What is the average cost in USD to recover from a ransomware attack?

Ransomware attacks have become increasingly common in recent years. These cyber attacks involve malware that encrypts an organization’s files and demands a ransom payment in order to decrypt them. Recovering from a ransomware attack can be extremely costly for businesses and organizations. According to recent research, the average total cost of recovery from a ransomware attack is over $1.8 million.

Key Statistics on Ransomware Recovery Costs

  • The average ransom payment made by organizations is $212,000.
  • However, paying the ransom only accounts for a small portion of the total recovery cost. The average total cost, including business interruption and lost revenues, is $1.85 million.
  • For small and medium businesses (SMBs), the average total cost is over $2 million.
  • Larger enterprises face even steeper costs, with the average total cost for organizations with over $1 billion in revenue being $4.37 million.
  • The average time organizations take to recover from a ransomware attack is 21 days.

These costs highlight the immense financial toll ransomware attacks can take on businesses and organizations. Paying the ransom demand itself is costly, but interruptions to operations, restoration of systems and data, and lost business often account for the bulk of the economic damage.

Factors That Influence the Cost of Recovery

Many factors influence the overall cost an organization faces to recover from a ransomware attack. Key factors include:

  • Scale of the infection: The more systems and data that are encrypted, the higher the recovery costs will be.
  • Time taken to recover: The longer systems are inaccessible, the greater the business interruption costs.
  • Lost data: If backups are compromised and data is permanently lost, recreating or restoring that data can be expensive.
  • Damage to systems: If systems or hardware are damaged in the attack, replacement or repair costs add up.
  • Third-party assistance: Outside consultants and forensic experts used to support recovery efforts can be costly.
  • Reputation damage: The costs of PR support, notifications, and potential loss of customers or business due to reputational damage can all contribute to higher overall costs.

In general, the less resilient an organization’s data, systems, and processes are, the more a ransomware attack is likely to cost.

Average Ransom Payment Demands

One major component of the total cost of recovery from ransomware is the ransom payment demanded by attackers. According to research by Coveware, in the first quarter of 2021 the average ransom payment was $212,000. Some key data points on average ransom demands include:

  • In 2020, the average ransom payment increased by 171% to $154,108.
  • The highest average ransom demand across industry sectors was over $5 million in the healthcare sector.
  • The lowest average ransom demand was $84,116 in the retail sector.
  • Ransom demands are tailored based on the type and size of organization being targeted, with larger enterprises facing higher ransom demands.

Attackers research an organization’s finances and operations to calibrate their ransom demands. Cyber insurance coverage can also push demands higher if attackers know the costs may be partly covered by insurance.

Average Business Interruption Costs

Business interruption refers to the revenue, productivity, and services lost during a ransomware attack while systems and operations are disrupted. Several factors contribute to these costs:

  • Lost sales and revenue: Any revenue-generating activities halted during an attack lead to direct lost sales.
  • Missed business opportunities: Organizations may miss out on new business and deals that would have been closed.
  • Delayed production and services: Manufacturing, services, deliveries, and productivity grind to a halt during attacks.
  • Technical investigation: Extensive analysis is required to determine how systems were compromised.
  • Incident response: Emergency response involves diverting staff and resources away from normal business operations.

According to Coveware, the average business interruption cost incurred due to ransomware attacks is $46,800. However, business interruption costs can vary dramatically based on the size of the organization and type of business affected. Larger organizations lose millions in revenue for every day critical systems are disabled.

Average Costs Per Day of Downtime

Looking specifically at the estimated costs per day of downtime due to ransomware attacks provides a clearer picture of how business interruption costs add up:

  • For small businesses, approximately $8,500 per day
  • For mid-sized organizations, around $74,000 per day
  • For large enterprises, over $700,000 per day

These per-day costs highlight why the average recovery time of 21 days results in such a massive total economic impact. The business interruption costs alone can devastate organizations of any size.

Costs Associated with Data Loss

If ransomware succeeds in permanently encrypting or corrupting data stores, the costs of recreating or restoring that data can be substantial. Some of the factors that can drive up costs include:

  • Labor required to manually recreate lost data
  • Efforts to recover data from backups
  • Third-party data recovery specialist fees
  • Re-entering data into applications and databases
  • Opportunity cost of employees focused on recreating data rather than normal work
  • Purchasing replacement data that may no longer be available elsewhere

According to IBM, data loss is the most expensive consequence of ransomware attacks, costing organizations an average of $239,000.

Costs of Securing and Rebuilding Systems

In cases where ransomware actually damages or destroys systems and hardware, substantial costs can be incurred:

  • Replacing corrupted endpoints like desktops, laptops, tablets, etc.
  • Rebuilding servers from scratch
  • Acquiring new hardware like routers or switches if damaged
  • Installing completely new operating systems
  • Restoring or reconfiguring cloud-based infrastructure
  • Extensive vulnerability scanning and patching after rebuilding systems
  • Configuring new security tools and software

According to Coveware, organizations spend an average of $1.1 million on identifying and removing malware from systems hit by ransomware attacks. Complex environments with many systems and dependencies can result in even higher costs for total rebuilding.

