What is the average recovery cost of ransomware?

Ransomware attacks have been on the rise in recent years, inflicting significant financial damage on businesses and organizations around the world. A ransomware attack typically involves malicious software that encrypts an organization’s files and data, rendering them inaccessible until a ransom payment is made. Recovering from such an attack often requires a complex and costly process of rebuilding systems, restoring data backups, investigating the attack, and hardening defenses against future incidents.

Key Questions

Some key questions around the financial impact of ransomware attacks include:

  • What is the average total cost incurred by an organization to fully recover from a ransomware attack?
  • What proportion of this cost is accounted for by the ransom payment itself, versus other recovery expenses?
  • How do recovery costs vary based on the size of the organization attacked?
  • What are the main cost components that contribute to the total recovery burden?

Average Total Cost of Recovery

According to various studies and surveys, the average total cost of recovery from a ransomware attack ranges from $761,106 to $1.85 million. A 2021 study by Sophos placed the global average cost at $1.85 million for organizations in 2020. Comparatively, Coveware’s 2021 survey reported an average ransomware recovery cost of $1.4 million in Q4 of 2021. Cybersecurity Ventures provides a more conservative estimate of $761,106 as the average recovery cost per organization based on 2016-2017 data.

These cost estimates encompass all expenses related to recovering from a ransomware incident, including:

  • The ransom payment itself, if one is made
  • Costs for forensic analysis of the attack
  • Costs for restoring data and files from backups
  • Costs for patching vulnerabilities and bolstering security defenses
  • Lost revenue from business interruption during recovery
  • Remediation of damaged systems and software
  • Additional IT and staffing costs

Breakdown of Average Ransomware Recovery Costs

Cost Component                       Proportion of Total
Lost business due to interruption    32%
Remediation of systems and data      23%
Ransom payment                       21%
Legal fees                           15%
PR and communications                 5%
Insurance premium increases           3%
Technical investigation               1%

As this breakdown indicates, business interruption accounts for the largest share of the total burden at 32%. Remediation costs also consume a significant portion at 23%, followed by the ransom payment itself at 21%. Legal fees, PR activities, and other expenses make up smaller but still substantial segments.

Cost Variation by Organization Size

The costs incurred due to ransomware differ significantly based on the size of the organization targeted. Small businesses with under 100 employees tend to face ransom demands and recovery costs in the tens of thousands of dollars. Midsized organizations see costs ranging from the low hundreds of thousands to the low millions.

For larger organizations with over 1,000 employees, average ransomware recovery costs routinely exceed $1 million. A 2020 study by Emsisoft on ransomware incidents in North America indicated the following breakdown by organizational size:

  • Small businesses: Average recovery cost of $46,800
  • Midsized businesses: Average recovery cost of $743,320
  • Large businesses: Average recovery cost of $1.59 million

The main driver behind the differences is the amount of business interruption large organizations experience when mission-critical systems are disabled by ransomware. The ransom payment also tends to scale with company size, as threat actors demand larger sums from companies perceived as having deeper pockets.

Average Ransomware Recovery Cost by Company Size

Company Size                                  Average Cost
Small business (under 100 employees)          $46,800
Midsized business (100 to 1,000 employees)    $743,320
Large business (over 1,000 employees)         $1.59 million

Cost Components

The major components that make up the total ransomware recovery cost for most organizations include:

Business interruption

This refers to the economic impact of critical business operations being halted while ransomware locks down IT systems and data. Without access to essential systems, organizations are often forced to stop services and production, resulting in lost revenues and profits. Business interruption accounts for the largest share of recovery costs in most studies.

Remediation

Substantial costs are incurred in the process of rebuilding compromised systems, restoring data from backups, removing malware infections, and hardening security. This includes both internal IT staffing costs as well as fees paid to external consultants and specialists.

Ransom payment

If the organization decides to pay the ransom demand, this is often one of the largest direct costs of recovering from the attack. The ransom amounts vary widely, from several thousand dollars to millions of dollars for large enterprises. The average ransom payment was around $170,000 in 2020.

Legal fees

Ransomware victims often engage law firms to help navigate the incident response process, communicate with threat actors, and determine legal obligations around ransom payments. Legal expertise is also required to determine liability and potential litigation actions.

Public relations

Additional costs are incurred in PR and communications efforts to manage reputation damage and inform stakeholders, customers, and the public of the attack. Regulatory disclosures may also be required.

Insurance premiums

Cyber insurance policies may cover some portion of ransomware recovery costs. However, renewed premiums after an incident often increase significantly.

Investigation and forensics

IT forensics experts are often engaged to determine the root cause, extent of the breach, and steps needed to prevent future attacks. Threat intelligence and incident response specialists add to costs.

