Ransomware costs an estimated $169 billion per year
In the title, I have given a financial cost, but the cost could also be in terms of someone’s life, as a ransomware attack against a hospital could put lives at risk.
The true cost of ransomware?
The true cost of a security incident is difficult to estimate, but some attacks such as ransomware allow for a tangable appraisal of the impact. Emisoft have now tried to quantify the costs for recent attacks [here]. For 2019, they focus mainly on the US, and found that, at least, 966 government agencies, educational establishments and healthcare providers were infected by ransomware and that the potential cost is greater than $7.5 billion. This included 113 state and municipal governments and agencies, 764 healthcare providers, 89 universities, colleges and school districts (with 1,233 individual schools affected).
Estimated demands and costs
For 2019, Emisoft estimate a total ransomware demand of over $25 billion (Table 1), and with the US, Germany and Italy suffering the largest number of demands.
But the cost of the ransomware does not tell the full picture, as there is an impact in downtime costs. The estimated overall cost now rockets to over $169 billion (Table 2).
Within their analysis, Emisoft discovered that the STOP ransomware was the most popular type, and that the average ransomware demand was $84,000. But, in 2020, they have observed that the demands have increased significantly. They also think that 33% of companies pay the ransom demand, and that the average downtime is 16 days. Their estimate for a daily cost is pegged at $10K per day. In many cases, this cost will be MUCH higher.
The public sector
Emisoft are fairly damming in their coverage of ransomware incidents, and give the observation that while there were attacks against 966 public sector agencies, there was not one disclosure against a bank. While equally a target, banks tend to have better defences, and Emisoft point to the public sector perhaps adopting best practice within their security infrastucture. Two core areas of focus are perhaps to enable MFA (Multifactor Authentication) on their systems — as this has been proven to thrawt at least 99.9% of all account comprises — and enable backups.
But Emisoft highlight that organisations should be careful around a reliance on backups, and where the recovery of files is often not an easy thing. The recovery process often requires days, weeks or even months of painful restoration. This, of course, is not good within areas which require no down-time, such as in hospitals and criminal justice.
Emisoft have an insightful viewpoint and observe that those with cyber insurance may be more ready to pay the ransom. But this could be counter-productive, as it insentivizes cybercriminals. A proper investment in defence, and an investment cyber insurance, together, are possibly the best strategy. They define thus that cyber insurance is not an alterative to proper investment in security.
Emisoft also highlight that the double whammy attack, and where an attack both encrypts the files locally, and also exfiltrates some of the data off the site. This results in a double ransom demand, for the decryption of the files, and for the deletion of the exfiltrated data (of which it is difficult to know if it has been done successfully). As the public sector often has personally sensitive information, this could cause a major data leakage incident.
Emisoft’s main conclusions are:
- Improved security standards and oversight: Government agencies often have weak security, and poor auditing. Emisoft have generally defined that
- More guidance: Emisoft define that there needs to be improved baseline security levels, and that investment needs to be targetted.
- Security debt and funding: Many government departments have been underfunded in terms of their cybersecurity infrastructure, and perhaps funds needs to be redirect, or funding increased in key areas.
- Closing the intelligence gap: Government agencies often do not share incident details, but this sharing could help build up intelligence on the threat landscape.
- Better public-private sector cooperation: With this there needs to be strong partnersghips between the private sector and the public sector.
- Legislative restrictions on ransom payments: Many government agencies end up paying the ransom, and this is a model that is not sustainable, as it makes ransomware more attractive to cybercriminals.
- Vendors and service providers must do more: Vendors and service provides need to provide better support for government agencies, and work with on monitoring and protecting public sector infrastructures.
If you are interested, here’s a quick lecture on ransomware:
As an add-on, here’s one person’s solution: