Quantifying the real cost of ransomware attacks can be difficult. Contributors can include the ransom itself, cyber insurance, downtime and lost revenue, remediation and recovery, and regulatory fines, as well as qualitative factors such as reputational damage or customers’ mistrust of the organization. The true cost of a ransomware attack can continue to accrue long after the immediate aftermath.
Paying the Ransom
It’s not uncommon for victims of a ransomware attack to pay the ransom in order to get back to business as quickly as possible. In fact, more than one quarter of organizations pay the ransom in order to get their data back, according to Sophos' The State of Ransomware 2020 study, and the average cost to remediate a ransomware attack totals $761,106 USD globally. This includes downtime, device cost, network cost, lost opportunity, the paid ransom, and more. The survey also found that smaller companies—those with fewer than 1,000 employees—paid close to half a million dollars less than organizations with 1,001-5,000 employees. According to the Sophos survey, on average, 64% of organizations have ransomware insurance. Of the organizations that paid the ransom, 94% stated that insurance covered the cost.
Cost to Rebuild
Organizations that elect not to pay the ransom are often faced with an even higher expense of recovering from an attack. Recovering a database to a clean and secure environment can mean the difference between secure infrastructure and a second outage. When customers aren’t able to use a platform or purchase products, this can amount to hundreds of thousands of dollars in lost revenue for every minute of an outage. Additional recovery costs can include:
- Infrastructure rebuilding
- Employee technology security review
- Data recovery services
- Employee education
Reputation and Brand Damage
When recovering from a breach, the damage to an organization’s reputation can mean a loss of half their customer base. A tarnished reputation with current and future customers can be irreparable.
U.S. Civil Penalties
Further complicating the matter, an Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments, issued in October 2020 by the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC), reaffirmed that “companies that facilitate ransomware payments to cyber actors on behalf of victims...not only encourage future ransomware payment demands but also may risk violating OFAC regulations.”
In an effort to discourage organizations from funding criminal endeavors, OFAC has designated actors responsible for ransomware such as Cryptolocker, SamSam, WannaCry 2.0, and Dridex malware under its sanctions programs and prohibits U.S. persons from transacting with such entities. This means that if a ransom is paid to a person that is prohibited under sanctions laws and regulations administered by OFAC, civil penalties may be imposed on the victim, even if it was not known that the bad actor is considered a blocked person, is on OFAC’s Specially Designated Nationals and Blocked Persons List, or is covered by country or region embargoes.
According to The National Law Review, “Entities that violate these laws without a license from the Department of Treasury could face a fine of up to $20 million.”
If data taken in a ransomware attack is leaked, organizations are left dealing with a breach that requires notification under GDPR and other privacy laws, and they may be subject to fines of up to 4% of annual turnover or €20 million per event, whichever is higher.
Encrypting data at rest, in addition to encrypting it in transit, ensures that the data has no value outside of the organization and therefore removes the incentive for bad actors to release it on the web. Of course, the cybercriminal could still encrypt an organization’s already-encrypted data in order to extort a ransom, but in this case the attacker would not be able to threaten the organization with additional repercussions such as GDPR and other privacy law fallout.
What to Do
Ideally, the best way to avoid these costs is to prevent or bypass the fallout of a ransomware attack in the first place. Of course, that's often easier said than done. One of the most compelling reasons for having data and processes in the cloud is that cloud providers supply easy-to-use backup options and the ability to quickly restore systems to an earlier version. Yet, while moving data to the cloud solves many problems, it sometimes introduces new challenges, and organizations need to be aware of configuration options and activity monitoring that are unique to the cloud.
Learn more about the complexities and best practices of protecting data in public cloud databases from ransomware attacks in our white paper Ransomware and The Cloud.