Paying For It: How to Cost Out a Ransomware Attack

Almost every IT project must, at some point, run the financial justification gauntlet. Even initiatives with broad organizational support, like ransomware mitigation, aren’t immune. IT security projects can be tougher to justify because they don’t typically reduce costs or increase revenue. Asking for data security funding triggers skepticism in many CFOs.

If you want to smooth the way to data security nirvana, there are two questions you need to answer. How much risk are you avoiding? And how much should you spend?

At our customer’s request, Concentric recently surveyed the latest research into ransomware costs, such as downtime, forensics, and expected ransom payments. Big Bitcoin transfers make the headlines, but it turns out downtime is the biggest ransomware cost driver. Here’s what we learned.

  • Extortionists are getting bolder. Average ransom demands continue to rise. According to a recent study by Palo Alto Networks, the average ransom paid in 2020 was up 171% over the previous year. Perpetrators of the Maze ransomware variant demanded an average of $4.8M.
  • Ransom payouts are rising too. In 2019, the average ransom paid across organizations of all sizes was about $115k. In 2020, that number jumped by over 150% to $312k (from the same PAN study).
  • The real financial pain isn’t the ransom, it’s the recovery. Baltimore, for example, was hit by a cyber extortionist demanding $76k. The actual damage to Baltimore’s finances topped $18.2M. Atlanta had a similar experience. A 2018 attack with a $52k ransom demand led to recovery costs exceeding $17M.

Unfortunately, anecdotes and averages don’t say much about your specific situation. Larger companies face larger ransom demands. If you’ve hardened your systems, you’ve also lowered the odds of a successful attack. If you have an ace forensics expert on staff, you’ll reduce your recovery costs. And so on. Estimating your exposure to ransomware costs is not one-size-fits-all.

A manageable model groups ransomware costs into three buckets: direct ransom costs, downtime costs, and forensics/recovery costs. Your exposure to these costs is a function of five factors: company size, ransomware hardening, recovery preparedness, forensics expertise, and downtime cost rates. And while investments in data security won’t change two of these five factors (company size and downtime cost rates), they can have a dramatic effect on the other three. Here’s how.

Ransomware Hardening

Hardening against ransomware lowers the odds of a successful attack and reduces the amount of damage should one occur. A comprehensive hardening program would include, at a minimum, these activities:

  • Staff training to teach employees how to spot phishing attacks and avoid risky Internet activities.
  • Centralized and maintained anti-phishing defenses
  • Anti-malware on endpoints and network perimeters that’s routinely updated and used by everyone
  • Least-privileges access control discipline for data, networks and applications
  • Privileged account control that incorporates multi-factor authentication

Recovery Preparedness

Time is of the essence if you’re confronting an in-progress attack or demands for ransom. Your ability to recover can spell the difference between a relatively minor incident and expensive downtime. Here are some factors that enhance your own recovery preparedness:

  • Data inventory that provides insights into data locations, access, and business criticality
  • Comprehensive, system-wide data backups
  • Centralized management of all backup activities
  • Recover-from-backup plans in place with organizational readiness to implement them quickly

Forensics Capabilities

If ransomware impacts your organization, it’s essential to understand what’s been compromised, how the attackers penetrated your systems, and how to eliminate vulnerabilities that made the attack possible. Many organizations can’t afford to staff skilled forensics professionals and are forced to rely on external resources when the need arises. These are the factors that will lead to lower costs for forensics analysis:

  • Trained, in-house forensics experts with a knowledge of your IT systems can complete required forensics activities quickly and without incremental expenses
  • Should you need external forensics resources, expect higher recovery costs and delays

Once you’ve assessed your organization’s current readiness, you can make better estimates for the likelihood of a successful attack, downtime exposure, forensics costs, the potential for you to negotiate a lower ransom, and other factors that can help you make an accurate case to your financial team.

Concentric now has a spreadsheet-based ransomware cost model combines your answers with current industry research to estimate costs your organizations might face. As with any model of this type, your best bet is to take our suggestions as starting points for your own situation.

If you’re interested in learning more, or getting access to our cost model, let us know and we’ll help you come up with your own research-based ransomware cost estimates. We look forward to working with you!

Get the latest from Concentric!