The real problem with ransomware
Posted: July 27, 2017 by Malwarebytes Labs
Ransomware – a specialized form of malware that encrypts files and renders them inaccessible until the victim pays a ransom – is an extremely serious problem, and it is quickly getting worse. The FBI estimated that ransomware payments reached $1 billion in 2016, up from “just” $24 million the year before. 2017 will likely bring another dramatic increase in extortion payments, with tens of thousands of ransomware victims paying several hundred dollars each to recover their encrypted files. In some cases the ransom is far larger: South Korean web hosting company Nayana paid 397.6 Bitcoin (about $1 million) in June 2017, and Hollywood Presbyterian Medical Center paid $17,000 in Bitcoin in February 2016.
Despite the significant sums paid to the cybercriminals behind ransomware, Osterman Research found that most ransomware victims do not pay what is demanded of them. In a six-country survey of 1,054 small to medium-sized businesses conducted in June 2017 for Malwarebytes by Osterman Research, we found that only 28 percent of ransomware victims actually paid the ransom.
Since most organizations choose not to pay, the primary challenge stemming from a ransomware attack is not the ransom itself. Instead, Osterman Research found that the largest cost of ransomware is the downtime that results when endpoints become infected and the files they hold are no longer accessible. We found that the average downtime resulting from a ransomware infection is 21.4 hours, meaning that potentially critical files and systems are unavailable to an organization for nearly a day (and much longer in some cases). For example:
- Desktop or laptop PCs infected with ransomware prevent users from accessing corporate email or databases, so users may be unable to communicate with key clients or respond to inquiries in a timely manner. At a minimum, employee productivity can be seriously impacted by ransomware-induced downtime. For example, on June 27, 2017, Washington, D.C.-based law firm DLA Piper instructed its employees not to turn on their computers and to remove all laptops from their docking stations, and in May 2017 FedEx employees received a text message telling them to turn off their computers as a precaution against a fast-moving ransomware attack.
- Servers or other endpoints involved in processing retail transactions that are infected with ransomware can no longer do so, resulting in delayed or lost sales. One example is the KimcilWare ransomware that targets the Magento eCommerce platform.
- Hospitals whose systems become inaccessible for hours or days because of ransomware can see lives put at risk, such as NHS patients whose cancer treatments were delayed as a result of a May 2017 attack.
- Manufacturing operations can be temporarily shut down due to a ransomware attack, as were Renault factories in France and Slovenia in May 2017.
In short, while ransomware payments will likely cost businesses several billion dollars in 2017, the cost of downtime will be much higher.
To understand the full impact of downtime from an attack, Osterman Research has developed a cost calculator that aims to quantify the cost of downtime resulting from a ransomware attack. Using data from the June 2017 survey mentioned above, as well as secondary data, we made the following assumptions for an organization of 500 users that suffers just two downtime incidents per year:
- Mean employee hourly wage: $28.00
- Employee productivity loss during downtime: 50 percent
- Corporate revenue generation per hour: $24,000
- 21 hours of downtime until full recovery
- Impacts of ransomware:
  - 50 percent chance of employees suffering productivity loss
  - 30 percent chance that the business will shut down temporarily
  - 20 percent chance of corporate revenue loss
Based on these assumptions, we found that for a 500-employee business, the total annual impact of downtime resulting from just two ransomware infections is $219,634, or roughly $220 per employee for each infection. In other words, each ransomware attack costs the organization the equivalent of nearly one day’s productivity per employee (at $28 per hour, an eight-hour day is $224), not to mention the hard-to-quantify impacts of lost future revenue, damage to corporate reputation, missed deadlines, and so on.
What this also means is that if a company could deploy a technology that prevented just one of these two ransomware infections each year, it would avoid nearly $110,000 per year in downtime costs, or about $220 per user. If the total cost of that solution were $50 per user per year, the organization would still come out ahead by roughly $170 per user per year.
In short, the primary cost of ransomware to your company is not the ransom that is demanded of you. The real cost of ransomware is the downtime it causes, and that cost is much greater than the ransom.