Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

// // //
01:00 PM
Tyler Hudak
Tyler Hudak
Connect Directly
E-Mail vvv

The True Cost of a Ransomware Attack

Companies need to prepare for the costs of an attack now, before they get attacked. Here's a checklist to help.

If anyone needed further proof that ransomware is one of the most important digital threats organizations currently face, the recent attacks on Colonial Pipeline; the Washington, DC, police department; Apple; and Ireland's national health service are all glaringly emblematic of the problem.

Related Content:

New Iranian Threat Actor Using Ransomware, Wipers in Destructive Attacks

Special Report: Assessing Cybersecurity Risk in Today's Enterprises

New From The Edge: The Makings of a Better Cybersecurity Hire

According to a recent Sophos survey, 51% of responding organizations were hit with ransomware last year, and the increasingly brazen attacks being carried out through ransomware-as-a-service (RaaS) syndicates suggest that the trend is likely to continue — even amid recent government efforts to shut down RaaS infrastructure.

Ransomware is an equal-opportunity attack, and any organization can become a target. Therefore, every company should be preparing for this threat, not only in terms of preventive measures like malware detection, network traffic analysis, data leak prevention, and data backups, but also anticipating the costs they should expect to pay.

As an incident responder, I've lost track of the number of ransomware incidents that I've worked on over the years, but I have found that in most of these cases, companies don't realize all the potential costs they may incur during a ransomware attack.

Here is a list of some of the costs that companies need to prepare for now, before they get attacked:

1. Cyber Insurance
Cyber insurance can be a savior when it comes to a devastating ransomware attack, but it will only help if it is in place before attackers strike. Depending on your policy, insurance may provide many of the services listed below (which you may or may not need to pay for).

Know what your deductible is as well. While this isn't a direct cost, it will still cost you money.

Credit: vchalup via Adobe Stock
Credit: vchalup via Adobe Stock

2. Incident Response
The ransomware didn't just appear in your network. You need to figure out the root cause, what the attackers did in your network, and what (if any) data was taken. There are likely compromised users or systems with backdoors that weren't affected by the ransomware still on your network. If you don't find them, this attack will happen again in a few weeks.

Incident response (IR) companies help you figure all of this out. They come into your organization, investigate the attack, and give you the assistance you need to make it through containment, eradication, and recovery of the incident.

One tip: If you don't have an internal IR team, get an IR retainer. This will have someone available to you 24x7x365 to assist if you have an incident.

3. Legal
When dealing with ransomware, legal counsel is a must. They'll be the ones to tell you how to navigate the minefield of reporting obligations, ensure your communications are privileged so opposing counsel can't see them if you get sued, and advise you on whether paying the ransom is legal.

You also want to make sure that your internal legal team knows how to handle cyber incidents or that you work with external legal counsel that has this experience. Organizations can expect to pay anywhere from $250 to $700 an hour for external counsel, with the total bill easily reaching $75,000 for most organizations (if your attack does not go into litigation).

4. Crisis Communications
Your organization probably has a communications team, but has it ever dealt with a crisis? How will you notify your customers? What will you say? How will you say it? What do you say to employees? How do you control the flow of information?

If your team has never gone through this, you'll need a qualified crisis communications firm to tell you what to do and how to do it.

5. IT Support
Yes, you have an IT department and it will be a crucial part of your ransomware response plan. However, you aren't going to recover from a ransomware attack over the weekend (if you do it correctly, at least). Recovering from a ransomware attack is a 24x7 operation that will last for a while, and staff will burn out if they're expected to work long hours for days/weeks/months on end. Organizations may need to bring in extra help and expertise to rebuild things properly and quickly.

Expect bringing in IT support to cost in the range of $200 to $500 an hour, depending on the type of expertise needed.

6. Ransom
Every organization that gets hit with ransomware has to make the decision on whether to pay the ransom or not. Sometimes, it's the only way to get your data back or prevent highly sensitive data from being leaked. I don't recommend it, but that decision is (fortunately) out of my hands. 

In any case, ransoms can range from a few thousand dollars to $2 million to $5 million. I hope you won't ever have to pay, but if you do need to, you should also get a...

7. Ransomware Negotiator
... a ransomware negotiator. These are organizations that specialize in helping reduce the ransom amount, assist in purchasing cryptocurrency, and ensuring your data is deleted (although attackers often don't completely delete your data). Do you need one? Nope. But having one can help save you a large amount of money.

Unfortunately, there are many other costs associated with ransomware attacks, such as hardware and software recovery costs, additional protections, loss of productivity, lawsuits, loss of customers, and ongoing monitoring. The good news is that many of these expenditures can be reduced or eliminated with proper planning and preparation.

Tyler Hudak is the Incident Response Practice Lead for TrustedSec. He has over 20 years of real-world experience in incident handling, malware analysis, computer forensics, and information security for multiple organizations. Tyler has spoken and taught at a number of ... View Full Bio
Comment  | 
Print  | 
More Insights
Oldest First  |  Newest First  |  Threaded View
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
The 10 Most Impactful Types of Vulnerabilities for Enterprises Today
Managing system vulnerabilities is one of the old est - and most frustrating - security challenges that enterprise defenders face. Every software application and hardware device ships with intrinsic flaws - flaws that, if critical enough, attackers can exploit from anywhere in the world. It's crucial that defenders take stock of what areas of the tech stack have the most emerging, and critical, vulnerabilities they must manage. It's not just zero day vulnerabilities. Consider that CISA's Known Exploited Vulnerabilities (KEV) catalog lists vulnerabilitlies in widely used applications that are "actively exploited," and most of them are flaws that were discovered several years ago and have been fixed. There are also emerging vulnerabilities in 5G networks, cloud infrastructure, Edge applications, and firmwares to consider.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2023-03-17
The Bookly plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the full name value in versions up to, and including, 21.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that w...
PUBLISHED: 2023-03-17
The WP Express Checkout plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘pec_coupon[code]’ parameter in versions up to, and including, 2.2.8 due to insufficient input sanitization and output escaping. This makes it possible for authenti...
PUBLISHED: 2023-03-17
A vulnerability was found in SourceCodester Student Study Center Desk Management System 1.0. It has been rated as critical. This issue affects the function view_student of the file admin/?page=students/view_student. The manipulation of the argument id with the input 3' AND (SELECT 2100 FROM (SELECT(...
PUBLISHED: 2023-03-17
A vulnerability classified as critical has been found in SourceCodester Student Study Center Desk Management System 1.0. Affected is an unknown function of the file Master.php?f=delete_img of the component POST Parameter Handler. The manipulation of the argument path with the input C%3A%2Ffoo.txt le...
PUBLISHED: 2023-03-17
A vulnerability classified as critical was found in SourceCodester Student Study Center Desk Management System 1.0. Affected by this vulnerability is an unknown functionality of the file admin/?page=reports&date_from=2023-02-17&date_to=2023-03-17 of the component Report Handler. The manipula...