Ransomware loss composition
Let’s talk about the anatomy of a ransomware loss. Our research indicates that merely glancing at the total or average figures does not provide a sufficient understanding of the behavior and the main drivers behind these losses (squinting and glancing for longer also did not help). In this short insight study, we discuss the typical components of ransomware-caused financial losses. These insights are valuable both for analyzing loss events and for quantifying risks for an organization.
Background and Approach
We have built a database containing different types of cyber loss events including ransomware, malware, data breach, wire transfer fraud and other events. This study focuses on events classified as ransomware attacks. It describes insights from 74 case studies on ransomware events in companies across different industries.
When collecting the data, we looked beyond the total losses and gathered as many details about the events as possible. This included the composition of the losses, that is, how much was spent on what. It's important to note that the level of detail and the depth of information provided by the victim companies varied from case to case. It ranges from almost no information to a clear listing of the components contributing to the total loss. The wording and reporting style of these events is also inconsistent. We consider the lack of reporting standards in this area to be the main reason.
Despite these “teething problems” related to data quality and reporting, good insights into the loss composition are already available.
What are the typical loss components that companies report on?
Figure 1 lists the various loss components reported by the victim companies. The section below provides an explanation for these components.
The percentage of companies reporting ransom payments is probably the best joke of this study.
Lost business - lost revenue as a result of not being able to fulfil orders, customer compensations and refunds, delayed revenues, lost net sales.
Response and recovery cost - expenses and costs caused to remediate the incident. Costs related to direct response to the incident, IT recovery, including forensics and other professional services, and costs associated with business recovery such as additional labor hours due to lost productivity.
Legal costs - legal fees related to governmental investigations, class actions*, plaintiff’s attorney fees, lawsuit expenses.
Regulatory penalty - penalty for late notification of data protection controllers, penalty for misleading disclosures. Settlement with the attorney general.
Ransom - this includes cases where the victim company mentioned the exact ransom amount or the fact of “paying” the ransom.
Loss reported as a total amount - the reported loss was provided as a total amount or as an overall damage to the business. It was not possible to assign the loss to one of the distinguished loss components mentioned above.
*For the readers in Europe. “A class action lawsuit is one person or a small group of people suing on behalf of a larger group of people who have all suffered the same injury.” [1] In the context of cybersecurity, class actions are mostly initiated in the case of a breach of personally identifiable information. This form of legal action is not as common in Europe as in the US.
Figure 1 conveys a clear message on the two main loss components: response and recovery cost and lost business. This is not surprising, given the primary impact of a successful ransomware attack: operational disruption due to encrypted IT systems and data. It also goes hand in hand with our findings from the study on the “Link between the cybersecurity measures and the financial losses caused by ransomware”. Ransomware-caused losses are driven by the company size, the length of the operational interruption and the degree to which the company is affected. These factors directly impact both recovery costs and revenue losses.
Legal costs and regulatory penalties have been mentioned surprisingly rarely, only in 3-4% of the cases. It is important to point out that these cases involved a major data breach affecting the personally identifiable information (PII) of several million individuals, leading to costly class-action lawsuits and regulatory penalties.
These are, however, not the only cases of ransomware events involving a data breach. In an additional 32% of the cases, the victim companies reported some kind of data breach along with the ransomware attack. Based on the currently available information, we conclude for now that in these cases the data breaches were smaller, resulting in either no or minimal costs (e.g., some companies reported smaller amounts of affected PII, others did not provide many insights on the breach). The expenses related to the data breach may have been absorbed within the response and recovery costs without explicit mention, likely due to the absence of significant legal action and regulatory consequences following the event. However, further verification should be carried out with additional data points going forward.
Admitting the ransom payment
Now, let's take a critical look at the percentage of companies reporting ransom payments. Only 11% mentioned the ransom amount or confirmed that they paid the ransom. We dare to suspect that the actual number is much higher. In a 2021 study by Kaspersky, 56% [2] of companies admitted having paid. Similarly, a survey by Statista revealed that 73% [3] of the companies paid.
Our 11% here seem to come from a different planet.
However, this might be easily explained by the circumstances under which companies are more willing to admit to the ransom payment. That is, it is easier to acknowledge making the payment in a global, anonymous survey than in their own annual or quarterly reports or press releases, as doing so risks further consequences. In other words, companies seem to prefer burying the ransom payment beneath the rug of response and recovery costs rather than addressing it directly. As the motto goes, “I won't say anything unless someone asks.”
Brand damage, reputational impact, and other animals
It's worth noting that in none of the cases were costs and losses related to brand damage, reputational impact, employee turnover, management time, or similar impact categories mentioned. Why do we mention this? These are the “good old classics” used to assess the impact in the context of cyber risk management (i.e., protection needs analysis, business impact analysis). A similar observation was made by the Cyentia Institute in their “Information Risk Insight Study 20/20” [4]:
“We found zero attributable losses in either the reputational damage or competitive advantage categories. That’s not to say we’re certain none of the organizations in this study experienced these forms of indirect impact, but rather that they were never cited or observable in any quantifiable way in these well-publicized events. It is possible that some reputation damages are reflected in softer elements of organizational impact, which we’ll get to in a moment.”
It would not be correct to conclude that none of the companies experienced such effects after the ransomware attack. If these impacts were experienced, it was likely in a qualitative manner that could not be reflected in financial terms, such as direct costs. (When it comes to stock price impact and adverse effects during M&As, we will address these topics in a separate article.) For now, we will take this observation as it is and keep it in mind as we proceed.
Relative proportion: lost business vs. recovery cost
Let's take an additional step and examine the proportion of the main loss components. To do this, we will utilize the information on the cost composition of events where both main loss components, recovery cost and revenue loss, were mentioned.
Let’s look at the weird graph (boxplot).
The middle line in each box represents the average value. Hence, lost business contributes to 63% of the total loss, while response and recovery costs contribute an average of 37% to the total loss.
It is also worth noting that the ranges are quite broad. The upper and lower boundaries of each box indicate the range where 50% of all values fall.
In our sample, lost business contributes between 45% and 80% to the total, while response and recovery costs contribute between 19% and 55%. The wide range can be partially explained by variations in loss composition across different industries and by the circumstances of each event.
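As an added illustration (not code from the study itself) of how the component taxonomy above and the boxplot analysis fit together: the script below records each event's reported components, computes how often each component is reported (the Figure 1 view), and, for events reporting both main components, derives each component's share of their sum along with the mean and the box boundaries (25th and 75th percentile). The event records and amounts are constructed sample data, not cases from the study's database.

```python
from dataclasses import dataclass
from statistics import mean, quantiles
from typing import Optional

@dataclass
class LossEvent:
    """One ransomware loss event; None means the component was not reported."""
    name: str
    lost_business: Optional[float] = None      # lost revenue, refunds, delayed sales
    response_recovery: Optional[float] = None  # forensics, IT recovery, extra labour
    legal: Optional[float] = None              # lawsuits, attorney fees
    regulatory: Optional[float] = None         # penalties, settlements
    ransom: Optional[float] = None             # ransom amount, if admitted
    total_only: Optional[float] = None         # loss reported only as one figure

# Constructed sample events (not from the study); amounts in million USD.
EVENTS = [
    LossEvent("A", lost_business=12.0, response_recovery=6.0),
    LossEvent("B", lost_business=3.0, response_recovery=4.0, ransom=0.5),
    LossEvent("C", total_only=9.0),
    LossEvent("D", lost_business=20.0, response_recovery=5.0, legal=2.0, regulatory=1.0),
    LossEvent("E", response_recovery=2.5),
    LossEvent("F", lost_business=8.0, response_recovery=8.0),
]

COMPONENTS = ("lost_business", "response_recovery", "legal",
              "regulatory", "ransom", "total_only")

def reporting_share(events):
    """Fraction of events that report each component (the Figure 1 view)."""
    n = len(events)
    return {c: sum(getattr(e, c) is not None for e in events) / n for c in COMPONENTS}

def main_component_shares(events):
    """Per-event share of lost business and of response/recovery in their sum.
    Only events reporting both main components are used, as in the boxplot."""
    lost, recovery = [], []
    for e in events:
        if e.lost_business is None or e.response_recovery is None:
            continue
        both = e.lost_business + e.response_recovery
        lost.append(e.lost_business / both)
        recovery.append(e.response_recovery / both)
    return lost, recovery

def boxplot_summary(values):
    """Mean plus the box boundaries (25th/75th percentile) enclosing 50% of values."""
    q1, _, q3 = quantiles(values, n=4)
    return {"mean": mean(values), "q1": q1, "q3": q3}

if __name__ == "__main__":
    print(reporting_share(EVENTS))
    lost, recovery = main_component_shares(EVENTS)
    print("lost business:", boxplot_summary(lost))
    print("response/recovery:", boxplot_summary(recovery))
```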
Conclusion
The study reveals the two main components contributing to losses caused by ransomware: lost business and response and recovery costs. Only a few companies (11%) dare to mention ransom payments in their reports. This number contradicts the statistics of other studies, which suggest that more than half of ransomware victims pay the requested ransom amount. The dataset also suggests that only in a relatively small fraction of ransomware-caused data breaches are there noticeable regulatory and legal consequences. We also found that qualitative loss categories, such as brand damage and reputational loss, were not mentioned in any of the reports. We conclude that this type of impact, even if experienced, cannot be directly quantified as a loss.
References
[1] ClassAction.org (2023): What Is a Class Action Lawsuit? URL: https://www.classaction.org/learn/what-is-a-class-action (Last visited: 01.11.2023).
[2] Kaspersky (2021): Over half of ransomware victims pay the ransom, but only a quarter see their full data returned. URL: https://www.kaspersky.com/about/press-releases/2021_over-half-of-ransomware-victims-pay-the-ransom-but-only-a-quarter-see-their-full-data-returned (Last visited: 01.11.2023).
[3] A. Petrosyan (2023): Share of ransom payers worldwide that recovered data 2018-2023. URL: https://www.statista.com/statistics/700894/global-ransom-payers-recovered-data/ (Last visited: 01.11.2023).
[4] Cyentia Institute (2020): IRIS 20/20 Xtreme. URL: https://www.cyentia.com/wp-content/uploads/IRIS2020-Xtreme.pdf (Last visited: 26.09.2023).