Loss data reveals the link between cybersecurity measures and the loss magnitude caused by ransomware.

An insight into the study on financial losses caused by ransomware attacks.

Marta Pukite | 26.10.2023.


Stories of businesses hit by ransomware attacks keep reappearing in the news headlines. The notorious reputation of ransomware is, among other things, related to the extreme losses, which can reach tens of millions in damages for the victim companies (a few examples from the recent past: Kaseya $70m, Acer $50m, JBS $11m, Colonial Pipeline $4.4m). [1]

When looking at the development of average losses over the past years, depending on the source, the numbers have either been rising or remained stable. [2] Meanwhile, cybersecurity spending by businesses has steadily increased over the past decade. [3] This raises a question about the effectiveness of cybersecurity measures in protecting businesses from losses.

What makes the difference in the size of losses caused by ransomware? Is it a matter of luck, or can we identify the impact of cybersecurity measures? To understand the relationship between ransomware-induced losses and security measures, we conducted extensive case studies of ransomware events. The findings offer new insights into loss size, loss composition, and, most importantly, demonstrate that adequate cybersecurity measures have a significant impact on the size of the losses.

Loss Data, Scope and Approach

We have built a database containing different types of cyber loss events including ransomware, malware, data breach, wire transfer fraud and other events. This study focuses on events classified as ransomware attacks that have led to operational disruptions.

When collecting the data, we looked beyond the total losses and gathered as many details about the events as possible. This included information about the duration of the operational interruption, the affected parts of the company, the composition of the losses (how much was spent on what), as well as indicators that reveal the company's state of cybersecurity at the time of the attack.

The scope of this study includes insights from 35 case studies on ransomware events in companies from the manufacturing and logistics sectors. This distinction is important because our findings demonstrate that the loss size and its composition can vary significantly from sector to sector. Additionally, we have excluded all events where the reported damage consists solely of the ransom payment.


Financial losses caused by ransomware

The dataset includes losses ranging from $0.1m to $740m, while the companies' revenue ranges from $20m to $40bn. Accordingly, the victims of ransomware attacks are not only the largest companies but also small and medium-sized enterprises.

Before we dig deeper, let's examine the total losses in relation to the revenue size of the affected companies. Just by looking at the graph, it's evident that there is a strong correlation between the total loss and the company's revenue. However, the few largest data points seem to be stealing the show, leaving the rest squeezed into the bottom-left corner.

Therefore, we have determined the linear correlation. The correlation coefficient is 0.86 and statistically significant (p<0.001). This means that the company's revenue size is a significant factor in determining the potential losses caused by ransomware attacks. However, it is not the sole determining factor; otherwise, all data points would be evenly distributed along the line.

Relative losses - loss as a portion of revenue

Next, we examine the losses as a proportion of the company's monthly revenue. The average is 10%, the median is 6.8%.* This corresponds to the histogram in Figure 2. It shows that in roughly one-third of the cases, the magnitude of the loss falls between 5% and 10% of the monthly revenue. However, there are numerous cases both below and above this range. Approximately another third of the losses are below 5% of the monthly revenue, while in 15% of the cases the loss magnitude is significantly higher, exceeding 15% of the monthly revenue.

This means there is a significant difference in relative losses. However, the question remains: What is causing this difference?

*The next time you need a "quick and dirty" answer for the loss potential of a ransomware incident for your management, you could say it's something around 5-10% of the company's monthly revenue.

What makes the difference?

We conducted detailed case studies on ransomware attacks and the resulting financial losses. Specifically, we were looking for information and details that could provide insights into the state of cybersecurity in the affected companies. Our analysis allowed us to categorize the loss events into a few groups with similar characteristics. For simplicity, the results are described based on three broader groups.

Group 1

0.7 - 5%

  • Business operations could be continued.

  • Internal corporate functions were affected (some reports reveal that the core operations were on a separate network).

  • Immediate actions were taken to isolate the attack, the cyber emergency plan was executed.

  • Some reports indicate that only 2 forensic experts were involved in handling the attack and/or it took only 2 days to restore the affected parts of the company.

Group 2

5 - 12%

  • Operational recovery took around 1 – 2 weeks.

  • Operations could be continued based on workarounds (some reports reveal lower production levels or production shortages covered by other facilities).

  • Noticeable parts of the company's business were affected (e.g., depending on the case, >20%-60% of the employee count; functions like operations and sales; some facilities).

  • At the lower end of the loss range: proactive shut-down of the systems when the attack was identified.

  • Some reports mention deficiencies in critical access controls.

Group 3

> 18%

  • Operational recovery took longer than 2 weeks (partially ≥ 4 weeks).

  • The ability to produce or deliver to customers was affected.

  • Systems that are critical for business operations were affected.

  • Significant parts of the company’s business were affected (e.g., several business segments, > 50% of the employee count).

  • In some cases, the companies reported encrypted backups, lost work, time-consuming workarounds, partial temporary operational disruptions, and/or affected bottleneck functions.

The table summarizes the information we have identified in the course of our case studies. It's important to note that the level of detail and depth of information provided by the victim companies varied from case to case, ranging from almost no information to details about the number of affected systems and the identified cybersecurity deficiencies. The wording and reporting style of these events is also heterogeneous. We consider the lack of reporting standards in this area to be the main reason for this. Nevertheless, the data allowed us to identify similarities in the circumstances of the loss events in each group.

By comparing the groups, several observations can be made. There is a significant difference in the duration of operational disruptions. The disparity in downtime between Group 2 and Group 3 extends up to several weeks. Furthermore, companies in Group 1 were able to continue their operations after the attack, or the disruption was limited to internal corporate functions and was resolved within a few days. From this, we conclude that poor response ability and a lack of preparation in the form of workarounds and system recovery capabilities may account for part of the variation in the loss magnitude. A similar observation was made by the Cyentia Institute in their "Information Risk Insight Study 20/20." [4]

Another significant factor is the extent to which the company is affected by the ransomware. Group 3 companies experienced a widespread impact on significant portions of the organization, causing severe disruptions in core business operations and consequent losses above 18% of the monthly revenue. Meanwhile, we observe that the ability to contain the ransomware within limited areas of the organization (Group 1) can effectively keep the financial losses below 5% of the company's monthly revenue. It's worth noting that businesses in Group 1 report immediate response, attack isolation, and the execution of emergency plans, all of which are absent in the reports of Group 3. Group 2 appears to consist of companies with adequate response capabilities, but with issues in limiting the spread of ransomware within the company.

The observations are not surprising. In a way, it all makes sense - the magnitude of loss caused by a ransomware attack is determined by the duration of the interruption and the extent to which the business is affected.

What does a ransomware loss consist of?

The composition of the losses reinforces the above findings. One of the most frequently mentioned loss components in ransomware attacks is recovery costs. These are expenses related to IT recovery, including forensics and other professional services. In addition, there are costs associated with the restoration of business operations, such as additional labor hours due to lost productivity.

In addition to recovery costs, victim companies often report on revenue losses caused by operational disruptions.

It's worth noting that in all three groups mentioned above, there are companies that have paid ransoms. This implies that paying the ransom is not a measure that can guarantee a lower financial loss.

Conclusion

Our study reveals the main drivers of ransomware-caused losses: the company's revenue size, the duration of the operational disruption, and the extent to which the business is affected. Our observations indicate that by implementing appropriate response mechanisms and reducing the duration of operational disruption, the potential damage can be roughly halved (from >18% to 5-12% of monthly revenue). A further reduction in losses can be achieved by limiting the spread of ransomware within the organization (to 0.7 - 5% of monthly revenue).
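As an added illustration (not the study's own code), the following Python helper turns the three loss bands above and the "quick and dirty" 5-10% rule into a loss-potential estimate for management: it expresses a loss as a share of monthly revenue, assigns it to one of the three groups (or flags the 12-18% gap the groups leave unassigned), and summarizes a set of cases. All case values are constructed.

```python
"""Ransomware loss-potential helper based on the bands reported in the article.
Added illustration, not the authors' code; all sample cases are constructed."""
from statistics import mean, median

# Relative-loss bands (% of one month's revenue) taken from the article's groups.
BANDS = {
    "group1_contained": (0.7, 5.0),     # attack isolated, core operations continued
    "group2_responded": (5.0, 12.0),    # workarounds, recovery in 1-2 weeks
    "group3_widespread": (18.0, None),  # >2 weeks downtime, core systems affected
}


def relative_loss_pct(total_loss, annual_revenue):
    """Loss expressed as a percentage of one month of revenue (annual / 12)."""
    if annual_revenue <= 0:
        raise ValueError("annual revenue must be positive")
    return 100.0 * total_loss / (annual_revenue / 12.0)


def classify(rel_pct):
    """Map a relative loss to the article's group; None for the unassigned
    12-18% gap (and for anything below the 0.7% floor of Group 1)."""
    for name, (lo, hi) in BANDS.items():
        if rel_pct >= lo and (hi is None or rel_pct < hi):
            return name
    return None


def quick_estimate(annual_revenue, low_pct=5.0, high_pct=10.0):
    """'Quick and dirty' loss potential: 5-10% of monthly revenue, in currency units."""
    monthly = annual_revenue / 12.0
    return monthly * low_pct / 100.0, monthly * high_pct / 100.0


def summarize(cases):
    """Mean/median relative loss and per-group counts for (loss, annual_revenue) pairs."""
    rel = [relative_loss_pct(loss, rev) for loss, rev in cases]
    counts = {}
    for pct in rel:
        group = classify(pct)
        counts[group] = counts.get(group, 0) + 1
    return {"mean_pct": mean(rel), "median_pct": median(rel), "groups": counts}


# Constructed sample cases: (total loss in USD, annual revenue in USD)
SAMPLE_CASES = [
    (1_000_000, 600_000_000),   # 2% of monthly revenue  -> Group 1
    (4_000_000, 600_000_000),   # 8%                     -> Group 2
    (12_000_000, 600_000_000),  # 24%                    -> Group 3
    (7_000_000, 600_000_000),   # 14%                    -> unassigned gap
]

if __name__ == "__main__":
    print(summarize(SAMPLE_CASES))
    print(quick_estimate(600_000_000))
```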

Accordingly, the loss data not only emphasize the necessity of adequate cybersecurity measures but also highlight their effectiveness in reducing financial losses.

Interested in more insights, our data or working with us? Reach out! We’d love to hear from you!

Sources

[1] A.M. Freed (2022): Ten of the biggest Ransomware Attacks of 2021. URL: https://www.cybereason.com/blog/ten-of-the-biggest-ransomware-attacks-of-2021 (Last visited: 18.09.2023).

[2] R. Sobers (2022): Ransomware Statistics, Data, Trends, and Facts - updated 2023. URL: https://www.varonis.com/blog/ransomware-statistics (Last visited: 18.09.2023).

Sophos (2023): The State of Ransomware 2023. URL: https://assets.sophos.com/X24WTUEQ/at/h48bjq7fqnqp3n5thwxtg4q/sophos-the-state-ransomware-2023-infographic-1200-1200px_2x.png (Last visited: 18.09.2023).

Sophos (2020): The State of Ransomware 2020. URL: https://www.idric.com.mx/storage/app/media/ebooks/sophos-the-state-of-ransomware-2020-wp.pdf (Last visited: 18.09.2023).

[3] Kaspersky (2020): 2020 IT spending: cybersecurity remains investment priority. URL: https://www.kaspersky.com/about/press-releases/2020_2020-it-spending-cybersecurity-remains-investment-priority-despite-overall-it-budget-cuts-kaspersky-found (Last visited: 20.09.2023).

Statista (2023): Cybersecurity – Worldwide. URL: https://www.statista.com/outlook/tmo/cybersecurity/worldwide#revenue (Last visited: 20.09.2023).

[4] "The median total incident costs for those events with clear issues in response is over two and a half times that of incidents where there was no sign of a poor response." Source: Cyentia Institute (2020): IRIS 20/20 Xtreme. URL: https://www.cyentia.com/wp-content/uploads/IRIS2020-Xtreme.pdf (Last visited: 26.09.2023).