One cybersecurity firm estimates that extortive attacks now cost small and medium companies at least $75 billion in expenses and lost productivity each year.
ADAM CHANDLER | SEP 3, 2016
In recent months, a proliferation of ransomware attacks has affected everyone from personal-computer and smart-phone owners to hospitals and police departments. An attack works like this: A virus arrives and encrypts a company’s data; then a message appears demanding a fee of hundreds or thousands of dollars. If the ransom is paid in time, the information is restored. “At the heart of this new business model for cybercrime is the fact that individuals and businesses, not retailers and banks, are the ones footing the bill for data breaches,” Josephine Wolff noted in The Atlantic back in June.
According to an FBI tally, ransomware attacks cost their victims a total of $209 million in the first three months of 2016, a stunning surge upward from $24 million in all of 2015. However, that figure was based only on the complaints that victims reported to the bureau. In a new report, Datto, a Connecticut-based cybersecurity company, offers an alarmingly higher estimate that accounts for unreported incidents and lost productivity, which costs businesses far more than paying ransoms does.
The company’s survey of 1,100 IT professionals found that nearly 92 percent had clients that suffered ransomware attacks in the last year, including 40 percent whose clients had sustained at least six attacks. The report found that “less than 1 in 4 ransomware incidents are reported to the authorities.” Factoring in the cost and average amount of time lost to infections—an overwhelming majority of small businesses hit by ransomware face at least two days of downtime—as well as the number of businesses affected by them, Datto suggests that the financial impact of this brand of cybercrime starts in the range of $75 billion each year.
The company arrived at this figure based on an estimate from the Aberdeen Group, a consultancy, that an hour of inactivity costs small companies an average of $8,581 per hour. By comparison, Datto’s survey indicated that about three-quarters of the IT professionals said the ransoms paid were somewhere between $100 and $2,000. Overall, Datto estimates that $375 million has been paid out in ransoms in the past year, making lost productivity the much bigger concern.
Joe Gleinser, the president of GCS Technologies, an Austin-based IT support and services company, walked me through just how time-consuming it is for companies to deal with ransomware attacks, which generally starts with the appearance of “unusually named files” or files that suddenly can’t be accessed. “Locking the network down”—freezing some or all of a company’s systems—is typically the first step after the attack is recognized, in an effort to stop the damage and look for fixes.
“So that’s productivity hit number one,” he said. For a small business, that can mean an entire operation; for a larger one, it could mean a section or a division. “Obviously in certain industries that’s a lot more painful,” Gleinser added. “In health care, that can mean patients going untreated. If you don’t have that information, you don’t know what drugs were prescribed and sometimes it’s tough to make decisions.” Earlier this year, operations at a Los Angeles hospital came to a near halt, leaving staff to use faxes and paper notes to communicate before a $17,000 ransom was paid.
If a business has a well-maintained back-up system in place, data may be restored with only some small delays and limited expense. Should a sufficient back-up not be possible and should the inaccessible files be deemed important enough, the second step is paying the ransom, a practice that the FBI discourages, but says is not illegal under most circumstances.
“Paying the ransom is tricky business,” said Gleinser. “You’re dealing with criminals.” While many ransomers operate quickly, even attentively, that is not always the case. Datto’s survey found that 7 percent of IT professionals reported incidents where data was not restored even after a ransom was paid.
But even paying the ransom can be tricky. “If you don’t have Bitcoin right now, you’re probably not going to get it before the timer expires on the infection,” Gleinser said. “Many of these infections, as soon as you start the process to engage with the ransomer … you have about 48 hours before the data is non-recoverable to encourage you to move quickly.”