Ransomware Prevention vs. Recovery: Which Costs Businesses More?

It probably comes as no surprise that ransomware attacks are more prolific now than they were several years ago. A 2021 survey found that ransomware attacks increased 62% over the preceding two years, as reported by Security Magazine, with North American registering a surge of 158% during that same period.

These findings reflect several developments. Among them was the decision of digital criminals to capitalize on organizations’ growing network complexity following the events of 2020. In the process, malicious actors elected to attack their targets using new tactics like double extortion as well as sophisticated ransomware variants like REvil/Sodinokibi.

What should come as a surprise is the fact that some organizations are still weighing whether to invest in anti-ransomware capabilities or to pay the costs stemming from a ransomware attack. The answer is obvious to us: it costs much more to suffer a ransomware infection and recover fully than it does to prevent one in the first place. Let’s delve into the reasons why below.

The Costs of a Ransomware Attack

In its Cost of a Data Breach Report 2021, IBM found that ransomware attacks cost an average of $4.62 million. That amount is nearly half a million dollars more than the price tag of the average data breach at $4.24 million. What’s more, it doesn’t include the cost of paying the ransom.

So, what damages factor into that total? To answer that question, it’s helpful to look at our own ransomware study from 2021, titled Ransomware: The True Cost to Business, which revealed:

  • Loss of Business Revenue: Two-thirds of participants in our survey said that their employer suffered significant revenue loss following a ransomware attack.
  • Damage to Brand and Reputation: Slightly less than that (53%) indicated that a successful ransomware infection damaged their employer’s brand and reputation.
  • Loss of C-Level Talent: In 32% of cases, victims lost C-Level talent after weathering a security incident involving ransomware.
  • Layoffs of Employees: Nearly three in 10 (29%) participants said that their organizations laid off employees due to the financial pressures confronting them in the aftermath of a ransomware attack.
  • Closures of Businesses: About a quarter of survey participants noted that a ransomware infection forced their employer to temporarily cease operations.

Which brings us to the additional cost of paying the ransom. In terms of monetary amount, our survey found that 35% of organizations that paid the ransom ended up sending between $350,000 and $1.4 million to the attackers. Seven percent spent even more than that, a reality which became common in the first half of 2021.

Indeed, Bloomberg wrote that the average ransom demand increased to between $50 million and $70 million during that period, with victims spending between $10 million and $15 million after negotiations with the attackers and/or relying on their cyber insurance policies to cover a part of the requested amount.

The issue with paying is that it doesn’t guarantee victims can recover their data. Of those respondents in our survey who said they’d paid the ransom, for instance, nearly half (46%) revealed that some or all their data was corrupted. An additional three percent went on to clarify that they did not gain access to any of their encrypted data after paying.

Paying also communicates the likelihood that an organization will pay up in a follow-up attack. That explains why four-fifths of our survey participants who fulfilled their attackers’ demands ended up incurring another attack from the same ransomware gang or a different group altogether.

A Bit of Ransomware Perspective

Just to clarify, everything discussed above represents the costs for a single ransomware incident. They don’t include the possibility of organizations suffering more than one ransomware incident in a single year. They also don’t include the regulatory compliance fees that they could incur in suffering a ransomware infection, and they don’t include the possibility of suffering other costly security events such as business email compromise (BEC) scams.

Subsequently, organizations could save a lot of money by focusing on augmenting their security posture so that they can defend against ransomware and other threats. One of the ways they can do that is by implementing an anti-ransomware solution that leverages both Indicators of Compromise (IOCs) and Indicators of Behavior (IOBs), the more subtle attack activity that can reveal an attack earlier.

Such a tool will help organizations to visualize a ransomware attack wherever it’s occurring in their environments, even an operation that’s not struck elsewhere before, so that their security teams can quickly shut it down.

The Cybereason Advantage Over Ransomware

The best strategy for organizations is to prevent a ransomware attack from being successful in the first place. To do that, they need to invest in a multi-layered solution that leverages Indicators of Behavior (IOBs) to detect and prevent a ransomware attack at the earliest stages of initial ingress, prior to the exfiltration of sensitive data for double extortion, and long before the actual ransomware payload is delivered.

The Cybereason Operation-Centric approach means no data filtering and the ability to detect attacks earlier based on rare or advantageous chains of (otherwise normal) behaviors. Cybereason is undefeated in the battle against ransomware thanks to our multi-layered prevention, detection and response.

Cybereason is dedicated to teaming with defenders to end cyber attacks from endpoints to the enterprise to everywhere - including modern ransomware. Learn more about ransomware defense here or schedule a demo today to learn how your organization can benefit from an operation-centric approach to security.

Anthony M. Freed
About the Author

Anthony M. Freed

Anthony M. Freed is the Senior Director of Corporate Communications for Cybereason and was formerly a security journalist who authored feature articles, interviews and investigative reports which have been sourced and cited by dozens of major media outlets. Anthony also previously worked as a consultant to senior members of product development, secondary and capital markets from the largest financial institutions in the country, and he had a front row seat to the bursting of the credit bubble.

All Posts by Anthony M. Freed