Cost Mitigation Strategies

Given the severe financial impact ransomware can inflict, investing in proactive mitigation strategies pays dividends by reducing the overall recovery burden. Some key strategies include:

  • Employee training – Ongoing security awareness training makes employees less vulnerable to phishing and social engineering tactics that often enable ransomware attacks.
  • Email security – Advanced email security solutions can detect and filter out dangerous ransomware executable files targeting employees.
  • Endpoint protection – Effective endpoint detection and response software can stop ransomware infections before they spread across networks.
  • Network segmentation – Separating and isolating high-value systems and data makes it harder for ransomware to propagate.
  • Backups – Maintaining recent backups of critical data enables restores without paying the ransom demand.
  • Incident response plan – Having an updated plan to guide rapid action against an attack limits damage and promotes faster recovery.

The Ransom Decision

One of the most difficult decisions an organization faces during a ransomware incident is whether or not to pay the ransom demand. There are compelling arguments on both sides of the issue:

Reasons to pay

  • Quickly regain access to encrypted systems and data
  • Prevent business interruption from extending further
  • Cheaper than rebuilding systems from scratch
  • Retrieve data not backed up

Reasons not to pay

  • No guarantee of getting decryption key
  • Data may be stolen and leaked anyway
  • Payment funds criminal enterprises
  • Paints a target for future attacks

With weighty repercussions on both sides, the ransom decision requires a context-specific cost-benefit analysis for each organization. Government agencies and law enforcement typically recommend against paying ransoms. Most private companies take a pragmatic approach focused on minimizing overall business disruption.

Ransomware Trends

Several ransomware attack trends are driving the rise in costs for organizations:

  • Double extortion – Increasingly, attackers not only encrypt data but exfiltrate it and threaten to publish sensitive documents if the ransom isn’t paid.
  • Ransomware-as-a-Service (RaaS) – Ransomware kits are sold as a service on dark web marketplaces, lowering the barrier to launching attacks.
  • Targeted attacks – More threat actors are shifting from “spray and pray” attacks to researched, targeted ransomware campaigns on valuable targets.
  • Critical infrastructure – Ransomware is increasingly disrupting hospitals, transportation networks, food supply chains and other critical infrastructure.

These trends significantly magnify both the likelihood of attacks and the resulting recovery costs. More sophisticated tactics and increasing ruthlessness on the part of attackers make ransomware a high-stakes threat for organizations of all sizes and industries.

The Role of Cyber Insurance

As ransomware costs rise, cyber insurance policies have become an important element of risk transfer and cost mitigation for many organizations. By 2021, over 90% of Fortune 500 companies had purchased cyber insurance. Policies cover a portion of costs associated with incident response, business interruption losses, investigation, and ransom negotiations.

However, insurance coverage for ransomware comes with caveats. Most policies have limits on total claim amounts. Insurers may refuse to reimburse ransom payments. Premiums increase sharply after attacks, and exclusions for ransomware are becoming more common. Policyholders also must follow strict security standards to receive payments.

Cyber insurance can be a valuable risk management tool but is not a panacea. Reducing the business impact of attacks through security best practices remains imperative.

Global Impact

While individual attacks make headlines, the cumulative worldwide impact of ransomware is massive and still growing. Cybersecurity Ventures estimated that global ransomware losses would exceed $20 billion in 2021. In June 2021, REvil ransomware alone extorted over $70 million in just one weekend of attacks.

In addition to the economic damage, ransomware threatens human lives and safety when it strikes healthcare organizations and critical infrastructure. The FBI received 2,084 ransomware complaints from businesses and organizations of all sizes in 2020, a more than 225% annual increase.

As ransomware becomes increasingly destructive and disruptive globally, companies and governments must make cyber resilience a top priority. Implementing layered defenses and comprehensive preparedness is the best way to weather the ransomware storm.

Key Takeaways

  • Average total ransomware recovery costs range from $761,000 to $1.85 million per incident.
  • Business interruption accounts for the largest share of costs, followed by remediation and ransom payments.
  • Costs scale significantly with company size, exceeding $1 million on average for large businesses.
  • Effective mitigations include training, backups, segmentation, email security and proactive planning.
  • While controversial, ransom payments may be the most cost-effective recovery option in some cases.
  • Cyber insurance policies can offset costs but come with limitations.
  • Ransomware’s global impact runs into tens of billions of dollars annually.

Conclusion

Ransomware remains one of the most financially destructive cyber threats facing businesses today. Both the frequency and costs of attacks continue to rise. The average total cost of recovery now ranges from three-quarters of a million dollars to nearly $2 million for impacted organizations.

The bulk of these costs stem from business interruptions as operations grind to a halt. Remediating systems, restoring data, paying ransoms and legal fees add to the burden. Larger organizations tend to bear the brunt of the damage, with average recovery costs exceeding $1.5 million.

Reducing the costs requires a strategy focused on security awareness, technical protections, backups, and effective incident response. While paying ransoms is controversial, the business impact may dictate that option in some cases. Cyber insurance can potentially recoup a portion of costs but is not a complete solution.

In the evolving ransomware landscape, companies must remain vigilant and regularly assess their defenses. Proactive investments in prevention and resilience continue to be the best path to avoiding crippling recovery costs.