
Ransomware is a form of malicious software (malware) that is designed to encrypt files on a device, making the files and the systems that rely on them unusable. Malicious actors then demand a ransom payment, usually in the form of cryptocurrency, in exchange for decryption. These malicious actors may also make extortion demands by threatening to release stolen data if a ransom is not paid, or may come back after the fact and demand an additional payment not to release stolen information.

Revenue

A ransomware attack can severely affect the operating capability of an organization. Even if the organization is well prepared and has functional back-ups, restoring affected systems could take hours. Worse, organizations that were not as prepared, or whose back-ups may have been compromised during the attack, could take days or weeks to return to full operating capacity, meaning their revenues will decline or stop altogether while they are recovering.

Reputation

Suffering a data breach or a ransomware attack can adversely affect the reputation of an organization. Some customers may view a successful attack as an indication of weak security practices, or may be so severely impacted by a service disruption that they choose to conduct business elsewhere.

Financial

Ransomware is an unexpected cost, and it is expensive. In addition to the loss in revenue an organization may suffer, there are other costs, some obvious and some not. More obvious costs include: the cost of the ransom payment (if paid); the cost to remediate the incident, including new hardware, software, and incident response services; insurance deductibles; attorney fees and litigation; and public relations. Less obvious costs may include: insurance premium increases; devaluation of reputation or trade name; and loss of intellectual property.

Data

During a ransomware attack, a malicious actor will encrypt numerous files, making them, and often the systems that rely on them, unusable. If a ransom is not paid, these encrypted files are often permanently locked, requiring the organization to regenerate the information, if it can. However, even if a ransom is paid, there is no guarantee that a threat actor will act benevolently and provide a decryption key. Moreover, even if a key is provided, it is still possible the ransomware attack caused significant destructive damage, which may require rebuilding the affected systems anyway. Further, if a threat actor has stolen a trade secret, proprietary information, or any Personally Identifiable Information (PII), the loss of this data could spur legal action or lead to the loss of a competitive advantage.

  • Ransomware, like other forms of malware, seeks to take advantage of poor security practices by employees and system administrators. According to the Internet Crime Complaint Center (IC3), the most common methods of infection are [1]:
    • Email Phishing: a form of social engineering where a cyber-criminal sends an email that appears to be legitimate but contains a link to a malicious website, or a document with a malicious script, that infects the recipient’s computer and associated network.
    • Remote Desktop Protocol (RDP) Vulnerabilities: RDP is a type of software that allows individuals to control the resources of another computer over the internet. RDP is commonly used by employees working remotely and by system administrators to manage computers from a distance.
    • Software Vulnerabilities: flaws in the code of a piece of software that can be exploited by threat actors to gain control of a system and deploy malware.

  • Projected Cost – Ransomware, like other successful cyber-attacks, can be expensive to remediate, and since 2018 the costs associated with ransomware and extortion insurance claims have risen sevenfold [2]. As mentioned above under financial costs, there are several obvious and not-so-obvious expenses related to recovery. Depending on the severity of the attack, the availability of back-ups, and the size of your network, costs can vary from a few thousand dollars to a few million, which doesn’t include the cost of the ransom. According to a recent briefing of the U.S. Department of Health and Human Services, the average cost of rectifying a ransomware attack, across all industries, was $1.27M [3]. However, if data is stolen from your organization in addition to the ransomware attack, costs can be even higher: according to IBM’s 2020 Annual Cost of a Data Breach Study, the average cost of recovering from a data breach for a U.S. company is $8.19M [4].
  • Average Ransom Demand – As with projected costs, the average demand can vary wildly. Ransom demands typically are contingent on the type of organization and its annual revenues. For instance, recent attacks on critical infrastructure in 2021 have seen ransom demands range from $5M to $11M, with insurer AIG noting in its Q3 2020 Claims Analysis that payments vary depending on the characteristics of the attack [5]. The U.S. Department of Health and Human Services reports that in 2021 the average ransom demand against hospitals has been $131,000 [6].

  • Average Downtime – In terms of downtime, organizations recover as quickly as they are resilient. If an organization has working back-ups that are regularly tested, the outage could last only a few hours. However, if an organization is unable to restore its systems from back-ups, the outage could last days or weeks, particularly if the replacement of unique hardware is required or a complete rebuild of the network is necessary. If this is the case, most organizations can expect to be down for several days in order to restore their systems. Insurer AIG notes in its Q3 2020 Claims Analysis that the typical outage length ranges from 7-10 days [7].

Defending your network against ransomware is no different from defending your network against any number of cyber threats. Cyber defense is based on good cyber hygiene principles and involves a nexus of people, processes, technology, and resiliency.

  • Process - Cybersecurity starts with your organization’s leadership making it a priority and implementing cybersecurity best practices.
  • People - Employees must also be educated and engaged to recognize potential threats and avoid them.
  • Technology - Lastly, segmenting your network into smaller zones to limit what an attacker can reach, keeping it up-to-date, and having a layered defense to monitor for and take action against threats will help to prevent and mitigate attacks.
  • Resiliency - However, it is important to keep in mind that while your organization’s defenses have to be right 100 percent of the time to guard against attack, attackers only have to be successful once. With this in mind, every organization should develop a disaster recovery and business continuity plan. Organizations may also want to consider purchasing a cyber insurance policy to help defray some of the costs of a cyber-attack.

  • Be wary of social-engineering tactics used by malicious actors, such as phishing, vishing, and SMSishing, which trick employees into opening emails and documents containing malware, clicking malicious links, or divulging sensitive information.
  • Do not open attachments or click on links in emails that are unusual or from someone you do not know.
  • Report suspicious emails or computer activity to your IT or cybersecurity department.

  • Keep your network up-to-date with the latest software patches.
  • Use robust antivirus and firewall protections in your network.
  • Back up data securely and separately from your network, and routinely test restoring backups.
  • Deploy mandatory employee training and testing on phishing and other security practices.
  • Maintain regularly updated “gold images” of critical systems in the event they need to be rebuilt.
  • Retain backup hardware to rebuild systems in the event the primary hardware is destroyed during a cyber attack.
  • Run simulations and drills to assess your capability and resiliency in the event of an attack.
  • Consider physical or logical network segmentation.
  • Employ the concept of ‘least privilege’ to limit the use of administrator privileges.
  • Require the use of multi-factor authentication, like a one-time password, token or key, as a safeguard in case a username-password combination is compromised.
  • Create your own “Red Team” or hire one from a cybersecurity firm to routinely attack and evaluate your systems using the same techniques as the bad guys.
  • Consider using encryption to make data harder to access, copy or transfer.
  • Use an application “allow list” to only permit designated applications to run on your network.
  • Develop a business continuity plan that will allow you to sustain operations without access to certain systems.
  • Consider purchasing a cyber insurance policy to help defray the cost of a cyber attack.
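Two of the recommendations above, keeping backups and routinely testing that they restore, are the ones that decide whether an outage lasts hours or weeks, and "routinely test restoring backups" is easy to say and rarely automated. The script below is an added example written for this page, not code from the original or from any product it mentions. It assumes a POSIX shell with tar and GNU coreutils (sha256sum, mktemp), builds a small constructed data set, backs it up together with a SHA-256 manifest, restores it into a scratch directory, and checks every file against the manifest. It then deliberately alters one restored file to confirm the check would catch a backup that was damaged or tampered with. It does not address where the backup is stored; keeping the archive and manifest off the network that ransomware could reach is a separate requirement.

```shell
#!/bin/sh
# Added example, not part of the original page: a minimal backup/restore drill.
# Assumes POSIX sh plus GNU coreutils (sha256sum, mktemp) and tar.
set -eu

# abs_path FILE: print FILE as an absolute path (portable stand-in for realpath).
abs_path() {
    printf '%s/%s\n' "$(cd "$(dirname "$1")" && pwd)" "$(basename "$1")"
}

# make_backup SRC_DIR ARCHIVE: archive SRC_DIR and write a SHA-256 manifest
# (ARCHIVE.sha256) so a later restore can be verified file by file.
make_backup() {
    src="$1"; archive="$2"
    ( cd "$src" && find . -type f -exec sha256sum {} + | sort -k2 ) > "$archive.sha256"
    tar -cf "$archive" -C "$src" .
}

# restore_backup ARCHIVE DEST_DIR: unpack ARCHIVE into DEST_DIR (created if needed).
restore_backup() {
    mkdir -p "$2"
    tar -xf "$1" -C "$2"
}

# verify_manifest DIR MANIFEST: return 0 only if every file listed in MANIFEST
# exists under DIR with exactly the recorded hash; non-zero otherwise.
verify_manifest() {
    dir="$1"; manifest=$(abs_path "$2")
    ( cd "$dir" && sha256sum --quiet -c "$manifest" >/dev/null 2>&1 )
}

# run_drill: exercise the whole cycle on constructed sample data.
# Returns 0 only if a clean restore verifies AND a damaged restore is detected.
run_drill() {
    work=$(mktemp -d)
    src="$work/data"
    mkdir -p "$src/accounts"
    # Constructed sample files standing in for the data you would protect.
    printf 'id,balance\n1,100\n2,250\n' > "$src/accounts/ledger.csv"
    printf 'retention_days=30\n' > "$src/settings.ini"

    make_backup "$src" "$work/backup.tar"
    status=0

    # Drill 1: a clean restore must match the manifest exactly.
    restore_backup "$work/backup.tar" "$work/restore_clean"
    if verify_manifest "$work/restore_clean" "$work/backup.tar.sha256"; then
        echo "drill 1: clean restore verified"
    else
        echo "drill 1: FAILED - clean restore did not verify"; status=1
    fi

    # Drill 2: a damaged restore (one file altered after unpacking) must be caught.
    restore_backup "$work/backup.tar" "$work/restore_damaged"
    printf 'retention_days=0\n' > "$work/restore_damaged/settings.ini"
    if verify_manifest "$work/restore_damaged" "$work/backup.tar.sha256"; then
        echo "drill 2: FAILED - damaged file went unnoticed"; status=1
    else
        echo "drill 2: damaged file detected"
    fi

    rm -rf "$work"
    return $status
}

run_drill
```

Run it as `sh backup_drill.sh`; a non-zero exit means one of the two drills failed. In a real environment the same three functions would point at the production data set and the archive kept off-network, and the drill would be scheduled so that a restore is proven on a calendar, not discovered to be impossible during an incident.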

  • Execute your incident response and business continuity plan as soon as possible when you experience a ransomware attack.
  • Contact your financial institution and make them aware that you have experienced a ransomware attack and are executing your resiliency plans.
  • Suspend access to payment platforms to mitigate the execution of fraudulent transactions until you are confident that your network is secure.
  • During the attack, review wires and ACH credit origination transactions prior to release by your financial institution.

Additional Ransomware Resources:

References

1. Internet Crime Complaint Center, Internet Crime Report 2020.
2. AIG, Cyber Claims Analysis, Q3 2020.
3. Health and Human Services Cyber Security Program, Ransomware Trends 2021, June 3, 2021.
4. IBM, Cost of a Data Breach Report 2020.
5. AIG, Cyber Claims Analysis, Q3 2020.
6. Health and Human Services Cyber Security Program, Ransomware Trends 2021, June 3, 2021.
7. AIG, Cyber Claims Analysis, Q3 2020.