31 March 2023  —  Acronis

The cost of ransomware: Why every business pays, one way or another

Acronis Cyber Protect
formerly Acronis Cyber Backup

Ransomware is one of the most devastating cyberthreats businesses face today. It can cause irreparable damage to a company’s systems, data, and reputation, and the financial harm can be severe.

Let’s explore the financial significance of ransomware attacks, which go well beyond ransom payments. Even victims who refuse to pay will incur substantial expenses and lost revenue for the duration of the incident itself, throughout the containment and recovery process, and potentially for weeks and months afterward.

How businesses may be affected financially

Ransomware attacks can have a disastrous financial impact on businesses through both direct and indirect costs. Direct costs typically include the cost of any ransom paid (in return for a decryption key to unlock encrypted data, a promise not to follow through on threats to leak stolen data, or mount a denial-of-service attack on the business’s public servers, etc.), as well as the cost to hire experts to remove the malware and restore affected systems. Indirect costs may include lost productivity and revenue due to downtime, damage to reputation, compliance violation fines and legal expenses.

Direct costs

One of the steepest ransoms to become publicly known was the $70 million demanded in the Revil ransomware attack on software vendor Kaseya. Ransom demands vary widely depending on the attacker’s sophistication and how much intelligence it has gathered on how much the target can afford to pay — varying from thousands to tens of millions of dollars.

The ransom demand is sometimes determined as a percentage of the target company's yearly revenue (usually 3%).

According to experts' estimates, the ransom payment only accounts for a small portion — often as little as 15% — of the overall costs associated with the ransomware attack.

Indirect costs

The cost of downtime and recovery of lost data after a ransomware attack typically comprises a much larger part of a ransomware attack's overall expenditures. After a ransomware incident, the average business experiences a recovery period of 22 days of downtime to resume operations. The average cost of downtime can frequently amount to fifty times more than the ransom demand.

In the wake of a ransomware attack, the entire company must shift its attention to recovery, from the IT operation teams restoring encrypted or damaged data and restarting operations to teams from marketing, legal, HR and other organizations handling crisis messaging. Additional ransomware costs may include lost sales opportunities, reduced product or services output, reputational harm, fees for external consultants and contractors to speed recovery efforts, loss of equity in publicly-traded companies, fines by regulatory agencies for failure to protect customer data or other compliance violations, penalties paid to clients for failure to meet service level agreements, and so on.

Additionally, ransomware attacks reveal weak points in a company's cybersecurity defenses, necessitating an analysis of forensic data to identify the vulnerability that enabled the attack, the construction of a plan to close those gaps so as to prevent the recurrence of a similar attack, and then the necessary additional investments in cybersecurity technology, processes, and people skills to execute the remediation plan.

The average global cost of a data breach — not including the actual ransom payment — is expected to reach $5 million in 2023.

Estimating the cost of ransomware attacks

There is no one-size-fits-all answer when estimating the cost of destructive cyberattacks. The financial loss suffered by companies can vary greatly depending on several factors, including:

  • The type of data encrypted or compromised in the attack. If critical data is encrypted, the company may have to pay a ransom to get it back or address the costs of replacing it if it cannot be recovered from its encrypted state.
  • Regulatory fines, especially if particularly sensitive data is lost or exposed.
  • Lost productivity, revenue, and other costs associated with the organization’s inability to conduct normal business operations.
  • Reputational damage. Customers and partners may choose to reduce or end their relationship with the business over fears about data security; sales prospects may delay or walk away from pending deals; negative publicity may adversely affect investor confidence and the stock price.

By taking the time to review all of these factors, companies can get a better idea of how much a successful attack by a ransomware gang could cost them in the short and long term, and why it’s necessary to have an incident response plan in place.

When companies pay a ransom, they may believe they are fully eliminating the risk posed by the cyberattack. This is a dangerous illusion for several reasons:

  • The attackers may still have active access to the company's systems and data.
  • The attackers may have exfiltrated sensitive data that they could release publicly if not paid.
  • Paying the ransom does not guarantee that the attackers will not launch future attacks.
  • Paying the ransom may encourage other attackers to target the company.

Real-world ransomware attack examples

There are many examples of the financial impact of ransomware attacks on businesses in every industry, in every geography, of every size.

According to the U.S. Justice Department, roughly 75% of all ransomware cases involve small businesses. And recent research shows that 60% of the small businesses that are cyberattack victims go out of business within six months.