Average Costs of Third-Party Consultants

Many organizations choose to hire external incident response consultants and forensic experts to assist with ransomware attack recovery. These specialists provide technical skills and experience to help expedite the recovery process. Average costs incurred include:

  • Emergency incident response contracting – $75,000
  • Forensic investigation and malware analysis – $40,000
  • Communications and PR consulting – $50,000
  • Legal counsel and notifications – $30,000
  • Cyber insurance coordination – $10,000

The combined costs of third-party help average around $200,000 based on typical ransomware response engagements. However, larger organizations or complex incidents result in much higher consulting costs.

Indirect Costs and Consequences

In addition to the direct costs discussed above, there are a number of indirect consequences that add to the overall impact of ransomware attacks. These include:

  • Reputational damage: Customers lose trust after data breaches and service outages.
  • Decreased valuation: Cyber incidents can greatly reduce an organization’s valuation.
  • Legal liabilities: Class-action lawsuits, regulatory fines, and contractual penalties often arise.
  • Increased insurance premiums: Rates spike after ransomware claims.
  • Employee morale: Productivity and engagement suffer in the aftermath of attacks.
  • Opportunity costs: Resources dedicated to recovery cannot focus on strategic initiatives.

While harder to quantify, these indirect costs and consequences compound the economic damage of successful ransomware attacks.

When Do Recovery Costs Exceed the Ransom Demand?

An important consideration for organizations debating whether to pay ransom demands is understanding when recovery costs exceed the ransom amount. According to Coveware:

  • Small businesses pay an average ransom of $5,400, while total costs average $107,000.
  • Mid-size organizations pay an average of $22,300 vs. $2.1 million in total costs.
  • Enterprises pay an average ransom of $110,000 compared to total costs of $4.37 million.

In most cases, the ransom demand itself is only a small fraction of the complete recovery cost. This is one reason most experts warn against paying ransoms: paying does not remove the remaining costs, and organizations rarely recoup the total outlay.

How Do Costs Vary Across Industries and Sectors?

While all organizations are at risk of costly ransomware attacks, some sectors are more highly targeted and prone to higher recovery costs than others. According to Coveware research, the sectors with the highest average ransoms and costs include:

Industry        Average Ransom    Average Total Cost
Healthcare      $5.3 million      $7.5 million
Education       $447,000          $4.4 million
Government      $217,000          $2.8 million
Manufacturing   $174,000          $1.6 million
Retail          $84,000           $710,000

Industries like healthcare, education, and government often have highly sensitive data, stretched IT resources, and complex environments. Manufacturing and retail can also be prime targets due to valuable intellectual property and customer data assets.

Does Cyber Insurance Cover Ransomware Costs?

Cyber insurance can potentially help offset some of the costs associated with responding to and recovering from ransomware attacks. Policies may cover expenses like:

  • Incident response and forensic services
  • Notifying customers and regulatory bodies
  • PR consulting to manage reputational damage
  • Employee productivity losses
  • Hardware replacement costs
  • Data restoration services
  • Legal and liability costs

However, policies vary widely in their ransomware coverage. Many exclude costs related to paying ransoms, and average claim limits are also often well below total recovery costs. Effective cyber insurance planning requires assessing potential risk scenarios and the losses they would cause.

Steps Organizations Can Take to Reduce Costs

While ransomware attacks can incur massive costs, organizations can take proactive steps to boost resilience and minimize costs. Actions to reduce potential ransomware recovery expenses include:

  • Implementing robust backup systems with offsite and offline storage, so that data can be recovered even if online backups are encrypted.
  • Developing an incident response plan to ensure an efficient coordinated response.
  • Securing and separating networks to limit the blast radius of infections.
  • Conducting penetration tests and red team exercises to find and fix vulnerabilities.
  • Investing in next-gen antivirus, email security, firewalls, and intrusion detection.
  • Providing cybersecurity training to educate employees as human firewalls.
  • Monitoring systems proactively via threat hunting and analytics.

Building cyber resilience across people, processes, and technology is the most effective way to minimize costs and damage when ransomware strikes.

Key Takeaways on Ransomware Recovery Costs

To summarize the key statistics and findings on the costs associated with recovering from ransomware attacks:

  • The average total cost of recovery is $1.85 million.
  • Average ransom payments account for about 10% of total costs.
  • Business interruption causes major productivity and revenue losses.
  • Rebuilding compromised systems and data contributes significantly to costs.
  • Consulting fees for incident response and IT support average $200,000.
  • Indirect costs like reputational harm and legal liabilities often occur.
  • Healthcare, education, and government sectors face the steepest costs currently.
  • Proactive security measures are essential to minimizing the economic damage.

Understanding the true magnitude of costs associated with successful ransomware attacks helps underscore the importance of prevention, resilience, and effective response plans.

Conclusion

Ransomware attacks represent serious cyber threats capable of greatly disrupting organizations and incurring massive recovery costs. However, by taking proactive steps to secure systems, back up data, and develop incident response plans, businesses can build resilience and mitigate costs. Cyber insurance can also help cover a portion of costs, though policies vary. Ultimately, investing in robust cyber defenses remains the best strategy for avoiding the costly aftermath of successful ransomware attacks.