We all know ransomware is pretty bad, but if you are a cybersecurity risk manager trying to justify the latest purchase to mitigate it, nailing down real numbers can be pretty hard. There are numbers all over the place.
For example, the FBI’s very respected 2020 Internet Crime Report states, “In 2020, the IC3 received 2,474 complaints identified as ransomware with adjusted losses of over $29.1 million.” That is not a lot in comparison to most other reports.
For example, Emsisoft states $18B was paid globally in ransom and total costs were in the hundreds of billions of dollars in 2020 alone. Cybersecurity Ventures says ransomware will cost $20B in 2021 and is estimated to grow to $256B in damages by 2031. So, one side is saying $18B-$20B in 2020 and 2021, while the other side is saying just $29.1M in 2020. Why the huge differences?
The key to reconciling these huge discrepancies and deciding which number is more accurate is in realizing they are often reporting drastically different things. In the FBI’s instance, they are only reporting on ransomware events reported to them. At the most, it would only include U.S. victims, and even then, it would have to be a very small percentage of ransomware victims. There is no legal requirement stating that a ransomware victim must get law enforcement involved. I assume many to most victims do not; especially the smaller organizations. Conversely, the larger figures in the billions always include global considerations from firms directly helping ransomware victims, whether law enforcement is involved or not.
Still, the FBI’s numbers seem low. If you divide the quoted losses ($29.1M) by the number of victims (2,474), you only get an average damage loss of $11,762. I am not sure what the FBI’s “adjusted losses” figures include, but that seems very low, even if it only included ransoms. Most of the other ransomware reports are showing numbers well over $50,000 to over $300,000 per victim for the ransom alone. And we know many multi-million-dollar ransoms were paid in the U.S. alone in 2020 and 2021. There have been at least a few handfuls of ransoms paid over $5M and at least one at $40M. That one ransom payment alone is more than what the FBI figures state in total. So, how can that be?
First, the FBI is reporting on “adjusted losses”. That is a financial accounting term. It likely only includes the losses not paid by cybersecurity insurance companies. We do know that cybersecurity insurance firm payouts have risen by 300% to 500% over the last two years, along with premiums and deductibles. This 2020 study stated that 64% of ransomware victims had cybersecurity insurance that covered ransomware. So, nearly two-thirds of ransomware-hit victims likely had only a much smaller deductible to pay (and not the whole ransom amount) unless the ransom and damages went over the ceiling of their coverage. Either way, the average ransoms paid do seem higher than the FBI’s reported figures.
For example, the 2021 CyberEdge Group Cyber Threat Defense Report states that the average ransom paid in 2020 was $166,475 and 57% of victims paid the ransom. Coveware says the average ransom paid in Q1 2021 was $220,298. Palo Alto Network’s 2021 Unit 42 Ransomware Threat Report stated that the average ransom paid in 2020 was $312,493. In fact, when I do a search of the Internet and look at every ransomware report I can find, none of them have figures as low as what the FBI is reporting. So, I am inclined to believe that the average ransom paid and losses due to ransomware are higher than what the FBI is reporting.
I do not want to discount that many of these vendors’ reports have no incentive to lowball figures. They are trying to sell products and services that mitigate the risk of ransomware. And conversely, any numbers reported to the FBI are likely going to be very accurate and very honest, from an accounting perspective, because lying to the FBI is a federal crime punishable by fines and jail time. But my bigger guess is that the FBI’s report does not include all costs due to the ransomware event, whereas the others do. There are just too many reports of much higher average ransoms paid to think that they are all outliers and the FBI’s report is the only accurate one.
Average vs Median
I also think the “average ransoms paid” figures are skewed by a few very high-paid ransoms, while the majority of paid ransoms are much lower. Reported figures back this up. For example, the Coveware Q1 2021 report figure listed above states that the average ransom paid was $220,298, but in the same report, it also says the median ransom payment was $78,398. The two figures don’t even seem close. This statistical fact means that a few victims on the upper end are paying far more than the rest of the victims, which brings up the overall average for everyone. Turns out having to pay a few $5M and $10M ransoms will skew results.
This Year vs Last Year
Also, many of the figures being reported are older. For example, the FBI’s figures are for prior years. They did not, for instance, include most of the recent much higher ransom payouts. I also came across older figures in cybersecurity insurance reports that, although still two or three times higher than the FBI’s figures, were far lower than what I have seen reported elsewhere. The year the reports are covering matters.
Ransomware is increasing in the number of organizations successfully exploited, the size of ransoms paid and the percentage of victims paying. These numbers have steadily increased, year-over-year, since the beginning of ransomware in 1989, and at this moment, are still increasing. Last year’s figures are usually going to be lower than this year’s figures, and if you extrapolate into the future, higher next year. Be careful not to use anyone’s 2019 or before figures. Many 2020 reports are reporting on 2019 data and before, and so on.
And those lowball cybersecurity insurance reports I used to see that were closer to the FBI’s figures have all disappeared this year. When you see the large number of cybersecurity insurance firms quit covering ransomware at all, and those that remain offer far less ceiling coverage (closer to $50K to $100K than in the millions like they used to cover), and the premiums for that significantly reduced coverage have significantly increased, you know average ransomware costs per event have increased. I think the fallout in the cybersecurity insurance industry tells you all you need to know. Cybersecurity insurance firms would not be exiting if average adjusted losses were really only $11K.
Location, Location, Location
Different countries are known for paying different percentages and amounts of ransom. Many reports have country-specific, industry-specific and organization-size-specific figures that you can use to calculate from. For example, try the Hiscox Cyber Readiness Report 2021. It has a great selection of figures and breaks down ransom and other costs by industry, size and country.
What Is Being Counted?
It is also important to realize that different reports include and talk about different figures. Adjusted losses and ransom paid are not the total cost of ransomware. When doing risk management planning, you need to estimate total damages due to a successful ransomware event, not just adjusted losses or ransom paid. Here is a more inclusive list of potential costs to consider:
Whether or not a ransomware event has occurred:
- Costs of ransomware mitigations to prevent an attack in the first place
- Increase in backup costs and labor to prepare to recover from a ransomware event
- Cybersecurity insurance premiums, if any
If a ransomware event has occurred:
- Ransom paid, if any
- Recovery expenses
- Business interruption losses, by the intended victim and downstream impacts
- Law enforcement and investigation costs
- Personnel changes, adds/deletes/changes, if any
- Productivity slowdowns due to new procedures and protections, if any
- Reputational harm
- Additional defense preparations to mitigate the next attack
With all of this said, costs from a ransomware event can be random. Many direct-action ransomware trojans (the ones that just immediately encrypt the computer they are on without seeking to encrypt more computers or take over the whole network) often ask every victim for the same “low” amount – usually under $1,000 USD. The more sophisticated kinds of cyber criminals behind ransomware, which are responsible for the vast majority of ransomware today, take their time to evaluate how much money they can ask the victim for. They want to ask for the most ransom they think they can get paid within 3-5 days, that the victim will actually pay. They do not want to ask for too much or too little. So, the size of your organization matters greatly.
The average ransomware gang will research your organization and try to determine how much money you make a day and in a given year. Then, they will ask for some percentage of that amount. Your recovery costs will depend on whether you pay the ransom or not. People paying the ransom tend to get back more data and have lower costs than those who do not. How many computers you have to recover will determine overall costs. Do you have cybersecurity insurance to offset the potential costs, and if so, how much coverage?
If I were doing a ransomware risk management assessment, I would start with the average ransom paid for an organization with my sized revenues. If your organization only makes $1M a year, the ransomware gang is not going to ask you for $5M in ransom. If you are on the larger side, go with the average figures of $200K-$300K to be on the safe side if you do not have a better guess. If you are a much smaller organization, go with a median figure. Then estimate the cost of being down for several weeks. Add to it the cost of having to recreate your IT infrastructure from scratch. Add to it the cost of any possible data restoration costs. It is important to remember that many times (over 77% of the time), ransomware groups exfiltrate your data and threaten to release it to others if you do not pay, so data restoration is not the 100% saving grace it used to be. Calculate in the costs of not being up at full capacity for several months, at least, and any possible resulting reputational harm and customer loss.
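The two calculations this post leans on, the mean-versus-median skew from a few huge ransoms and the total-cost estimate built from the cost components above, as an added example that is not from the original post. Every ransom and cost figure in it is a constructed sample value, and the deductible/ceiling insurance model is an assumption about how an "adjusted" out-of-pocket loss could come out far below the gross cost.

```python
"""Added example: a small ransomware cost model for risk planning.

1. mean_vs_median: a couple of multi-million-dollar ransoms pull the mean far
   above the median, which is why the post suggests the median for small orgs.
2. out_of_pocket: assumed insurance model (deductible + coverage ceiling)
   showing how a victim's net loss can be a fraction of the gross cost.
3. estimate_event_cost: sums the cost components listed in the post.
All numbers are constructed sample values, not figures from any report.
"""
from statistics import mean, median

# Constructed: 18 "typical" ransoms plus two outliers, in USD.
SAMPLE_RANSOMS = [
    55_000, 62_000, 70_000, 74_000, 78_000, 80_000, 85_000, 90_000, 95_000,
    100_000, 110_000, 120_000, 130_000, 150_000, 175_000, 200_000, 250_000,
    300_000, 5_000_000, 10_000_000,
]


def mean_vs_median(ransoms):
    """Return (mean, median); the gap shows how outliers skew the 'average'."""
    return mean(ransoms), median(ransoms)


def out_of_pocket(gross, deductible, ceiling):
    """Assumed policy: victim pays the deductible, the insurer pays the next
    `ceiling` dollars, and anything above that falls back on the victim."""
    if gross <= deductible:
        return gross
    insured = min(gross - deductible, ceiling)
    return gross - insured


def estimate_event_cost(ransom, days_down, daily_revenue, rebuild, restore,
                        reputational, deductible=0, ceiling=0):
    """Gross cost of one event (post's components: ransom, interruption,
    rebuilding infrastructure, data restoration, reputational harm) and the
    net cost after the assumed insurance model."""
    gross = ransom + days_down * daily_revenue + rebuild + restore + reputational
    return {"gross": gross,
            "out_of_pocket": out_of_pocket(gross, deductible, ceiling)}


if __name__ == "__main__":
    avg, med = mean_vs_median(SAMPLE_RANSOMS)
    print(f"mean ransom ${avg:,.0f} vs median ${med:,.0f}")
    # Constructed scenario: three weeks down, $10K/day revenue, $25K deductible,
    # $100K ceiling (the reduced coverage range the post mentions).
    print(estimate_event_cost(200_000, 21, 10_000, 150_000, 50_000, 100_000,
                              deductible=25_000, ceiling=100_000))
```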
This is to say that the cost of a single successful ransomware event is pretty expensive no matter the size of your organization. It is far cheaper in every scenario to prevent ransomware from happening in the first place. It can be done. Create and enforce the best, defense-in-depth, layered set of computer security controls you can in order to prevent hackers and malware from getting inside of your organization. Since social engineering and phishing are the top ways ransomware gets into an environment, fight those problems first and best (unpatched software and password guessing are the number two and number three causes). Anything you can do (i.e., policies, technical defenses and education) to prevent social engineering and phishing from being successful is money well spent. Sadly, most organizations spend less than 5% of their IT security budget trying to fight social engineering and phishing. It is this fundamental misalignment of risk versus mitigation that allows hackers, malware and ransomware to be so successful.
If you want to best fight ransomware, consider using KnowBe4 for your security awareness training. You can also download our free Comprehensive Anti-Phishing Guide ebook.
The potential cost of a ransomware event can be difficult to calculate, but in every case, it is much better to prevent one from happening than paying after a successful compromise.