  • In September 2022, the Hive ransomware gang claimed responsibility for four victims within one week. Attackers gained access to the systems of Empress EMS (Emergency Medical Services), a New York-based emergency response and ambulance service provider. Over 320,000 individuals were affected by this incident.
  • Damart, a French clothing company with over 130 stores across the world, was hit by a ransomware attack in 2022, where the attackers demanded a ransom of $2 million. As a result of the ransomware infection, their ability to process new orders was impaired, and customer support was made unavailable.
  • Nvidia suffered a ransomware incident in 2022 that leaked employee credentials and proprietary information online. The ransomware group Lapsus$ claimed to have exfiltrated one terabyte of data from the company and demanded a ransom of $1 million plus a percentage of an unspecified fee.
  • Lincoln College in Lincoln, Illinois had to close its doors following a ransomware attack in December 2021, locking up all of its systems for recruiting, retention and fundraising.

These examples illustrate the varying financial impact and true cost that ransomware attacks can have on businesses, depending on the size and type of business, the extent of the attack, and the response to the attack.

The Healthcare sector is often a target of Ransomware attacks

Breakdown by sector

Ransomware attackers target victims in every industry, though certain vertical sectors are favored for their vulnerability to specific external pressures, e.g., healthcare, finance, government, education and technology.

Healthcare industry: Hospitals often have sensitive patient data that attackers can exploit, and many are less well-protected than other industries regarding cybersecurity. Locking up healthcare delivery systems can put patients’ lives at risk.

Finance: Banks and other financial institutions store confidential customer data. Attackers can then use this financial data to extort money from victims or commit identity theft. Industry and government regulators can impose stiff penalties on firms that violate compliance rules on data privacy.

Government agencies: Government institutions and agencies often possess or manage critical infrastructure data or classified information, and attackers can use this data to blackmail victims or disrupt operations. Political leaders are sensitive to public reactions to critical constituent services going offline for extended periods.

Education institutions: Educational organizations often retain personally identifying information (PII) or research papers. Attackers can use this information to extort money from victims or sell it on the black market. Budget and IT staffing constraints, as well as the tendency of students to be careless with the websites they access and applications they download, create a tech environment with far more vulnerabilities than is typical of the commercial world.

Technology: Tech companies suffer many of the same issues as other businesses: they may struggle to keep up with patching of known vulnerabilities and counter the latest security threats. But their risk of reputational harm is greater than non-tech businesses: customers, prospects, and partners are likelier to flee a tech company that is known to have suffered a successful ransomware or other malware attack.

Ransomware demands keep rising

According to a recent report, ransomware attacks surged drastically in 2022 — 25% of all breaches involved ransomware. Additionally, ransomware affected 66% of organizations in 2021 — an increase of 78% over 2020.

The average ransom demand has dramatically increased as attackers realize that many organizations are willing to pay to avoid the significant disruption and costs associated with a ransomware attack. For instance, The Washington Post reported that ransomware payments spiked 70 percent in 2021.

The advent of cryptocurrencies like Bitcoin are another major enabler of ransomware gangs’ success and ability to continue to operate unimpeded by law enforcement. Ransom payments in cryptocurrency are difficult to trace and can be easily converted into cash. In addition, many cybercrime businesses largely operate through the dark web.

Data exfiltration on the rise

Ransomware attackers are no longer relying solely on encryption attacks to extract ransoms from their targets. Increasingly, attackers quietly exfiltrate a significant amount of sensitive data prior to triggering the ransomware attack. Whether or not the victim is willing to pay for the decryption key, they are much more likely to pay to prevent the attacker from leaking sensitive data online and exposing the business to various kinds of legal, reputational, and compliance risks.

There have been numerous examples of such attacks. For instance, Optus, a subsidiary of Singtel and Australia's second-largest mobile operator (with over 10.5 million subscribers), suffered a security breach in September 2022. Attackers claimed to have obtained the data of 11 million customers, and demanded $1 million in ransom.

Marriott International revealed that the private information of 500 million guests was stolen in a data breach in 2022. When Twitter was hacked dozens of high-profile accounts were taken over in an attempt to scam people out of cryptocurrency.

What is the global cost of ransomware?

