The cost of ransomware attacks

James Dyer | 16th May 2023

Ransomware attacks target organizations or individuals using malware that takes systems or data hostage until a ransom is paid on the promise that a decryption key will then be sent to the organization. There are two main forms of ransomware, non-encrypting ransomware, and crypto ransomware. Non-encrypting, or screen-locking ransomware, locks victims out of their device entirely and is the least common form of ransomware used by cybercriminals. On the other hand, the more popular crypto, or encrypting, ransomware holds the victim’s data hostage by encrypting it.

Ransomware attacks accounted for 11% of all breaches in 2022, according to the IBM Cost of a Data Breach Report. Due to its versatility, bad actors can exploit various vulnerabilities within an organization’s security to deploy ransomware, for example as a malicious link in a phishing email, through a remote desktop protocol (RDP) gateway, or via a disgruntled employee from inside the network. 

It is worth noting that 45% of ransomware attacks start with a phishing email, as cybercriminals aim to take advantage of a significant organizational vulnerability, human error. It is much easier to send phishing campaigns than uncover and exploit technical vulnerabilities, which also happen far less frequently than people interacting with phishing emails. Consequently, cybersecurity and IT leaders must address ransomware attacks with appropriate security controls (such as integrated cloud email security (ICES) to stop phishing attacks) and governance policies.

The below article explores some of the direct costs resulting from ransomware, such as ransom demand payments and data recovery, as well as indirect costs, for example lost productivity and diminished brand reputation.

The cost of ransomware attacks 

Despite the frequency of ransomware attacks increasing from 2021, there was a slight drop off in the financial impact in 2022. Ransomware statistics showed the average remediation cost, excluding ransom payments, was $4.54m — down from $4.62m in 2021. The average ransom payment totaled $812,360 per organization. However, if the ransom was not paid the overall cost to an organization was $630,000 higher, due to increased business downtime.  

According to the IBM Cost of a Data Breach Report 2022 (linked above): “A ransomware attack took 237 days to identify and 89 days to contain, for a total lifecycle of 326 days.” As a result, the cost of a ransomware attack is more extensive than other types of cyberattack.

Examples of prominent recent ransomware attacks

2023 saw some notable ransomware attacks that proved how detrimental they can be.

In February, the Florida Supreme Court was one of over 3,800 victims of a rapidly spreading global ransomware attack targeting several U.S. and Central European universities. The digital extortion campaign affected thousands of servers in Europe and was considered a significant online threat. 

On 10th January 2023 the UK postal service Royal Mail had overseas deliveries severely disrupted by a ransomware attack by Russia-based LockBit. The incident is particularly significant as Royal Mail is considered critical national infrastructure for the U.K. economy. 

In 2022, the Costa Rica government fell victim to a phishing-based ransomware attack initially targeting its finance ministry by holding taxpayer information hostage, then later taking healthcare systems offline. 

While the ransom demand peaked at $20m, the combined impact of lost productivity in the private and public sectors was estimated at $30m per day. Due to the attack, Costa Rica became the first country in the world to declare a national emergency caused by a cyberattack. 

In another high-profile ransomware attack, the largest global microchip company, Nvidia, was compromised. The hackers alleged they had access to 1TB of employee and proprietary data that they threatened to leak and managed to take specific business systems offline for two days. As part of the ransom, they demanded $1m and other unpublicized sums of money.  

Gain more insight into these and other ransomware attacks by reading our article ransomware attack examples.

Other costs involved in a ransomware attack 

Most of the costs incurred from ransomware attacks have nothing to do with the ransom demanded. Lost productivity and downtime are significant expenses brought upon organizations. Additionally, there's a recovery time required to get back-up IT systems running and get back to normal operating levels.

Organizations also face other costs and impacts that could later affect their bottom line. As well as the initial remediation of a ransomware attack, organizations must also manage public, supplier, and customer relations. It’s extremely likely that customers and supply chain partners will need to be informed about an attack, and larger scale incidents will probably be covered by the press, all of which can cause considerable damage to brand reputation that will need to be triaged with an experienced PR agency or crisis management firm. Some organizations will experience customer churn and find it more difficult to acquire new customers, which impacts revenues. Additionally, once an organization has filed a cyber insurance claim, carriers might become wary of insuring the business, boosting premium costs for the next policy period.

Increasingly, organizations are experiencing double, or even triple extortion, as cybercriminals exfiltrate sensitive data and hold onto it after the initial ransom payment. When personal data is compromised through a ransomware attack, organizations could incur financial penalties from regulators, and face class action lawsuits that can incur financial settlements and lawyers’ fees.

Defense against ransomware attacks 

According to the IBM Cyber Resilient Organization study, phishing emails are the most popular method cybercriminals use to deliver ransomware at 45%, with the next highest vector being insecure or spoofed websites at 22%. This statistic demonstrates that organizations must prioritize email security as part of a robust cybersecurity program. One way to do this is by implementing an integrated cloud email security (ICES) solution like Egress Defend, that offers broad capabilities to identify and stop phishing emails whilst increasing employee knowledge through real time teachable moments. 

Cybercriminals will also make use of other methods to introduce ransomware into an organization, from external hard drives to exploiting a vulnerability within a system. Steps you can take to ensure that your organization is secure include implementing antivirus software that is system wide to scan external devices and files coming in from another system. In addition, organizations must update their software regularly and should carry out regular penetration testing to check their defenses.