Adding Up the Direct and Indirect Costs of Ransomware Data Recovery

MAY 12TH, 2021

It is common knowledge in IT and data security circles that ransomware attacks are on the rise and that they are bigger and “badder” than ever before. Take, for instance, the recent attacks on Scripps Health and Washington D.C.’s Metropolitan Police Department. 

The attack on Scripps knocked out mission-critical systems, including patient records and scheduling, and forced serious medical emergencies to be diverted to other local hospitals.

Ransomware gang Babuk took their attack on the D.C. police a step further by allegedly stealing 250 GB of data, including some that could potentially expose informants.

This double extortion approach to ransomware is gaining popularity because it significantly increases the odds that a company or organization will pay the ransom to avoid data exposure. 

The gang that attacked the Metropolitan Police Department announced soon after that they were getting out of the ransomware encryption business to focus their efforts on extortion and exfiltration because it pays better.

Common Ways Ransomware Attacks Succeed

Although the impact of ransomware has evolved over the years from a minor annoyance to a full-fledged disaster, many of the tried-and-true tactics for breaching an organization’s security perimeter are still popular with today’s ransomware operators.

Phishing Emails

Phishing is a favorite pastime for cybercriminals. It only takes one distracted user with access to the company network to open up the proverbial can of worms. Clicking a bad link, opening an infected attachment, or offering up sensitive information such as login credentials or account numbers gives ransomware operators an easy in.

Unpatched Applications

Missed patches are essentially the welcome mats of the ransomware world. Everyone who works in network security knows this. Yet skipped patches and updates continue to be two of the most common ways malware gets past protection to encrypt and exfiltrate data.

Remote Access

Remote access has always been a weak point in system security, but the mass pivot to remote work environments in early 2020 made the issue much worse. With millions of new remote endpoints suddenly connecting through infrastructure that wasn’t ready for this type of load, ransomware operators had a field day.

Exploit Kits

Exploit kits take a multi-step approach to ransomware attacks. These kits are often distributed via drive-by download from an infected site. Once the code enters a system, it scans for common vulnerabilities, and if it finds any, the kit deploys malware to encrypt or exfiltrate data.

The Direct and Indirect Costs of a Successful Ransomware Attack

Sophos reported in The State of Ransomware 2021 report that the average cost of remediation from a ransomware attack in the U.S. is now $1.85 million.

Obviously, there are many factors at play in coming up with that number, and every situation is different. Still, one thing is certain: A successful ransomware attack is going to cost your organization one way or another.

There are dozens of ways ransomware impacts business. Some are apparent from the start, and others may take time to manifest, but there will doubtless be repercussions. 

The price an organization pays for inadequate ransomware protection and disaster recovery can be broken down into two buckets: direct costs and indirect costs.

Direct Costs

Direct costs are the out-of-pocket expenses for cleaning up after a ransomware attack. This bucket includes tangible items and activities such as ransom payments, equipment replacement or repair, third-party security assessments, and upgrading cybersecurity and data protection tools. 

Ransom payments are generally the most expensive cost associated with a ransomware attack. In 2020, the average ransomware payment rose by 171 percent from $115,123 to $312,493. 

Many cybersecurity experts warn against paying the ransom, but some organizations see it as the best and fastest way to get their data back and minimize disruption. But in reality, it is not that simple. Sophos also noted in The State of Ransomware 2021 report that, on average, only 65 percent of encrypted data was restored, even after the victims paid the ransom.  

Indirect Costs

Indirect costs may not require a purchase order, but they can cost a company thousands of dollars (or more) in revenue.

Many of the indirect costs incurred because of ransomware are wrapped up in user demand for data privacy and security. Today’s users want their services and applications to be fast, available 100 percent of the time, and highly secure. If your company can’t provide that level of service, your customers will likely find out if your competitors can.

Downtime and data loss are a fast track to lost clients and a tarnished reputation, but these could be the least of your worries. In addition to a diminished standing in the market, a successful ransomware attack—with or without double extortion thrown in—can create an expensive pile of legal and regulatory trouble.

Between privacy regulations, SLAs, and strict compliance requirements, failure to protect your company’s data from exposure or loss can have a substantial financial impact in the form of legal fees, non-compliance fines, penalties, and restitution.  

How to Avoid Being a Victim of a Ransomware Attack

Despite the alarming number of ransomware attacks in the news, it is essential to remember that being a victim isn’t a given. Proactively addressing common vulnerabilities and implementing a comprehensive disaster recovery strategy are essential to mitigating risk and minimizing damage from ransomware.

Here are five key ransomware prevention best practices to help keep your organization out of the headlines: 

  1. Educate employees: Customized security awareness training arms your employees with knowledge so they can become the company’s first line of defense against ransomware instead of a liability. 
  2. Invest in a cybersecurity and data protection solution: Look for a solution that includes both cybersecurity and data protection that will detect and neutralize known and unknown threats and protect every type of workload, all while minimizing complexity.
  3. Adopt a 3-2-1-1 backup strategy: Adapt the traditional approach to securing backups by adding an air-gapped copy that is untouchable by ransomware.
  4. Stay current on patching and updates: IT teams are stretched extra-thin these days. Automating some patching processes can help keep systems secure and free up valuable resources. 
  5. Install antivirus software: Add antivirus protection to every device that can connect to the company network, and be sure to keep it up to date.
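The 3-2-1-1 rule in item 3 is easy to state and easy to quietly fall short of, usually on the air-gapped copy. The following is an added example, not code from the original post or from any vendor, that checks a backup inventory against the four requirements. The inventory format (`BackupCopy` with media, off-site and air-gapped flags) and the interpretation of the rule (three copies including production, two media types, one off-site, one air-gapped) are assumptions made for this example; the sample inventories are constructed.

```python
"""Check a backup inventory against the 3-2-1-1 rule.

Added example (not from the original post). The rule is interpreted as:
  3 copies of the data (the production copy counts as one), on
  2 different media types, with
  1 copy stored off-site, and
  1 copy air-gapped (offline or otherwise unreachable from the network).
The inventory format below is an assumption made for this example.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class BackupCopy:
    name: str
    media: str        # e.g. "disk", "tape", "object-storage"
    offsite: bool     # stored at a different physical site or region
    air_gapped: bool  # not reachable from the production network


def check_3_2_1_1(copies: list[BackupCopy]) -> dict[str, bool]:
    """Return which of the four 3-2-1-1 requirements the inventory satisfies."""
    return {
        "three_copies": len(copies) >= 3,
        "two_media": len({c.media for c in copies}) >= 2,
        "one_offsite": any(c.offsite for c in copies),
        "one_air_gapped": any(c.air_gapped for c in copies),
    }


def missing_requirements(copies: list[BackupCopy]) -> list[str]:
    """Names of the requirements the inventory fails; empty when it meets 3-2-1-1."""
    return [name for name, ok in check_3_2_1_1(copies).items() if not ok]


# Constructed sample inventories (not real systems).
# WEAK looks like a classic 3-2-1 setup, but every copy is reachable from the
# network, so ransomware that compromises an admin account can reach all of them.
WEAK = [
    BackupCopy("production", "disk", offsite=False, air_gapped=False),
    BackupCopy("nightly-nas", "disk", offsite=False, air_gapped=False),
    BackupCopy("cloud-sync", "object-storage", offsite=True, air_gapped=False),
]
# STRONG adds the fourth "1": an offline tape copy that an attacker on the
# network cannot encrypt or delete.
STRONG = WEAK + [BackupCopy("weekly-tape", "tape", offsite=True, air_gapped=True)]

if __name__ == "__main__":
    for label, inventory in (("weak", WEAK), ("strong", STRONG)):
        print(label, missing_requirements(inventory) or "meets 3-2-1-1")
```

Run as a script it reports `weak ['one_air_gapped']` and `strong meets 3-2-1-1`. The point of the check is the last requirement: an inventory that passes 3-2-1 but fails the air-gapped test still leaves every copy reachable from the same network the ransomware runs on.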

When even tech behemoths like Apple aren’t immune from ransomware, it is easy to wonder what chance the rest of us have. But the good news is that ransomware isn’t inevitable. Download Your Guide to a Ransomware-Free Future to learn how to protect your organization from the rising costs of ransomware recovery.