Organizations typically consider two figures when attempting to calculate the cost of a ransomware attack: the ransom demand and the cost of recovering data. But more goes into restoring a system than those two factors, judging from the recovery efforts organizations mounted following recent ransomware attacks. Temporary staff increases, consulting services and lost business productivity and revenue are a few of the other considerations that security executives need to keep in mind. To help determine the true cost of a ransomware attack, we reviewed a few to find out how much was spent on getting networks back online and what other expenses businesses incurred as a result of the attack.
What Ransomware Attacks Really Cost
Atlanta, for example, spent at least $2.6 million just on emergency IT services after a March ransomware attack crippled city services for several days. Between March 22 and April 2 the Atlanta Department of Procurement signed eight emergency contracts with a total value of $2,667,328. The contracts covered incident response services, crisis communication, incident response advisory services and cloud engineering services. The attackers who infected the city's computers with the SamSam malware demanded a ransom that was worth around $50,000 in bitcoin at the time.
Recovering from a February ransomware attack has been a slow and expensive process for Colorado's transportation department, or CDOT. The agency has spent between $1 million and $1.5 million just to partially recover from the incident. That's nearly all of the $2 million the state government allocated to help CDOT fully recover from the incident, which left more than 2,000 computers infected. Containing the ransomware infection took two weeks, and restoring CDOT's operations took another two weeks, said a department spokeswoman. Repairing CDOT's network required help from information security consultants and federal agencies. Between 50 and 150 people were working on restoring the network at any given time, said the spokeswoman.
Cybereason's research shows that ransomware infection rates peaked in 2015 and have declined consistently since, but the threat is still potent. The damage costs associated with ransomware attacks are predicted to climb: according to Cybersecurity Ventures, ransomware damage costs will reach $11.5 billion by 2019, up from $325 million in 2015 and $5 billion in 2017.
Paying the Ransom isn't Necessarily a Panacea
While some organizations may choose to pay the ransom (a move that's discouraged by law enforcement, since a payout only encourages attackers to launch more ransomware attacks), doing so doesn't necessarily lead to a quick and easy resolution.
Organizations will likely need to set up a bitcoin wallet to pay the attackers, a process that can take a few days. And attackers will need a few days to verify and transfer the funds. Even assuming that the attackers provide the decryption key, decrypting hard drives takes time. The more data on a drive, the longer it will take to decrypt, said Cybereason's research team, who added that a 1TB drive will take about a week to decrypt. And keep in mind that an enterprise may have hundreds or thousands of computers to decrypt.
Plus, paying the ransom does little to bolster an organization's security posture and possibly leaves it more vulnerable to future attacks. Security incidents, including ransomware attacks, can be used as an opportunity to improve information security practices, show other executives and the board why security matters and even help boost a CISO's budget. But paying the ransom may cost a security leader that chance.
"When there was a crisis that's when there was more interest in what we did and people were more receptive to hearing how to fix this. If something went wrong, you almost always have improvements in your security as a result," said Bob Bigman, former CISO at the CIA.
The Cost of Downtime
The time organizations spend restoring systems following an attack represents lost business opportunities. If computers and servers are offline, hospitals can't treat patients, law enforcement can't work on active investigations and delivery companies can't ship goods. Of course, this downtime can also impact revenue. San Francisco lost out on subway fares for nearly three days in November 2016 after a ransomware attack took down part of the public transit system's ticketing system. In Atlanta, revenue collection was hindered following the attack since residents couldn't pay their water bills.
There's also a personnel cost associated with downtime. When security and IT personnel are restoring a system, they're diverted from their regular duties. Inevitably, this leads to a backlog of work. In some cases, contractors or consultants may need to be hired to handle the work that's not being completed while networks are brought back online.
The Cost to a Company's Reputation
For some organizations, the damage from a ransomware attack goes beyond figures and includes brand reputation. While this metric is hard to measure, some security leaders realize that a security incident may tarnish a brand and turn off potential customers.
"We're dealing with data. The brand is really important when it comes to people trusting you with their data. It's not just a numbers thing for us. It's also who we are," said Mario Duarte, vice president of security at Snowflake Computing.
Figuring out how much the damage from a ransomware attack will cost a company requires taking a holistic view of the organization. Consider how the downtime will impact revenue, the company's brand and staffing levels. And set realistic expectations about how long it will take the organization to be back online after a ransomware attack. Even if a company pays the ransom, normal business operations may not be restored for a week or longer.
Thank you to Fred O'Connor of Cybereason for the article