Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

// // //
01:00 PM
Tyler Hudak
Tyler Hudak
Connect Directly
E-Mail vvv

The True Cost of a Ransomware Attack

Companies need to prepare for the costs of an attack now, before they get attacked. Here's a checklist to help.

If anyone needed further proof that ransomware is one of the most important digital threats organizations currently face, the recent attacks on Colonial Pipeline; the Washington, DC, police department; Apple; and Ireland's national health service are all glaringly emblematic of the problem.

Related Content:

New Iranian Threat Actor Using Ransomware, Wipers in Destructive Attacks

Special Report: Assessing Cybersecurity Risk in Today's Enterprises

New From The Edge: The Makings of a Better Cybersecurity Hire

According to a recent Sophos survey, 51% of responding organizations were hit with ransomware last year, and the increasingly brazen attacks being carried out through ransomware-as-a-service (RaaS) syndicates suggest that the trend is likely to continue — even amid recent government efforts to shut down RaaS infrastructure.

Ransomware is an equal-opportunity attack, and any organization can become a target. Therefore, every company should be preparing for this threat, not only in terms of preventive measures like malware detection, network traffic analysis, data leak prevention, and data backups, but also anticipating the costs they should expect to pay.

As an incident responder, I've lost track of the number of ransomware incidents that I've worked on over the years, but I have found that in most of these cases, companies don't realize all the potential costs they may incur during a ransomware attack.

Here is a list of some of the costs that companies need to prepare for now, before they get attacked:

1. Cyber Insurance
Cyber insurance can be a savior when it comes to a devastating ransomware attack, but it will only help if it is in place before attackers strike. Depending on your policy, insurance may provide many of the services listed below (which you may or may not need to pay for).

Know what your deductible is as well. While this isn't a direct cost, it will still cost you money.

Credit: vchalup via Adobe Stock
Credit: vchalup via Adobe Stock

2. Incident Response
The ransomware didn't just appear in your network. You need to figure out the root cause, what the attackers did in your network, and what (if any) data was taken. There are likely compromised users or systems with backdoors that weren't affected by the ransomware still on your network. If you don't find them, this attack will happen again in a few weeks.

Incident response (IR) companies help you figure all of this out. They come into your organization, investigate the attack, and give you the assistance you need to make it through containment, eradication, and recovery of the incident.

One tip: If you don't have an internal IR team, get an IR retainer. This will have someone available to you 24x7x365 to assist if you have an incident.

3. Legal
When dealing with ransomware, legal counsel is a must. They'll be the ones to tell you how to navigate the minefield of reporting obligations, ensure your communications are privileged so opposing counsel can't see them if you get sued, and advise you on whether paying the ransom is legal.

You also want to make sure that your internal legal team knows how to handle cyber incidents or that you work with external legal counsel that has this experience. Organizations can expect to pay anywhere from $250 to $700 an hour for external counsel, with the total bill easily reaching $75,000 for most organizations (if your attack does not go into litigation).

4. Crisis Communications
Your organization probably has a communications team, but has it ever dealt with a crisis? How will you notify your customers? What will you say? How will you say it? What do you say to employees? How do you control the flow of information?

If your team has never gone through this, you'll need a qualified crisis communications firm to tell you what to do and how to do it.

5. IT Support
Yes, you have an IT department and it will be a crucial part of your ransomware response plan. However, you aren't going to recover from a ransomware attack over the weekend (if you do it correctly, at least). Recovering from a ransomware attack is a 24x7 operation that will last for a while, and staff will burn out if they're expected to work long hours for days/weeks/months on end. Organizations may need to bring in extra help and expertise to rebuild things properly and quickly.

Expect bringing in IT support to cost in the range of $200 to $500 an hour, depending on the type of expertise needed.

6. Ransom
Every organization that gets hit with ransomware has to make the decision on whether to pay the ransom or not. Sometimes, it's the only way to get your data back or prevent highly sensitive data from being leaked. I don't recommend it, but that decision is (fortunately) out of my hands. 

In any case, ransoms can range from a few thousand dollars to $2 million to $5 million. I hope you won't ever have to pay, but if you do need to, you should also get a...

7. Ransomware Negotiator
... a ransomware negotiator. These are organizations that specialize in helping reduce the ransom amount, assist in purchasing cryptocurrency, and ensuring your data is deleted (although attackers often don't completely delete your data). Do you need one? Nope. But having one can help save you a large amount of money.

Unfortunately, there are many other costs associated with ransomware attacks, such as hardware and software recovery costs, additional protections, loss of productivity, lawsuits, loss of customers, and ongoing monitoring. The good news is that many of these expenditures can be reduced or eliminated with proper planning and preparation.

Tyler Hudak is the Incident Response Practice Lead for TrustedSec. He has over 20 years of real-world experience in incident handling, malware analysis, computer forensics, and information security for multiple organizations. Tyler has spoken and taught at a number of ... View Full Bio
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
Everything You Need to Know About DNS Attacks
It's important to understand DNS, potential attacks against it, and the tools and techniques required to defend DNS infrastructure. This report answers all the questions you were afraid to ask. Domain Name Service (DNS) is a critical part of any organization's digital infrastructure, but it's also one of the least understood. DNS is designed to be invisible to business professionals, IT stakeholders, and many security professionals, but DNS's threat surface is large and widely targeted. Attackers are causing a great deal of damage with an array of attacks such as denial of service, DNS cache poisoning, DNS hijackin, DNS tunneling, and DNS dangling. They are using DNS infrastructure to take control of inbound and outbound communications and preventing users from accessing the applications they are looking for. To stop attacks on DNS, security teams need to shore up the organization's security hygiene around DNS infrastructure, implement controls such as DNSSEC, and monitor DNS traffic
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2023-05-26
Craft is a CMS for creating custom digital experiences. Cross site scripting (XSS) can be triggered by review volumes. This issue has been fixed in version 4.4.7.
PUBLISHED: 2023-05-26
Django-SES is a drop-in mail backend for Django. The django_ses library implements a mail backend for Django using AWS Simple Email Service. The library exports the `SESEventWebhookView class` intended to receive signed requests from AWS to handle email bounces, subscriptions, etc. These requests ar...
PUBLISHED: 2023-05-26
Highlight is an open source, full-stack monitoring platform. Highlight may record passwords on customer deployments when a password html input is switched to `type="text"` via a javascript "Show Password" button. This differs from the expected behavior which always obfuscates `ty...
PUBLISHED: 2023-05-26
Craft is a CMS for creating custom digital experiences on the web.The platform does not filter input and encode output in Quick Post validation error message, which can deliver an XSS payload. Old CVE fixed the XSS in label HTML but didn’t fix it when clicking save. This issue was...
PUBLISHED: 2023-05-26
GDSDB infinite loop in Wireshark 4.0.0 to 4.0.5 and 3.6.0 to 3.6.13 allows denial of service via packet injection or crafted capture file