Ransomware demands are getting bigger and bigger.
In 2020, $30 million ransoms were breaking records. By 2021, the biggest demand had ballooned to $70 million. Yet these staggering sums arguably don’t show the real impact of ransomware.
Assessing the true cost of an incident may well start with the ransom itself – and Australian companies are more likely to pay than anyone else. But attacks also result in operational downtime, recovery costs, reputational damage, legal costs and insurance headaches. Put together, these can quickly dwarf the price of the ransom itself.
Ransomware is growing fast
While ransomware still only forms a relatively small proportion of cybercrime incidents, it hits hard. “Ransomware remains the most serious cybercrime threat,” says the Australian Cyber Security Centre (ACSC), “due to its high financial impact and disruptive impacts to victims and the wider community.”
And ransomware is affecting more and more organisations. In 2020, 48% of companies experienced business disruption from ransomware – by 2021 the figure had soared to 64%.
Worse still, ransomware keeps evolving. In the old narrative, a successful phishing attack let malware through company defences, allowing gangs to encrypt data and demand payment for the key that would restore it. Today, extortionware allows attackers not just to encrypt their victim’s data, but also to threaten to publish or exploit it. And the rise of ransomware-as-a-service (RaaS) has let criminals without technical expertise or deep pockets enter the arena and play cybercriminal with only basic computer skills. Check out the Mimecast Ransomware Kit to learn more about how dangerous ransomware is becoming, and what you can do to fight back.
Getting back on track is expensive
The ACSC and New Zealand's National Cyber Security Centre (NCSC) have guides on how to avoid and manage ransom demands. The ACSC explicitly advises organisations not to pay up, but over half of organisations still do.
Sadly, paying up only encourages further cyberattacks. Mimecast’s State of Email Security Report found that when faced with a ransomware attack, 62% of companies paid the ransom, yet nearly 30% of them failed to recover their data. With average payments topping $1 million, those who do pay are staking a significant sum on the honesty of cybercriminals. And, whether you pay or not, your problems won’t end there.
On average, companies affected by ransomware recorded four days of downtime, but for 26% it was a week or more. As we’ve seen, recovery can be a fraught and intensive process in itself. It will run alongside efforts to get critical systems, supply and sales channels operational.
Paying a ransom won’t necessarily remove malware from your network. After an attack, you’ll need to identify which systems and endpoints have been affected, and where malware may still be hiding. Only once you’ve carefully checked the nature, location and extent of the damage can you start to think about restoring your system. Malware is stubborn and may have been lurking on your network for months, while decryption is notoriously difficult.
You may need specialist support for recovery
Many organisations restore from backups, typically some combination of cloud archives and offsite storage. For complex organisations, third-party specialists are often brought in to ensure systems are clean and get them up and running again – adding a significant expense.
The best backup and recovery tools use continuous data protection, or point-in-time recovery. If you’ve installed a sophisticated, version-controlled recovery solution, you should be able to recover data right up to the point the attack hit. Such solutions don’t come cheap – but the alternative is a time-consuming, manual backup process that can miss weeks' worth of data.
There will be legal and PR implications
Recovery isn’t the only major effort in the aftermath of an attack. Reporting a ransomware incident is advised and in some cases mandatory (as proposed for major companies in Australia’s Ransomware Action Plan). You may be required to inform individuals if their data has been compromised, and if your customers or partners are spread across multiple regions, different data protection laws may necessitate different responses. The resulting work will put a strain on your administrative and legal teams.
If you’ve made the attack public, customer and media queries will follow. Depending on the scale of the incident, that may mean bringing in external PR firms and building a crisis communications team. Reputational damage can be hard to quantify, but breaches have wiped a third from stock-market value in the past. Demonstrating swift action and transparency with any attack and its aftermath may reduce any hits you take.
Insurance can help, but doesn’t offer total protection
Regular insurance policies rarely cover ransomware attacks. Where cyber insurance does cover ransomware, it should ensure you don’t suffer a direct loss from the attack. But delays in payouts may put you under budgetary pressure, and reputational damage may not be covered. Insurance helps with the costs we’ve listed above – but it’s no silver bullet.
Ransomware attacks hit company finances hard
As we’ve seen, ransomware isn’t just about ransoms. If your organisation is hit, you may incur recovery, legal and PR costs, and suffer serious downtime.
The first step is to avoid attacks and make yourself a harder target. A well-funded and well-planned cybersecurity strategy that combines technical measures with frequent user training is the best way to go. Demonstrating the impact an incident can have may help focus your board’s mind on the need for additional budget.
The second step is to respond decisively if you are breached. The right backup solution and an effective response plan can dramatically mitigate the effects of an attack. The international community is escalating its attempts to tackle the plague of ransomware, but the threat will keep evolving – it pays to stay safe and prepared.