5 reasons why the cost of ransomware attacks is rising

Not many organizations end up paying $67 million in ransomware related costs like United Health Services (UHS) did last year following a September 2020 attack that crippled its network. The organization is, however, an example of the increasingly heavy financial toll that these attacks have begun to exact from victims over the past two years.

Security experts that have been following the trend point to several factors as driving the increased costs associated with ransomware attacks, especially for organizations in the healthcare sector. One of the most obvious is an increase in the average ransoms that attackers have been demanding from victims.

An analysis of claims data from policyholders by cyber insurance firm Coalition last year showed the average ransom demand jumping 47% from just over $230,000 in Q1, 2020 to $338,669 in Q2, 2020. Some, like the operators of the Maze ransomware strain hit victims with an average ransom demand of $420,000. A study by Coveware found actual ransomware payouts skyrocketing too—from just over $84,000 in Q4, 2019 to over $233,817 in Q3, 2020.

However, the ransom itself is only part of the total cost and is often not a factor at all for organizations that refuse to accede to extortion attempts. Even for such organizations, the cost of attacks has increased steadily over the past two years or so. Here, according to security experts, are five of the most common reasons why that has happened.

1. Downtime costs

Downtime has emerged as one of the biggest—if not the biggest—costs associated with a ransomware attack. Ransomware victims can often take days and sometimes even weeks to restore systems following a ransomware attack. During that time normal services can be seriously disrupted resulting in lost business, lost opportunity cost, lost customer goodwill, broken SLAs, brand erosion and a slew of other problems. The bulk of UHS’s costs, for instance, was tied to lost income because of its inability to provide patient care services as usual and billing delays.

Such issues could get even worse. In recent months, adversaries have begun targeting operational technology networks to maximize downtime for victims and to increase pressure on them to pay. One example is an attack earlier this year on packaging giant WestRock Company, that impacted operations at some of the company’s mills and converting plants. A similar attack on Honda in 2020 temporarily disrupted operations at some of the automaker’s plants outside Japan.

Two-thirds of respondents in a survey of nearly 2,700 IT professionals that Veritas commissioned last year estimated it would take their organizations at least five days to recover from a ransomware attack. Another report from Coveware pegged the average downtime substantially higher at an average of 21 days in Q4, 2020.

Ryan Weeks, CISO at Datto, says a survey the company did last year showed that the average cost of downtime related to a ransomware attack in 2020 was a startling 93% higher than it was just one year ago. “Downtime is often immensely more costly than the ransom itself,” he says.  “The rate at which the cost of downtime is increasing really puts the ransomware epidemic into perspective.”

The company’s data showed the average downtime from a ransomware attack can cost upwards of $274,200—or much higher than the average ransom demand. This can make it tempting for organizations to simply accede to attacker demands, Weeks says. “For example, in 2018, the city of Atlanta, Georgia, was hit by a ransomware attack that cost the city upwards of $17 million dollars to recover from. However, the ransom payment itself was only $51,000,” he says.

Such numbers point to the need for organizations to have a well-considered cyber resilience strategy and business continuity plan, Weeks says. When considering a business continuity plan, organizations need to think about issues like recovery time objective (RTO)—the maximum duration of time within which business operations must be restored—and recovery point objective (RPO)—how far back in time they need to go to retrieve data that is still in usable format. “Calculating your RTO helps determine the maximum time that your business can afford to be operating without access to data before it’s at risk. Alternatively, by specifying the RPO, you know how often you need to perform data backups,” he says.

2. Costs associated with double extortion

In an especially troubling development, ransomware operators have begun stealing large volumes of sensitive data from organizations before locking up their systems and then using the stolen data as additional leverage to extract a ransom. When organizations refuse to pay, the attackers leak the data via dark websites set up for that purpose.

A study that Japan’s Nikkei conducted in collaboration with Trend Micro found that more than 1,000 organizations worldwide fell victim to this type of a double extortion attack just in the first 10 months of 2020. The practice is believed to have started with the operators of the Maze ransomware family but was quickly adopted by numerous groups including the operators of Sodinokibi, Nemty, Doppelpaymer, Ryuk and Egregor ransomware families. Seven-in-ten of the ransomware incidents that Coveware responded to last quarter involved data theft.

