The True Cost of Ransomware Attacks

Along with reputational damage, downtime, and supply chain disruptions, ransomware attacks are notoriously costly to resolve.

From the ransom payment itself to recovery costs and the profit lost to disrupted operations, we’ve reviewed 192 trillion data points in our annual report to work out the average cost of a ransomware attack.

In this ransomware cybersecurity playbook, we’ll run through common trends in ransomware attacks in 2024, along with the true cost of these cyberattacks—and what you can do about them.

1. What are ransomware attacks?

A ransomware attack is when cybercriminals encrypt a victim’s data (and, increasingly, steal a copy of it first) and demand a payment, the “ransom,” to restore access.

Incidents like this begin when threat actors gain a foothold in the victim’s environment, typically through an exposed service, a vulnerable piece of software, or a tricked user, and then encrypt critical systems until the ransom demand is paid.

To gain that initial access, they commonly use:

  1. Phishing emails: Attackers send emails containing malicious attachments or links. When the recipient opens the attachment or follows the link, the ransomware loader executes and infects the system.
  2. Malvertising and scams: Cybercriminals inject malicious code into legitimate online advertising networks. When users click on these ads, they unwittingly download ransomware onto their devices.
  3. Exploit kits and vulnerability exploitation: Attackers use exploit kits or public exploit code against unpatched software or operating systems to gain unauthorized access and deploy ransomware.
  4. Remote Desktop Protocol (RDP) compromise: Attackers gain access to a network by exploiting weak, reused, or default credentials on internet-exposed RDP services.
  5. Brute-force attacks: Attackers use automated tools to systematically try username and password combinations until they find one that works, then use it to log in to a system or network.
  6. Drive-by downloads: Malware is downloaded onto a user’s device when they visit a compromised or malicious website, without their knowledge or consent.
  7. Supply chain attacks: Attackers compromise software vendors or managed service providers (MSPs) and use legitimate software updates or management tooling to distribute malware to their clients.
  8. USB/disk droppers: Attackers distribute ransomware by leaving infected USB drives or disks in public places, or mailing them to targeted individuals or organizations, to infiltrate their endpoints.
  9. Social engineering: Attackers manipulate individuals, for example by impersonating trusted entities or exploiting human error, to trick them into downloading and executing ransomware.
  10. Watering hole attacks: Cybercriminals compromise websites that their target victims visit frequently. When users visit these sites, they inadvertently download ransomware onto their devices.
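Two of the vectors above, RDP compromise and brute force, leave a clear trail in Windows Security logs: a burst of failed logons (Event ID 4625) from one source address, followed by a success (Event ID 4624) for whichever account finally matched. The detector below is an added example for this playbook, not CybelAngel code; the events it runs over are constructed, and the five-failures-in-five-minutes threshold is an assumed starting point that you would tune to your own environment.

```python
"""Flag RDP brute-force activity from Windows Security logon events.

Added example (not CybelAngel code). Event IDs: 4625 = failed logon,
4624 = successful logon. Logon Type 10 is RemoteInteractive (RDP); Type 3
(network) is what RDP with Network Level Authentication records on failure.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED, SUCCEEDED = 4625, 4624
RDP_LOGON_TYPES = {10, 3}

# Constructed sample events (timestamp, event id, source IP, account, logon type).
# Not real telemetry: one attacker spraying an exposed RDP host and eventually
# landing a password, one legitimate user who mistypes once, and a local
# console user (logon type 2) whose failures are not RDP and must be ignored.
SAMPLE_EVENTS = [
    ("2024-03-01T02:00:00", FAILED, "203.0.113.7", "administrator", 10),
    ("2024-03-01T02:00:20", FAILED, "203.0.113.7", "admin", 10),
    ("2024-03-01T02:00:41", FAILED, "203.0.113.7", "backup", 10),
    ("2024-03-01T02:01:03", FAILED, "203.0.113.7", "svc_rdp", 10),
    ("2024-03-01T02:01:25", FAILED, "203.0.113.7", "jsmith", 10),
    ("2024-03-01T02:01:47", FAILED, "203.0.113.7", "jsmith", 10),
    ("2024-03-01T02:02:30", SUCCEEDED, "203.0.113.7", "jsmith", 10),
    ("2024-03-01T02:05:00", FAILED, "198.51.100.20", "mlee", 10),
    ("2024-03-01T02:05:15", SUCCEEDED, "198.51.100.20", "mlee", 10),
    ("2024-03-01T02:10:00", FAILED, "10.0.0.5", "kiosk", 2),
    ("2024-03-01T02:10:05", FAILED, "10.0.0.5", "kiosk", 2),
    ("2024-03-01T02:10:10", FAILED, "10.0.0.5", "kiosk", 2),
    ("2024-03-01T02:10:15", FAILED, "10.0.0.5", "kiosk", 2),
    ("2024-03-01T02:10:20", FAILED, "10.0.0.5", "kiosk", 2),
]


def parse_events(raw):
    """Turn the tuple form above into dicts with real datetimes."""
    return [
        {"ts": datetime.fromisoformat(ts), "event_id": eid, "ip": ip,
         "user": user, "logon_type": lt}
        for ts, eid, ip, user, lt in raw
    ]


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Sliding-window detector keyed on source IP.

    Returns {ip: {"failures": n, "users": [...], "success_user": user or None}}
    for every source that produced `threshold` or more RDP logon failures inside
    `window`. If a successful logon from that source arrives while the burst is
    still inside the window, the account it landed on is reported as well.
    """
    recent = defaultdict(deque)  # ip -> deque of (timestamp, account) failures
    alerts = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["logon_type"] not in RDP_LOGON_TYPES:
            continue
        q = recent[e["ip"]]
        while q and e["ts"] - q[0][0] > window:  # expire failures outside the window
            q.popleft()
        if e["event_id"] == FAILED:
            q.append((e["ts"], e["user"]))
            if len(q) >= threshold:
                a = alerts.setdefault(e["ip"], {"failures": 0, "users": set(), "success_user": None})
                a["failures"] = max(a["failures"], len(q))
                a["users"].update(user for _, user in q)
        elif e["event_id"] == SUCCEEDED and len(q) >= threshold:
            # Success on the heels of a burst of failures: credential likely guessed.
            alerts.setdefault(e["ip"], {"failures": len(q), "users": set(), "success_user": None})
            alerts[e["ip"]]["success_user"] = e["user"]
    for a in alerts.values():
        a["users"] = sorted(a["users"])
    return alerts


def run_sample_detection():
    return detect_rdp_bruteforce(parse_events(SAMPLE_EVENTS))


if __name__ == "__main__":
    for ip, a in run_sample_detection().items():
        print(f"{ip}: {a['failures']} RDP failures across {a['users']}; "
              f"success as {a['success_user']}")
```

On the constructed events only 203.0.113.7 is reported: six failures against five accounts, then a successful logon as jsmith, which is the one to escalate. The single mistyped password from 198.51.100.20 stays under the threshold, and the console failures from 10.0.0.5 are filtered out by logon type. The same shape works for any exposed service (VPN, SSH, OWA) once the events are normalized to the same fields.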

Ransomware Takedowns
Ransomware gangs are being targeted by global police operations. Recently, UK law enforcement, alongside several international law enforcement units, disrupted a major cybercriminal gang, LockBit, which was believed to hold 20-25% of the ransomware market.

Read our CISO, Todd Carroll’s analysis here.

2. The state of ransomware: 5 trends to know

At CybelAngel, we just ran our annual 2024 State of the External Attack Surface report, where our CISO Todd Carroll analyzed 192 trillion data points to understand the cybersecurity landscape this year.

Here are 5 insights about the state of ransomware, before we crunch the numbers and figure out the average cost of ransomware recovery and remediation.

For more ransomware insights read our 2024 annual report.

1. Ransom demands increased by 40% in 2023

Ransomware incidents aren’t going away; in fact, they’ve almost doubled in the last year, and the ransom demanded per incident has grown by 40%.

Why is this?

In a model known as ransomware-as-a-service (RaaS), ransomware developers lease their malware and infrastructure to affiliates in exchange for a cut of the profits. So now, it’s even easier for cybercriminals with little technical skill to get everything they need for their next attack.

2. Unprotected assets and data have doubled this year

The risk of data loss has never been higher, with exposed databases doubling from 740,000 to 1.5 million in the last year. And with more data left vulnerable to exploitation, cybercriminals have a bigger pool of targets, increasing the frequency and severity of ransomware incidents.

Plus, the interconnected nature of digital systems means that one data breach can have a ‘snowball effect’ and cascade into supply chains and critical infrastructure.

3. Construction, IT, and healthcare are the biggest targets

Building and construction organizations, information technology services, and hospital and healthcare industries are the most attractive targets to cybercriminals. And this is largely because they tend to be the easiest targets.

Most worrying of all, we all depend on IT services to some extent for our data, systems, and machines, and it’s the second-most targeted industry out there.

4. Most ransomware cybercrime victims are based in the US

CybelAngel’s annual report found that 48% of ransomware group victims were based in the United States. Why is this? US-based organizations present a lucrative opportunity to cybercriminals, because:

  • It’s the largest global economy, making it a major player
  • Many high-value companies, institutions, and government agencies are based there
  • There’s been widespread adoption of technology, creating plenty of vulnerable endpoints
  • Governance and regulation are decentralized, meaning the cybersecurity practices are not the same in different states and industries

All of these factors increase the attack surface potential in the US, due to multiple vulnerabilities and entry points that cybercriminals can exploit.

5. Double extortion attacks are on the rise

A concerning trend is that cybercriminals exfiltrate a copy of the data before encrypting it, then threaten to publish it unless they are paid. This forces companies to pay a “double ransom”: once to recover their systems, and once to keep confidential information off the gang’s leak site.

Consequently, this can double the cost of an incident and makes disaster recovery a whole lot more complicated: good backups neutralize the encryption, but not the threat to leak what was already stolen.

With this data in mind, let’s talk about the average ransom costs involved for victims, based on our report from the last year.

3. The true cost of ransomware attacks

Calculating the average cost of ransomware attacks can be a challenge because not all data breach reports come to light.

Some companies and small businesses prefer to quietly fulfill their payouts and sweep ransomware incidents under the rug, rather than admitting their shortcomings to regulators and addressing their data security problems head-on.

But CybelAngel has calculated the average costs of ransomware attacks based on its own data in the annual report.

The financial cost of ransomware attacks

The economic implications of ransomware incidents can be far-reaching. Our research found that where backups were available, the average costs were lower, but they still ran to millions of dollars.

  • $1.82 million: The average recovery cost from a ransomware attack (not including any ransom paid)
  • $2.6 million: The average recovery cost for organizations that paid the ransom to get their data back, falling to $1.6 million for those that restored from backups

The time cost of ransomware attacks

Time is money. And we found that significant recovery time was required to get back on track, particularly for companies that chose to pay the ransom.

  • 45% of organizations that restored from backups were able to recover within 1 week
  • But only 39% of organizations that paid the ransom were able to recover within a week

The bottom line

The average cost of ransomware attacks can be reduced when the organization has usable backups to restore from. This can save them from having to pay a ransom, and also reduce the time required to get their systems back up and running. The caveat is that ransomware operators routinely look for reachable backups and encrypt or delete them before triggering the attack, so backups only count if they are kept offline or immutable and are restored from regularly to prove they work.

However, prevention is better than cure, and investing in cyber insurance and cybersecurity services would cost under 8% of these recovery costs per year.
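Backups only lower the bill if the backup set itself survived the attack. The script below is an added example for this playbook, not CybelAngel code: it records a SHA-256 manifest of a backup tree when the backup is written and later checks the tree against it, reporting files that are missing, changed or newly appeared, and flagging any whose contents have the near-random byte distribution that encryption leaves behind. The backup files, the simulated ransomware pass, and the 7.5 bits-per-byte entropy threshold are all constructed or assumed for the demonstration.

```python
"""Check a backup set for tampering before relying on it for recovery.

Added example (not CybelAngel code). A SHA-256 manifest taken when the backup
was written is compared against the tree later; files whose new contents have
near-maximum byte entropy are flagged as probably encrypted.
"""
import hashlib
import math
import os
import tempfile
from collections import Counter
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: about 8.0 for encrypted or compressed data, far lower for text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def build_manifest(root: Path) -> dict:
    """Relative POSIX path -> sha256 for every file under root (taken at backup time)."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_backup(root: Path, manifest: dict, entropy_threshold: float = 7.5) -> dict:
    """Compare the tree under root with the manifest.

    'modified' files whose content now looks encrypted and 'unexpected' new files
    (renamed .locked copies, ransom notes) are the signature of a ransomware pass.
    """
    report = {"ok": [], "missing": [], "modified": [], "unexpected": [], "suspect_encrypted": []}

    def looks_encrypted(p: Path) -> bool:
        return shannon_entropy(p.read_bytes()[:1_000_000]) >= entropy_threshold

    for rel, digest in manifest.items():
        p = root / rel
        if not p.is_file():
            report["missing"].append(rel)
        elif sha256_file(p) == digest:
            report["ok"].append(rel)
        else:
            report["modified"].append(rel)
            if looks_encrypted(p):
                report["suspect_encrypted"].append(rel)
    for p in sorted(root.rglob("*")):
        rel = p.relative_to(root).as_posix()
        if p.is_file() and rel not in manifest:
            report["unexpected"].append(rel)
            if looks_encrypted(p):
                report["suspect_encrypted"].append(rel)
    return report


def run_simulated_check() -> dict:
    """Build a small backup, take its manifest, run a simulated (harmless)
    ransomware pass over it, and return the verification report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "db").mkdir()
        (root / "db" / "customers.sql").write_text(
            "INSERT INTO customers VALUES (1, 'acme');\n" * 200)
        (root / "payroll.csv").write_text(
            "id,name,salary\n" + "\n".join(f"{i},user{i},{50000 + i}" for i in range(500)))
        (root / "readme.txt").write_text("Nightly backup set\n")
        manifest = build_manifest(root)

        # Simulated ransomware behaviour, constructed for the demo (no real malware):
        # encrypt one file in place, rename-and-encrypt another, drop a ransom note.
        (root / "payroll.csv").write_bytes(os.urandom(8192))
        (root / "db" / "customers.sql").unlink()
        (root / "db" / "customers.sql.locked").write_bytes(os.urandom(8192))
        (root / "README_RECOVER.txt").write_text("Your files are encrypted. Pay to recover them.\n")

        return verify_backup(root, manifest)


if __name__ == "__main__":
    for status, files in run_simulated_check().items():
        print(f"{status:>18}: {files}")
```

Keep the manifest somewhere the backup host cannot write (offline media or an object-lock bucket), otherwise the same attacker can simply regenerate it. And treat a clean report as necessary, not sufficient: a hash check proves the files are unchanged, only a scheduled test restore proves the backup is actually usable.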

4. Case study: Independent Living Systems (ILS)

To illustrate the true cost of ransomware attacks, let’s look at a case study.

ILS is a Miami-based healthcare administration service, which recently had a data breach that impacted 4.2 million people. It was the biggest healthcare industry data incident in 2023.

An unauthorized individual accessed a whole database of personal and medical information, making people vulnerable to identity theft and fraud.

While they didn’t disclose what kind of cyberattack they faced, it could very well have been a ransomware incident—due to the fact that many of their computer systems were rendered inaccessible during the attack.

Since then, ILS has suffered 5 lawsuits and reviewed all of its cybersecurity measures.

The takeaway

The healthcare industry is the third most-targeted industry by ransomware gangs. Healthcare systems are often particularly vulnerable due to:

  • Lack of resources
  • A wide pool of networks and systems
  • Many third parties involved, creating more entry points for criminals
  • Valuable personal information databases

This makes it even more important for healthcare organizations to proactively put cybersecurity controls in place, rather than suffer the far greater cost of a ransomware incident later down the line.

5. How to fight back against ransomware attacks

Now that we understand the true cost of ransomware incidents in terms of time and money, let’s talk about the good news: how we can fight back.

Rather than waiting for something to go awry, it is far cheaper and less disruptive to invest in a premium cybersecurity solution like CybelAngel.

The more that organizations focus on improving their cybersecurity measures, the more difficult and less profitable it will be for ransomware gangs to exploit them.

Opportunistic ransomware crews go after the most exposed targets first. So if your data and systems are properly secured, you become much poorer pickings for cybercriminals, and everyone else gets peace of mind.

Wrapping up

For more ransomware insights, access our annual report written by CybelAngel’s CISO, Todd Carroll.

Ransomware attacks are a real and dangerous threat, and they’re on the rise in 2024.

But the good news is that with the right cybersecurity measures in place, you can greatly reduce the risk and keep your organization safe.

If you found these insights interesting, then you’re invited to review our 2024 annual report, which includes further data and trends on the state of cybersecurity this year.