The Hidden Costs of Ransomware

Ransomware is one of the world’s most significant cybersecurity challenges – costly in direct financial terms, and in ways that go well beyond the ransom itself.

In recent years the scale of ransomware has grown massively; in 2021, two out of three organisations reported a ransomware attack, almost double those reported in 2020. Of the “successful” ransomware attacks, where data is successfully encrypted, the average ransom demanded increased almost fivefold to $812,360 during the same period. As well as financial costs, which are more far-reaching than the ransom itself, there may also be other costs such as damage to brands and psychological impacts on employees.

So what are the monetary costs associated with ransomware? Let’s start with the ransom itself. The 2022 State of Ransomware Report found that the share of businesses paying ransoms of $1 million or more increased from 4% in 2020 to 11% in 2021. At the lower end of the scale, the portion of victims paying ransoms of less than $10,000 decreased from 34% in 2020 to 21% in 2021.

In short – cybercriminals are increasingly demanding more money from their victims, and they are not letting smaller businesses off lightly either. A recent study by Sophos found the average ransom to be $570,000, while another study by Palo Alto put the average at $812,360. The vast majority of governments and cybersecurity organisations around the world advise that you should not pay the ransom under any circumstances; in the US, paying cybercriminals a ransom is actually illegal. If the ransom is paid, there is no guarantee that a working decryption tool will be provided. Additionally, caving to the demands of cybercriminals only serves to encourage the practice and drive up ransoms for future victims.

Other than the financial costs associated with paying the ransom, your business could also find itself in hot water legally. Increasingly, cybercriminals are adopting a two-pronged approach: they not only encrypt data but steal it too, threatening to leak compromising or personal data onto the dark web unless the ransom is paid. As well as increasing the likelihood of the ransom being paid, this stolen data can also be sold for a profit. If confidential data is leaked, your organisation is exposed to a whole host of class-action lawsuits and settlements from aggrieved customers. Regulatory and legal fines for data protection breaches can also be incredibly hefty.

There are also reputational costs that can arise from a ransomware attack, leading to stunted growth, lost customers, and fewer business opportunities. The National Cyber Security Alliance found that 60% of small and medium-sized businesses go out of business within six months of falling victim to a cyber-attack, with 90% of organisations saying the attack had affected their ability to function.

Data Recovery