Ransomware: Exploring the Hidden Costs

The true cost of ransomware extends beyond the ransomware payment. Case and point: In early 2021, CNA Financial Corp., one of the largest insurance companies in the U.S., paid a $40 million ransom to hackers after an attack left their data compromised and the company locked out of their network. The ransom – a staggering number compared to the average ransom payment of $220,298 – was paid after two weeks of negotiations between the hackers and company leaders.

Cybercriminal activity has become more sophisticated and innovative in recent years. As noted in our 2021 Threat Report, attacks have shifted as ransomware has become more targeted, better implemented and much more ruthless, with criminals specifically targeting higher value and weaker targets. Simply put, businesses have become preferred targets because they can and will pay more to get their data back.

In most cases, ransomware isn’t the beginning of a compromise. Ransomware causes visible disruption, and so it’s typically the end state where the criminals cash in after an extended period. By the time IT teams realize there is ransomware on the network, the criminals have been watching, listening, and tampering, often for weeks or months before being discovered. During this time, they may have gained access to company financials and have developed a comprehensive understanding of what they can get away with and the ransom amount to demand. In the case of CNA, for example, hackers originally asked the company to pay $60 million to gain access back to their networks, before negotiations started.

In reality, a ransom is only one cost; there are many more costs associated with a cybersecurity breach that businesses need to consider, both financial and reputational. According to a new report from Webroot on the hidden costs of ransomware, 40% of victims who suffered ransomware attacks had to devote 8 or more hours to remediate. If a company doesn’t pay up, data might be disclosed publicly or otherwise misused. Worse, depending on what kind of data has been compromised, the consequences of exposure could include costly fines for violating privacy regulations like General Data Protection Regulation (GDPR) and California’s Consumer Privacy Act (CCPA). These fines can start at $100 per customer per record lost and increase up to flat percentages of revenue. Other ransomware fallout includes downtime and lengthy time to recover.

The fact is most organizations, no matter the size or industry, are ill-prepared for a cybercrime incident and few understand the implications of these hidden costs. The U.S. Department of Justice reported that since 2016 more than 4,000 ransomware attacks occur each day. Governments and companies are working together to break down cybercriminal infrastructure, but the need to protect against it has never been greater.

Organizations that fall victim to ransomware attacks and pay up are believed to be fueling a cycle in perpetuity, emboldening cybercriminals to continue. However, for many firms, it’s part of a “back to business” strategy to get up and running again as fast as possible. Many organizations now have insurance to cover the cost of a ransom, so it is common to find senior leaders willing to negotiate, pay and quickly get into recovery mode. And once an agreement is made, hackers often keep their word and turn over or destroy files as outlined, allowing both parties to essentially move on and walk away.

Yet, there are knock-on effects: 46 percent of businesses that experienced ransomware said their clients were also impacted, and 38 percent said the attack harmed their brand or reputation, according to the report from Webroot on the hidden costs of ransomware.

The question is not if an organization will be attacked, but when. Organizations and individuals with training, security measures, backups, and a plan can form a united defense against cyber threats that protects the overall financial and reputational risk to business, no matter what threats may lurk in the shadows. Creating this resilient approach is key in a time when ransomware is pervasive and the hidden costs of ransomware have the potential to outpace the ransom itself.