Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

6/3/2021
01:00 PM
Tyler Hudak
Tyler Hudak
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

The True Cost of a Ransomware Attack

Companies need to prepare for the costs of an attack now, before they get attacked. Here's a checklist to help.

If anyone needed further proof that ransomware is one of the most important digital threats organizations currently face, the recent attacks on Colonial Pipeline; the Washington, DC, police department; Apple; and Ireland's national health service are all glaringly emblematic of the problem.

Related Content:

New Iranian Threat Actor Using Ransomware, Wipers in Destructive Attacks

Special Report: Assessing Cybersecurity Risk in Today's Enterprises

New From The Edge: The Makings of a Better Cybersecurity Hire

According to a recent Sophos survey, 51% of responding organizations were hit with ransomware last year, and the increasingly brazen attacks being carried out through ransomware-as-a-service (RaaS) syndicates suggest that the trend is likely to continue — even amid recent government efforts to shut down RaaS infrastructure.

Ransomware is an equal-opportunity attack, and any organization can become a target. Therefore, every company should be preparing for this threat, not only in terms of preventive measures like malware detection, network traffic analysis, data leak prevention, and data backups, but also anticipating the costs they should expect to pay.

As an incident responder, I've lost track of the number of ransomware incidents that I've worked on over the years, but I have found that in most of these cases, companies don't realize all the potential costs they may incur during a ransomware attack.

Here is a list of some of the costs that companies need to prepare for now, before they get attacked:

1. Cyber Insurance
Cyber insurance can be a savior when it comes to a devastating ransomware attack, but it will only help if it is in place before attackers strike. Depending on your policy, insurance may provide many of the services listed below (which you may or may not need to pay for).

Know what your deductible is as well. While this isn't a direct cost, it will still cost you money.

Credit: vchalup via Adobe Stock
Credit: vchalup via Adobe Stock

2. Incident Response
The ransomware didn't just appear in your network. You need to figure out the root cause, what the attackers did in your network, and what (if any) data was taken. There are likely compromised users or systems with backdoors that weren't affected by the ransomware still on your network. If you don't find them, this attack will happen again in a few weeks.

Incident response (IR) companies help you figure all of this out. They come into your organization, investigate the attack, and give you the assistance you need to make it through containment, eradication, and recovery of the incident.

One tip: If you don't have an internal IR team, get an IR retainer. This will have someone available to you 24x7x365 to assist if you have an incident.

3. Legal
When dealing with ransomware, legal counsel is a must. They'll be the ones to tell you how to navigate the minefield of reporting obligations, ensure your communications are privileged so opposing counsel can't see them if you get sued, and advise you on whether paying the ransom is legal.

You also want to make sure that your internal legal team knows how to handle cyber incidents or that you work with external legal counsel that has this experience. Organizations can expect to pay anywhere from $250 to $700 an hour for external counsel, with the total bill easily reaching $75,000 for most organizations (if your attack does not go into litigation).

4. Crisis Communications
Your organization probably has a communications team, but has it ever dealt with a crisis? How will you notify your customers? What will you say? How will you say it? What do you say to employees? How do you control the flow of information?

If your team has never gone through this, you'll need a qualified crisis communications firm to tell you what to do and how to do it.

5. IT Support
Yes, you have an IT department and it will be a crucial part of your ransomware response plan. However, you aren't going to recover from a ransomware attack over the weekend (if you do it correctly, at least). Recovering from a ransomware attack is a 24x7 operation that will last for a while, and staff will burn out if they're expected to work long hours for days/weeks/months on end. Organizations may need to bring in extra help and expertise to rebuild things properly and quickly.

Expect bringing in IT support to cost in the range of $200 to $500 an hour, depending on the type of expertise needed.

6. Ransom
Every organization that gets hit with ransomware has to make the decision on whether to pay the ransom or not. Sometimes, it's the only way to get your data back or prevent highly sensitive data from being leaked. I don't recommend it, but that decision is (fortunately) out of my hands. 

In any case, ransoms can range from a few thousand dollars to $2 million to $5 million. I hope you won't ever have to pay, but if you do need to, you should also get a...

7. Ransomware Negotiator
... a ransomware negotiator. These are organizations that specialize in helping reduce the ransom amount, assist in purchasing cryptocurrency, and ensuring your data is deleted (although attackers often don't completely delete your data). Do you need one? Nope. But having one can help save you a large amount of money.

Unfortunately, there are many other costs associated with ransomware attacks, such as hardware and software recovery costs, additional protections, loss of productivity, lawsuits, loss of customers, and ongoing monitoring. The good news is that many of these expenditures can be reduced or eliminated with proper planning and preparation.

Tyler Hudak is the Incident Response Practice Lead for TrustedSec. He has over 20 years of real-world experience in incident handling, malware analysis, computer forensics, and information security for multiple organizations. Tyler has spoken and taught at a number of ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Enterprise Cybersecurity Plans in a Post-Pandemic World
Download the Enterprise Cybersecurity Plans in a Post-Pandemic World report to understand how security leaders are maintaining pace with pandemic-related challenges, and where there is room for improvement.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-33035
PUBLISHED: 2021-09-23
Apache OpenOffice opens dBase/DBF documents and shows the contents as spreadsheets. DBF are database files with data organized in fields. When reading DBF data the size of certain fields is not checked: the data is just copied into local variables. A carefully crafted document could overflow the all...
CVE-2021-34767
PUBLISHED: 2021-09-23
A vulnerability in IPv6 traffic processing of Cisco IOS XE Wireless Controller Software for Cisco Catalyst 9000 Family Wireless Controllers could allow an unauthenticated, adjacent attacker to cause a Layer 2 (L2) loop in a configured VLAN, resulting in a denial of service (DoS) condition for that V...
CVE-2021-34768
PUBLISHED: 2021-09-23
Multiple vulnerabilities in the Control and Provisioning of Wireless Access Points (CAPWAP) protocol processing of Cisco IOS XE Software for Cisco Catalyst 9000 Family Wireless Controllers could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected dev...
CVE-2021-34769
PUBLISHED: 2021-09-23
Multiple vulnerabilities in the Control and Provisioning of Wireless Access Points (CAPWAP) protocol processing of Cisco IOS XE Software for Cisco Catalyst 9000 Family Wireless Controllers could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected dev...
CVE-2021-34770
PUBLISHED: 2021-09-23
A vulnerability in the Control and Provisioning of Wireless Access Points (CAPWAP) protocol processing of Cisco IOS XE Software for Cisco Catalyst 9000 Family Wireless Controllers could allow an unauthenticated, remote attacker to execute arbitrary code with administrative privileges or cause a deni...