The Cost of a Ransomware Attack

According to a new report, the average cost to recover from a ransomware attack has skyrocketed to more than $80,000.

Cybersecurity company Coveware’s quarterly Ransomware Marketplace report has revealed that the average number of days a ransomware incident lasts has risen from 12.1 days in the third quarter of 2019 to 16.2 days in the final quarter. This higher downtime is attributed to the rise in ransomware attacks on big businesses, which often take many weeks to get back on their feet. The costs of ransomware can vary. As well as the cost of the ransom if it is paid, costs are also incurred while a network and its hardware are being repaired, and there can also be potentially costly brand damage. The third and fourth quarters of 2019 saw the average ransom payment increase by a shocking 104%, from $41,179 in Q3 to $84,116 in Q4. This suggests that cybercriminals are starting to focus on attacking larger businesses with the ability to pay higher ransoms; the Ryuk and Sodinokibi ransomware families in particular have moved into targeting large enterprises in the hope of extorting a seven-figure ransom.

On the other end of the spectrum, there are ransomware variants that target smaller enterprises, like Snatch and Dharma, where the ransom is typically much lower, around a few thousand dollars. Our general advice is that you should never give in to the demands of cybercriminals, as this only encourages new and more complex forms of ransomware to be developed. However, in some circumstances – for instance, when recovering from a backup isn’t possible, or there is no decryption tool available – the victim might be forced to pay the ransom.

If a business does decide to pay the ransom, there’s no guarantee that the outcome will be favourable. Firstly, does paying the ransom actually result in the decryption tool being delivered as promised? Secondly, if the decryption tool is delivered, how effective is it at decrypting the data? Coveware found that the vast majority (98%) of companies that paid the ransom received working decryption tools, but a small minority didn’t. The Phobos, Rapid, and Mr Dec ransomware families in particular are known to default on delivery after the payment has been made. Before handing over any payment, then, any victim of ransomware should seek out information on the actor to ensure they will follow through on their promise. On the issue of decryption tools actually working, Coveware found that 97% of encrypted data was successfully decrypted by the average ransomware victim. Better outcomes are seen with the more sophisticated types of ransomware like Ryuk and Sodinokibi, whose operators are more careful with the way they encrypt data.