The average ransomware payment is difficult to estimate precisely. Not all attacks are reported, and the costs incurred can vary widely depending on the size and nature of the target organization, the amount of data encrypted, and the ransom demanded. However, some estimates suggest that the cost of ransomware attacks could be billions of dollars per year.

According to the Acronis 2022 End-of-Year Cyberthreats Report, the average total cost of a data breach in the United States was nearly $9.5 million. As mentioned earlier, the average cost per incident worldwide is expected to surpass $5 million in 2023.

In their 2022 Ransomware Market Report, industry analysts Cybersecurity Ventures predict that ransomware will cost its victims an aggregate of $265 billion a year by 2031.

What percentage of ransomware victims pay the ransom?

According data compiled by Statista in a 2022 survey of global IT professionals, around 72% of respondents paid a ransom and recovered their compromised data.

However, compared to 2021, ransomware payments declined by more than 40% during 2022, as victims resisted paying their extorters, according to blockchain analysis firm Chainalysis. According to the firm’s 2023 Crypto Crime Report, ransomware attackers extorted $456.8 million from victims in 2022. This represents a significant decline from $765.6 million in 2021, and $765 million in 2020.

Does insurance cover ransomware?

Cyber insurance policies may cover ransomware attacks, but the specific coverage and terms of these policies can vary depending on the insurer and the policy purchased. For example, some policies may cover ransom payments, while others may only cover the costs of restoring data or systems.

However, while many cyber insurance policies cover ransomware attacks, rates for these policies have dramatically increased in recent years. This is due to the rising number of cyberattacks taking place around the world. Insurance companies have a better understanding the risks of doing business online, and are charging higher insurance premiums as a result.

How much does it cost to recover from a ransomware attack?

The price of recovering from a ransomware attack can vary widely depending on the scope and severity of the incident, and paying a ransom is not the only cost involved.

Ransomware recovery costs include expenses related to data recovery, system restoration, legal and regulatory compliance, and reputational damage, not just the actual ransom payments. According to some reports, the average cost of a ransomware attack is $4.54 million — not including the cost of ransom payments, which average $812,360.

There are a number of methods that can be used to recover from a ransomware attack, but the most important requirement is to have a good backup and disaster recovery strategy in place so that you can restore your data if it is encrypted.

You should also have antivirus, anti-malware and two-factor authentication software installed to prevent the initial infection. In addition, it’s important to take steps to prevent repeat attacks from occurring, as the cost of prevention is typically far lower than the cost of recovery.

Strategies to prevent ransomware attacks

Not only do large enterprises with considerable resources fall victim to cyberattacks, but these attacks also affect smaller businesses with tighter budgets and less expertise.

No matter your organization’s size, it is vital to have a robust backup and disaster recovery plan in place to ensure business continuity. This enables quick restoration of your data in the event of a system compromise.

Other important ways to protect your data include:

  • Educating employees about ransomware and how it works. Employees should be aware of the risks associated with opening email attachments and clicking on links from unknown sources.
  • Implementing security measures such as firewalls, intrusion detection and prevention systems, multifactor authentication and email filtering.
  • Keeping systems and software up to date with the latest security patches. This will help to close any known vulnerabilities that attackers could exploit.

Ransomware is an evolving threat, and small businesses should take proactive measures to protect against financial loss.

By investing in cybersecurity solutions, training staff to spot suspicious activity, having reliable backups for data recovery, and a comprehensive plan to deal with these threats, businesses can reduce the costs associated with ransomware attacks.

How Acronis Cyber Protect can help stop ransomware attacks

Acronis Cyber Protect is an integrated and cost-effective cyber protection solution that uses artificial intelligence (AI) to detect malicious activity and prevent businesses from falling victim to ransomware attacks. It works by analyzing the behavior of files and applications on a system, terminating malicious processes, and automatically reversing any damage done.

It includes a robust anti-ransomware engine that proactively detects and blocks attempts to encrypt or delete your data, and protects against other types of malware. In addition, Acronis Cyber Protect can quickly restore any data encrypted by ransomware — it includes best-of-breed data backup and disaster recovery capabilities, making it a valuable tool for businesses.

Want to see Acronis Cyber Protect in action? Start your 30-day free trial today!

About Acronis

A Swiss company founded in Singapore in 2003, Acronis has 15 offices worldwide and employees in 50+ countries. Acronis Cyber Protect Cloud is available in 26 languages in 150 countries and is used by over 20,000 service providers to protect over 750,000 businesses.

More from Acronis