Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

// // //
01:00 PM
Tyler Hudak
Tyler Hudak
Connect Directly
E-Mail vvv

The True Cost of a Ransomware Attack

Companies need to prepare for the costs of an attack now, before they get attacked. Here's a checklist to help.

If anyone needed further proof that ransomware is one of the most important digital threats organizations currently face, the recent attacks on Colonial Pipeline; the Washington, DC, police department; Apple; and Ireland's national health service are all glaringly emblematic of the problem.

Related Content:

New Iranian Threat Actor Using Ransomware, Wipers in Destructive Attacks

Special Report: Assessing Cybersecurity Risk in Today's Enterprises

New From The Edge: The Makings of a Better Cybersecurity Hire

According to a recent Sophos survey, 51% of responding organizations were hit with ransomware last year, and the increasingly brazen attacks being carried out through ransomware-as-a-service (RaaS) syndicates suggest that the trend is likely to continue — even amid recent government efforts to shut down RaaS infrastructure.

Ransomware is an equal-opportunity attack, and any organization can become a target. Therefore, every company should be preparing for this threat, not only in terms of preventive measures like malware detection, network traffic analysis, data leak prevention, and data backups, but also anticipating the costs they should expect to pay.

As an incident responder, I've lost track of the number of ransomware incidents that I've worked on over the years, but I have found that in most of these cases, companies don't realize all the potential costs they may incur during a ransomware attack.

Here is a list of some of the costs that companies need to prepare for now, before they get attacked:

1. Cyber Insurance
Cyber insurance can be a savior when it comes to a devastating ransomware attack, but it will only help if it is in place before attackers strike. Depending on your policy, insurance may provide many of the services listed below (which you may or may not need to pay for).

Know what your deductible is as well. While this isn't a direct cost, it will still cost you money.

Credit: vchalup via Adobe Stock
Credit: vchalup via Adobe Stock

2. Incident Response
The ransomware didn't just appear in your network. You need to figure out the root cause, what the attackers did in your network, and what (if any) data was taken. There are likely compromised users or systems with backdoors that weren't affected by the ransomware still on your network. If you don't find them, this attack will happen again in a few weeks.

Incident response (IR) companies help you figure all of this out. They come into your organization, investigate the attack, and give you the assistance you need to make it through containment, eradication, and recovery of the incident.

One tip: If you don't have an internal IR team, get an IR retainer. This will have someone available to you 24x7x365 to assist if you have an incident.

3. Legal
When dealing with ransomware, legal counsel is a must. They'll be the ones to tell you how to navigate the minefield of reporting obligations, ensure your communications are privileged so opposing counsel can't see them if you get sued, and advise you on whether paying the ransom is legal.

You also want to make sure that your internal legal team knows how to handle cyber incidents or that you work with external legal counsel that has this experience. Organizations can expect to pay anywhere from $250 to $700 an hour for external counsel, with the total bill easily reaching $75,000 for most organizations (if your attack does not go into litigation).

4. Crisis Communications
Your organization probably has a communications team, but has it ever dealt with a crisis? How will you notify your customers? What will you say? How will you say it? What do you say to employees? How do you control the flow of information?

If your team has never gone through this, you'll need a qualified crisis communications firm to tell you what to do and how to do it.

5. IT Support
Yes, you have an IT department and it will be a crucial part of your ransomware response plan. However, you aren't going to recover from a ransomware attack over the weekend (if you do it correctly, at least). Recovering from a ransomware attack is a 24x7 operation that will last for a while, and staff will burn out if they're expected to work long hours for days/weeks/months on end. Organizations may need to bring in extra help and expertise to rebuild things properly and quickly.

Expect bringing in IT support to cost in the range of $200 to $500 an hour, depending on the type of expertise needed.

6. Ransom
Every organization that gets hit with ransomware has to make the decision on whether to pay the ransom or not. Sometimes, it's the only way to get your data back or prevent highly sensitive data from being leaked. I don't recommend it, but that decision is (fortunately) out of my hands. 

In any case, ransoms can range from a few thousand dollars to $2 million to $5 million. I hope you won't ever have to pay, but if you do need to, you should also get a...

7. Ransomware Negotiator
... a ransomware negotiator. These are organizations that specialize in helping reduce the ransom amount, assist in purchasing cryptocurrency, and ensuring your data is deleted (although attackers often don't completely delete your data). Do you need one? Nope. But having one can help save you a large amount of money.

Unfortunately, there are many other costs associated with ransomware attacks, such as hardware and software recovery costs, additional protections, loss of productivity, lawsuits, loss of customers, and ongoing monitoring. The good news is that many of these expenditures can be reduced or eliminated with proper planning and preparation.

Tyler Hudak is the Incident Response Practice Lead for TrustedSec. He has over 20 years of real-world experience in incident handling, malware analysis, computer forensics, and information security for multiple organizations. Tyler has spoken and taught at a number of ... View Full Bio
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
The Promise and Reality of Cloud Security
Cloud security has been part of the cybersecurity conversation for years but has been on the sidelines for most enterprises. The shift to remote work during the COVID-19 pandemic and digital transformation projects have moved cloud infrastructure front-and-center as enterprises address the associated security risks. This report - a compilation of cutting-edge Black Hat research, in-depth Omdia analysis, and comprehensive Dark Reading reporting - explores how cloud security is rapidly evolving.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2023-01-28
A vulnerability, which was classified as critical, has been found in SourceCodester Online Tours & Travels Management System 1.0. This issue affects some unknown processing of the file admin/practice_pdf.php. The manipulation of the argument id leads to sql injection. The attack may be initiated...
PUBLISHED: 2023-01-28
A vulnerability, which was classified as critical, was found in SourceCodester Online Tours & Travels Management System 1.0. Affected is an unknown function of the file /user/s.php. The manipulation of the argument id leads to sql injection. It is possible to launch the attack remotely. The expl...
PUBLISHED: 2023-01-28
Metabase is an open source data analytics platform. Affected versions are subject to Exposure of Sensitive Information to an Unauthorized Actor. Sandboxed users shouldn't be able to view data about other Metabase users anywhere in the Metabase application. However, when a sandbox user views the sett...
PUBLISHED: 2023-01-28
Metabase is an open source data analytics platform. Affected versions are subject to Improper Privilege Management. As intended, recipients of dashboards subscriptions can view the data as seen by the creator of that subscription. This allows someone with greater access to data to create a dashboard...
PUBLISHED: 2023-01-28
Discourse is an open-source discussion platform. Prior to version 3.0.1 on the `stable` branch and 3.1.0.beta2 on the `beta` and `tests-passed` branches, when submitting a membership request, there is no character limit for the reason provided with the request. This could potentially allow a user to...