Skip to content ↓ | Skip to navigation ↓

If your company is worried about the financial hit of paying a ransom to cybercriminals after a ransomware attack, wait until they find out the true cost of a ransomware attack. Because the total costs of recovering from the ransomware attack are likely to be much, much higher.

That’s the finding of a new study by researchers at Check Point, who discovered that the average total cost of a ransomware attack is more than seven times higher than the average ransom paid.

While media reports often focus on the amount paid by businesses to their ransomware extortionists, there are many other financial considerations to take into account – including the cost associated with incident response and restoration of systems, legal fees, and monitoring costs.

When you take that into consideration, it is clear that there are much more significant costs than that of paying the ransom itself.

Looking at a wealth of information leaked from the Conti ransomware group, the Check Point researchers found evidence of ever-increasing professionalism from the criminal gangs in their attempt to make as much money as possible from their victims:

“Ransomware gangs are alarmingly similar to legitimate organizations with clear management structures and HR policies. The sophistication of these ransomware groups even extends to the targeting of victims and how a ransom figure is decided as well as the negotiation techniques they use to exact maximum financial gain.”

Ransomware operators have become sophisticated negotiators – recognising that “offering a big discount to a victim simply because the initial asking price was far too high, could compromise future operations if other victims got to find out about it.”

The notorious Conti cybercrime group, for instance, will consult public sources such as ZoomInfo and DNB to determine a corporate victim’s annual revenue, and adjust its ransom demands accordingly. In addition, ransomware gangs will determine if the company has cybersecurity insurance which may cover the ransom payment.

Another motivator for payment, of course, is the quality and sensitivity of the data exfiltrated by the cybercriminals – and how much damage would be done by it being released to all-and-sundry on the internet.

According to the researchers, the trend is for the percentage of revenue demanded from a victim to be lower as the annual revenue of the victim becomes higher, as that percentage will represent a greater numerical value in dollars. Typically the range varies between 0.7% and 5% of revenue.

At the same time, attackers may offer a discount to “clients who pay fast.” It makes sense for the criminals, who may be negotiating with scores of different victims simultaneously, and want to close the deal as quickly as possible.

Ransomware gangs are becoming more efficient in their dealings with victims. They have commercialised cybercrime to a scale rarely seen in the past.

“It’s remarkable just how systematic these cyber criminals are in defining the ransom number and in the negotiation. Nothing is casual and everything is defined and planned according to factors that we’ve described,” said Sergey Shykevich, Check Point threat intelligence group manager.

As ever, prevention is better than cure. Prevention is better than mopping up the damage to your reputation afterwards, or begging forgiveness from your customers and business partners.

Make sure your business takes steps now to reduce the chances of being the next victim of a ransomware attack.

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.