Why should businesses invest heavily in technology to detect ransomware attacks when a ransom payment may only be between $500 and $1,000? While that is what cybercriminals are charging as a ransom, the cost of a ransomware attack is far higher than any ransom payment. In fact, the ransom is often one of the lowest costs of a ransomware attack that businesses must cover.

The ransom payment may seem relatively small, but the latest ransomware variants are capable of spreading laterally, infecting multiple computers and servers and encrypting network shares. The ransom payment is then multiplied by the number of devices that have been infected.

The Cost of a Ransomware Attack Can Run to Millions of Dollars

When businesses suffer ransomware attacks, the attackers often set their ransoms based on the perceived ability of the organization to pay. In 2016, Hollywood Presbyterian Medical Center was forced to pay a ransom of $19,000 to unlock its infected systems. When the San Francisco Muni was infected, hackers demanded $50,000 for the keys to unlock its payment system. In June 2017, South Korean web host Nayana agreed to pay $1 million for the keys to unlock the encryption of its 53 Linux servers and 3,400 customer websites.

These ransom payments are high, but the ransom is only one cost of a ransomware attack. The biggest cost of a ransomware attack is often the disruption to business services while files are taken out of action. Systems can be taken out of action for several days, bringing revenue-generating activities to an abrupt stop. One Providence law firm experienced downtime of three months following a ransomware attack, even though the $25,000 ransom was paid. Lawyers were stopped from working, causing a loss in billings of an estimated $700,000.

In heavily regulated industries, notifications must be sent to all individuals whose information has been encrypted, and credit monitoring and identity theft services often need to be provided. When hundreds of thousands of users’ data is encrypted, the cost of printing and mailing notifications and paying for credit monitoring services is substantial.

Once an attack has been resolved, networks need to be analyzed to determine whether any other malware has been installed or backdoors created. Cybersecurity experts usually need to be brought in to conduct forensic analyses. Then ransomware defenses need to be improved and new security systems purchased. The total cost of a ransomware attack can extend to hundreds of thousands or millions of dollars.

Ransomware is Here to Stay

As long as ransomware attacks are profitable, the threat will not go away. The use of ransomware-as-a-service allows ransomware developers to concentrate on creating even more sophisticated ransomware variants and stay one step ahead of security researchers and antivirus companies.

Anonymous payment methods make it hard for law enforcement to discover the identities of ransomware developers, and since those individuals are usually based overseas, even if they are identified, bringing them to justice is problematic.

Ransomware developers are constantly changing tactics and are developing new methods of attack. The coming months and years are likely to see major changes to how ransomware is used, and the systems that are attacked.

Ransomware attacks mostly target Windows systems, although new variants have already been developed to encrypt Mac and Linux files. Security experts predict there will also be an increase in ransomware variants targeting Macs as Apple’s market share increases, while website attacks are becoming more common. When a website is attacked, all site files, pages, and images are encrypted to prevent access. For an e-commerce business, the attacks can be devastating.

Ransomware attacks on mobile devices are now commonplace, with screen-lockers and file-encryptors used. Screen-locking ransomware prevents users from accessing any apps or functions, rendering the device unusable. File-encrypting variants encrypt all data stored on the device. These ransomware variants are most commonly packaged with apps sold in unofficial app stores. Risk can be substantially reduced by only downloading files from official app stores and ensuring all apps are kept up to date.

Given the increase in attacks and the massive increase in new ransomware variants, businesses must improve their defenses, block the common attack vectors, back up all data, and constantly monitor for indicators of compromise.

Tips for Preventing a Ransomware Attack

  • Ensure users only have access to data and network drives necessary for them to perform their jobs.
  • Backup devices should be disconnected when backups have been performed.
  • Keep operating systems, software applications, and plugins up to date and fully patched.
  • Block access to websites known to host exploit kits using a web filter such as WebTitan.
  • Implement a spam filtering solution to prevent malicious emails from reaching inboxes.
  • Provide regular, ongoing training to all staff on the risks of ransomware and phishing.
  • Segment your network and restrict administrator rights.

To ensure a swift recovery from a ransomware attack, make sure you:

  • Create multiple backups of all files, websites, and systems.
  • Create three backups on two different media and store one copy offsite.
  • Develop a ransomware response plan that can be implemented immediately when an attack is suspected.
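
The backup tips above (disconnect backup devices once backups have been performed; keep three backups on two different media with one copy offsite) can be checked mechanically against a backup inventory. The following is an added example, not part of the original article; the BackupCopy fields, the audit_backup_plan function, the finding codes and the sample inventories are all constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class BackupCopy:
    name: str
    medium: str      # e.g. "disk", "tape", "cloud" (labels are assumptions)
    offsite: bool    # stored away from the primary site
    connected: bool  # still attached or mounted after the backup job finished


def audit_backup_plan(copies):
    """Return (code, detail) findings; an empty list means every tip is met."""
    findings = []
    if len(copies) < 3:
        findings.append(("TOO_FEW_COPIES", f"{len(copies)} backup(s), need 3"))
    media = sorted({c.medium for c in copies})
    if len(media) < 2:
        findings.append(("SINGLE_MEDIUM", f"media in use: {media}"))
    if not any(c.offsite for c in copies):
        findings.append(("NO_OFFSITE_COPY", "all copies share the primary site"))
    # A backup device left attached is reachable by ransomware that spreads
    # laterally and encrypts network shares, so flag each one by name.
    for c in copies:
        if c.connected:
            findings.append(("STILL_CONNECTED", c.name))
    return findings


# Constructed sample inventories (not real systems).
WEAK_PLAN = [
    BackupCopy("nas-share", "disk", offsite=False, connected=True),
    BackupCopy("usb-drive", "disk", offsite=False, connected=True),
]
SOUND_PLAN = [
    BackupCopy("usb-drive", "disk", offsite=False, connected=False),
    BackupCopy("tape-weekly", "tape", offsite=False, connected=False),
    BackupCopy("tape-vault", "tape", offsite=True, connected=False),
]

if __name__ == "__main__":
    for label, plan in (("weak", WEAK_PLAN), ("sound", SOUND_PLAN)):
        print(label, audit_backup_plan(plan) or "meets all backup tips")
```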