The hidden costs of ransomware

The catalogue of high-profile ransomware attack examples is growing larger and becoming more alarming every day, affecting everything from gas pipelines to transport and technology firms. And as the range of targets for ransomware attacks grows, the average value of ransom payments being demanded by cyber criminals is also skyrocketing. In fact, the average ransom payment was approximately $220,000 in the first quarter of 2021, up from $6,733 at the end of 2018.

Ransomware has become more targeted, better implemented, and much more ruthless, with criminals specifically targeting higher value and weaker targets to gain larger financial rewards. It’s clear that larger organisations have become preferred targets because they can and will pay more to get their data back – in fact, the world’s largest meat processing company recently paid $11m (£7.8m) in ransom to put an end to a major cyber attack.

However, hidden costs associated with these attacks can be just as significant as the ransom payment. It is becoming more complex and expensive for businesses to recover from these attacks, and recovery often leaves a significant dent in operating budgets.

Although some companies follow some cyber security best practices, security issues often exist because the threat surface area is now so large – and cyber criminals are experts in exploiting the gaps. This is why businesses must understand the hidden costs of ransomware to be aware of and how to protect against them.

How to eliminate ransomware risk, not just manage it

Raghu Nandakumara, field CTO at Illumio, discusses how ransomware risk within organisations can be eliminated, not just managed. Read here

Recovery of data and operations

Once inside a network environment, ransomware replicates and spreads, causing more damage as it propagates. Some businesses spot and remediate straight away, but for others the infection doesn’t reveal itself for 24 hours or more.

The further ransomware spreads, the longer it takes to mitigate. Every infected device requires additional man-hours. Spreader capabilities or lateral movement multiply the work involved exponentially. In best-case scenarios, a ransomware infection that is caught early may only require a few man-hours to remediate. We’ve found that more than 40% of businesses that suffer a ransomware attack spend eight or more man-hours on remediation efforts.

Not only does the cost of ransomware remediation include the work hours required, it includes the opportunity cost of diverting IT resources away from other strategic priorities – which can be harder to quantify – as well as the cost of downtime.

The cost of downtime varies widely depending on the nature and size of the business, risk tolerance and vertical – but we estimate costs can run around $10,000 per hour for small and midsize businesses and up to $300,000 per hour for large enterprises.

Brand and reputational damage

Like ransomware, downtime also entails hidden costs. If either extends to external customers, the reputational harm and diminished brand equity can exceed both the ransomware payment and the operational costs associated with an attack.

In addition, customer loyalty is increasingly fickle. According to one study, 61% of consumers switched some or all of their business from one brand to another in the last year, and 77% admitted they now retract their loyalty more quickly than they did three years ago.

Many businesses are continually assessing their cyber risk profile and proactively managing their defences. However, it is also vital that they put measures in place to mitigate the impact of a cyber attack on their reputation and brand, which means preparing a proactive, effective and instant crisis communications response.

Q&A: Splunk EMEA VP discusses European perceptions of consumer data

Frederik Maris, vice-president, EMEA at Splunk, spoke to Information Age about the split European perceptions around data. Read here

Defensive measures

The best-prepared businesses are the ones that can refuse to pay ransom demands because they are able to recover their data. Of course, the best way to be able to recover data is to back it up. But deploying backup isn’t the only defensive measure businesses should consider. Gaps in protection must be closed to ensure the resilience of the entire system.

A meaningful security posture starts with preventative security measures and a defensive in-depth data protection strategy. This starts by looking at the attack vectors that could lead to a ransomware infection.

We find the most common threat vector is often an organisation’s employees themselves, who may inadvertently visit malicious websites, click on phishing email links or attachments, or disclose their login credentials.

Security awareness training is therefore the most effective way to address the common threat vectors that lead to successful ransomware attacks. Training employees with phishing simulations is more effective when conducted more frequently, and we’ve found that after 12 sessions click rates on malicious links and attachments can drop up to 50%.

Alongside this, businesses can ensure cyber resilience by undertaking an external security audit to identify software vulnerabilities, implementing two-factor or multi-factor authentication to minimise credential theft and deploying internet threat intelligence and DNS filtering to block malicious sites.

Ultimately, having a strong security posture in place to protect against ransomware infections in the first place is crucial to mitigating costs. Some companies now consider paying ransoms to be a cost of doing business. They prepare in advance for inevitable ransomware attacks, such as having Bitcoin on hand or acquiring it immediately so that they can pay ransoms quickly.

But it doesn’t have to be this way. The true cost of ransomware infections includes more than just the ransomware payment – and organisations need to ensure they have full protection in place or risk paying the price.

Written by Kelvin Murray, senior threat research analyst at Webroot

Editor's Choice

Editor's Choice consists of the best articles written by third parties and selected by our editors. You can contact us at timothy.adler at

Related Topics

Cyber Attacks