransomware attack, says Engin Kirda, co-founder and chief architect at Lastline. A financial institution, for example, needs to be trusted by customers. "The common assumption is that the organization will be well prepared against cyber-threats," says Kirda who is also a professor at Boston's Northeastern University. "Customers that hear of a ransomware attack or a related cyberthreat may become reluctant to trust the organization."
Companies that suffer major breaches tend to attract more regulatory attention and big fines. For public companies, there’s also the potential loss of share price as an investor response to an attack, SentinelOne's Mello notes. He points to a 2017 study Oxford Economics conducted on behalf of Montreal-based CGI that showed share prices fell an average of 1.8 percent on a permanent basis at 65 public companies that suffered major breaches. For a typical firm on the Financial Times Stock Exchange 100 Index that equates to a permanent market cap loss north of $160 million.
"No organization would want to be in a situation where many media outlets are reporting on how much sensitive user data was lost. One just cannot put a price tag on this," Kirda says.
Breach costs associated with a ransomware attack
Unless you can conclusively prove that protected data was not improperly accessed in a ransomware attack, you will need to declare it a data breach. That means all the associated breach notification and crisis communication costs and potential regulatory, or statutory penalties, Harnsih says. A breach also can trigger legal and lawsuit related fees, more regulatory scrutiny, and the costs associated with complying with whatever obligations might be imposed by federal or state authorities, he says.
"For regulated industries, executives should meet with the attorneys and compliance teams to understand whether a particular ransomware campaign needs to be disclosed and whether affected users need to be notified," Danahy notes. Ransomware infections are more commonly being viewed as compliance events he says. "This can [mean] significant costs."