“The fact that many ransomware groups now steal data before they encrypt it increases the risk of a data leak,” says Candid Wuest, vice president of cyber protection research at Acronis. “This means that all the related costs such as brand damage, legal fees, regulatory fines and data breach clean up services are more likely to be needed, even if the systems were restored without any major downtime.”

The trend has upended the traditional math associated with ransomware attacks. Ransomware victims—even those with the best data backup and recovery process—now must contend with the real possibility of their sensitive data being leaked publicly or sold to rivals. As a result, victims of ransomware attacks will likely have to bear the brunt of financial penalty from regulatory bodies, says Xue Yin Peh, senior cyber threat intelligence analyst at Digital Shadows. The publishing and exposure of data stolen from victims may constitute a breach under regulations such as the EU’s GDPR, California’s CCPA and HIPAA.

“Victims might also face legal consequences in the form of third-party claims or class action lawsuits,” Peh notes. The potential for such trouble increases when the data that is stolen and published by attackers involves other organizations—such as third-party data files or client data. “If consumer data was exposed, a firm could expect costs around breach notification and as well. Cyber insurance premiums could also increase as a result of a ransomware attack.” 

3. IT upgrade costs

In the immediate aftermath of a ransomware attack, organizations can sometimes underestimate the costs involved not just in responding to the incident but also in securing the network from further attacks. This is especially true in situations where an organization might assume the best option is to pay the attackers.

“In a scenario where paying a ransom has secured the release of infected machines, victims have no guarantee that the attackers no longer have access to their enterprise,” says Migo Kedem, head of SentinelLabs at SentinelOne. They have no assurance that the attackers haven’t implanted more malware on their systems or that they haven’t sold or transferred their illicit access to another criminal group. There is no guarantee that once paid, the attackers will disinfect machines, delete pilfered data, or give up their access to the victim network.

To mitigate against further attacks organizations often must upgrade their infrastructure and implement better controls. “The hidden costs that victims fail to take into consideration are the incident response and IT upgrade costs necessary to secure that network from further attack,” Kedem says.

4. Increased costs from paying a ransom

Many companies pay a ransom assuming it’s cheaper than restoring data from scratch. That’s a mistake, say security experts. A survey that Sophos conducted last year showed that more than one-quarter (26%) of ransomware victims paid their attacker a ransom to get data back. Another 1% paid a ransom as well but didn’t get their data back anyway.

What Sophos discovered was that those that did pay a ransom ended up paying double in total attack-related costs compared to those that didn’t. The average cost of a ransomware attack—including downtime, device and network repair and recovery costs, people time, opportunity cost and ransom paid—for companies that did pay a ransom was roughly $1.4 million compared to around $733,000 for the non-payers.

The reason is that victims still need to do a lot of work to restore data, Sophos found.  According to the company, the costs associated with data recovery and a return to normalcy are roughly the same whether an organization recovers data from backup or with an attacker-provided decryption key. So, paying a ransom only adds to those costs.

5. Cost of reputational damage

Ransomware attacks can erode consumer trust and confidence and result in an organization losing customers and business. A survey of nearly 2,000 consumers from the US, UK, and other countries that Arcserve conducted last year showed 28% saying they would take their business elsewhere if they experienced even a single service disruption or experience where their data was inaccessible. More than nine-in-ten (93%) said they considered an organization’s trustworthiness prior to purchasing and 59% said they would avoid doing business with a company that experienced a cyberattack in the past 12 months.

The recent emergence of a group calling itself Distributed Denial of Secrets could soon make it harder for organizations to play down data breaches. The group, which has modeled itself along the lines of WikiLeaks, claims to have collected troves of data that ransomware attackers have leaked online and has said it will publicly publish the data in the name of transparency. The group has already published data belonging to multiple companies that it says it obtained from sites and forums used by ransomware operators to leak stolen data.