The True Cost of a Ransomware Attack
Companies need to prepare for the costs of an attack now, before they get attacked. Here's a checklist to help.
If anyone needed further proof that ransomware is one of the most important digital threats organizations currently face, the recent attacks on Colonial Pipeline; the Washington, DC, police department; Apple; and Ireland's national health service are all glaringly emblematic of the problem.
According to a recent Sophos survey,
51% of responding organizations were hit with ransomware last year, and the
increasingly brazen attacks being carried out through ransomware-as-a-service (RaaS)
syndicates suggest that the trend is likely to continue — even amid recent
government efforts to shut down RaaS infrastructure.
Ransomware is an equal-opportunity attack, and any organization can become a target. Therefore, every company should be preparing for this threat, not only in terms of preventive measures like malware detection, network traffic analysis, data leak prevention, and data backups, but also in terms of anticipating the costs it should expect to pay.
As an incident responder, I've lost track of the number of ransomware incidents
that I've worked on over the years, but I have found that in most of these
cases, companies don't realize all the potential costs they may incur during a
ransomware attack.
Here is a list of some of the costs that companies need to prepare for now,
before they get attacked:
1. Cyber Insurance
Cyber insurance can be a savior when it comes to a devastating ransomware
attack, but it will only help if it is in place before attackers strike.
Depending on your policy, insurance may provide many of the services listed
below (which you may or may not need to pay for).
Know what your deductible is as well. While this isn't a direct cost, it will
still cost you money.
2. Incident Response
The ransomware didn't just appear in your network. You need to figure out the root cause, what the attackers did in your network, and what (if any) data was taken. There are likely still compromised user accounts or backdoored systems on your network that the ransomware itself never touched. If you don't find and remove them, this attack will happen again in a few weeks.
Incident response (IR) companies help you figure all of this out. They come into
your organization, investigate the attack, and give you the assistance you need
to make it through containment, eradication, and recovery of the incident.
One tip: If you don't have an internal IR team, get an IR retainer. This gives you someone available 24x7x365 to assist if you have an incident.
3. Legal
When dealing with ransomware, legal counsel is a must. They'll be the ones to
tell you how to navigate the minefield of reporting obligations, ensure your
communications are privileged so opposing counsel can't see them if you get
sued, and advise you on whether paying the ransom is legal.
You also want to make sure that your internal legal team knows how to handle
cyber incidents or that you work with external legal counsel that has this
experience. Organizations can expect to pay anywhere from $250 to $700 an hour
for external counsel, with the total bill easily reaching $75,000 for most
organizations (if your attack does not go into litigation).
4. Crisis Communications
Your organization probably has a communications team, but has it ever dealt with
a crisis? How will you notify your customers? What will you say? How will you
say it? What do you say to employees? How do you control the flow of
information?
If your team has never gone through this, you'll need a qualified crisis
communications firm to tell you what to do and how to do it.
5. IT Support
Yes, you have an IT department and it will be a crucial part of your ransomware
response plan. However, you aren't going to recover from a ransomware attack
over the weekend (if you do it correctly, at least). Recovering from a
ransomware attack is a 24x7 operation that will last for a while, and staff will
burn out if they're expected to work long hours for days/weeks/months on end.
Organizations may need to bring in extra help and expertise to rebuild things
properly and quickly.
Expect bringing in IT support to cost in the range of $200 to $500 an hour,
depending on the type of expertise needed.
6. Ransom
Every organization that gets hit with ransomware has to make the decision on
whether to pay the ransom or not. Sometimes, it's the only way to get your data
back or prevent highly sensitive data from being leaked. I don't recommend it,
but that decision is (fortunately) out of my hands.
In any case, ransoms can range from a few thousand dollars to $2 million to $5
million. I hope you won't ever have to pay, but if you do need to, you should
also get a...
7. Ransomware Negotiator
... a ransomware negotiator. These are organizations that specialize in reducing the ransom amount, assisting with the purchase of cryptocurrency, and ensuring your data is deleted (although attackers often don't completely delete your data). Do you need one? Nope. But having one can help save you a large amount of money.
Unfortunately, there are many other costs associated with ransomware attacks,
such as hardware and software recovery costs, additional protections, loss of
productivity, lawsuits, loss of customers, and ongoing monitoring. The good news
is that many of these expenditures can be reduced or eliminated with proper
planning and preparation.
beta.darkreading.com