What generates claims costs from a ransomware attack?

Anthony Hess
October 2020
Part one in our series on ransomware costs, prevention and mitigation

Lately, we’ve been doing a lot of thinking about what makes a good ransomware prevention and response service. As a part of that discussion we’ve been considering where the cost drivers are within cyber claims and I thought perhaps our audience would be interested as well.

In this multi part series, we are going to talk about a range of topics including what generates claims costs and how ransomware trends are changing cost drivers. We will look at how to prevent and mitigate both simple and targeted attacks. We'll also explore data breaches, the pros and cons of paying a ransomware demand, and the impact on overall costs.

Escalating costs

The past few years in the cyber security world have in many ways been the story of the rise of ransomware. Ransomware attacks started decades ago, with an attack reported as early as 1989, PC Cyborg, which used floppy disks sent in the mail! The middle part of the 2010s is really when the ransomware industry began to pick up with malware such as Cryptolocker. However, even at this point the ransomware was comprised of relatively simple attacks against Windows PCs. The ransoms were relatively small with typical amounts of just a few hundred US dollars. For the attackers, it was a lucrative business with total payments likely into the hundreds of millions due to the number of people infected but for the most part it wasn’t a serious problem to deal with for corporate defenders. However, once attackers realised the possibilities available by virtue of having a reliable anonymous payment mechanism like Bitcoin the situation really began to escalate. Attackers pivoted from attacking low value systems to focusing on business-critical internet facing systems like servers and then diversified into large targeted attacks against companies. Today, we see a wide variety of ransomware attacks: untargeted, simple targeted and now complex targeted attacks which include a data breach extortion element.

In the 2014-17 timeframe, when many insurers were adding cover for business interruption generated by a cyber event, the losses generated by these attacks were relatively minor. 2017, which also was highlighted by the NotPetya and WannaCry attacks, was the year when this began to shift and by 2019 the losses generated by ransomware pushed loss ratios upward and have started to cause a market hardening with high limits becoming harder to come by and premiums increasing.

What is generating these claims costs? This is not a scientific examination of a distribution of costs, but the following are typical cost drivers that you would see on a ransomware claim.

Cost of the ransom

These are the direct costs of paying the ransom, including any fees levied by the company doing the payments or the sanctions checks. There has typically been a great deal of focus on the cost of a ransom, as this is a very direct and obvious cost as well as a moral quandary that cyber professionals have debated since the earliest days of ransomware. Although ransoms in the hundreds of dollars were common in the early days, we have direct experience with ransom requests as high as $16 million USD. An untargeted attacker may only request a few thousand dollars in ransom, while a targeted one will demand what their research shows the company is capable of paying. These days, seven figure ransoms are not uncommon, and eight figure ransoms exist but are not the norm. The US law firm GSMS was requested to pay $42 million USD by the REvil group, which also threatened to release the sensitive data stolen from their systems. More common are attacks such as the Netwalker attack against K-Electric, Pakistan’s largest private electric company, which according to Bleeping Computer requested a ransom of $3.8 million USD.

Incident response and forensics

These are the costs for a technical cyber response firm to respond and contain the incident and for forensics experts to research the cause and impact. This is another area that most people tend to consider when modelling the impact of a cyber incident on their company. For simple attacks, where the attacker doesn’t attempt to move laterally through the corporate network, incident response costs are typically fairly low. For example, an attacker might use Microsoft remote desktop to attack a single server or use a phishing email to encrypt a single system. These investigations are often completed for thousands or tens of thousands of dollars at most. More targeted attacks, but still without a data breach element, against a larger company can easily cost into the tens of thousands, but unless the case is particularly complex or the supplier very expensive you wouldn’t normally run into the hundreds of thousands of dollars investigating. However, if there is a data breach element and the attacker has completely infiltrated the network before activating the ransomware it wouldn’t be unusual to see costs run into the hundreds of thousands of dollars.

Legal and privacy advisory costs

These are the costs for a law firm (usually) to advise on any privacy and notification requirements. They may also project manage (“quarterback” in US breach response slang) the cyber incident. This varies significantly by industry and jurisdiction. Depending on the industry, you may have very sensitive data being held, such as health care data, which brings additional notification requirements and heightened sensitivity. For an example of a jurisdictional difference, in the US you typically find much greater fear over the threat of third-party action, in particular class action lawsuits. This leads to a much more active role for the law firms and additional costs to cover their time. However, unless there is a data breach element or some other factor increasing costs these tend to not be a large amount of the overall claim when it comes to ransomware in most situations. It isn’t unusual to see costs of only a few thousand dollars for a basic assessment of the situation and advice as well as some light project management. It is relatively rare for legal costs to exceed $100k USD, unless there is some particular complexity (e.g. defence costs) or scale (e.g. a large company with challenges in project management or technical challenges) to the legal assistance required.

Systems restoration costs

These are the costs for IT experts to come in and rebuild the systems that the ransomware has taken out. Not long ago you could pay the ransom and be back up and running relatively quickly and easily. These days, recovery is often a long and difficult process whether you pay the ransom or not. In order to accelerate this, we have seen the rise of ransomware recovery experts who focus on the recovery of these systems rather than the initial response and investigation. As these are experts who come into a company and support their recovery the most common skills are an understanding of incident response and forensics, experience building desktop and server Microsoft Windows operating systems and of course project management. Less common for external teams are skills in specific business systems, databases and networks or in particular home-grown and company specific applications. The costs of remediation teams are typically in the tens of thousands of dollars at a minimum, but quickly escalate to the hundreds of thousands of dollars level and with larger clients engagements into the millions of dollars are possible.

Data breach specific costs

These are the costs related to the loss of personal or other sensitive data. This can include regulatory fines, class action costs, notification costs and especially but not uniquely in the US, credit monitoring costs. Not too long-ago data breach costs were not generally expected to result from a ransomware attack, but that has been changing quickly. First, some data breach laws such as GDPR may actually require data subject notification for a ransomware attack without a confidentiality breach if it is believed there is a high risk to the rights and freedoms of individuals due to the lack of availability of important data. Even more worrying is that attackers have now begun to react to better preparedness on the part of defenders by stealing data so that a ransom will have to be paid either way. Unfortunately, even if the ransom is paid in these cases there are very likely to be notification and other privacy related costs. These can reach extraordinary heights very quickly, especially in the US where credit monitoring is a norm and snail mail-based notifications are typically required.

Outside of the US, the situation can be somewhat different. For example, GDPR brings with it the risk of large fines, but we haven’t seen fines resulting from a cyber incident happen very often to date. In addition, notifications are often done using email or web site notices. Another innovation we see outside of the US is the use of dark web monitoring for indications that the stolen data is being sold instead of rather than in addition to credit monitoring. In data breaches with very large amounts of impacted personal data it is not unusual to see costs in the hundreds of thousands or even millions of USD.

Business interruption costs

These are the costs of the loss of revenue due to the impact of the cyber incident. With a ransomware attack, these are usually due to the loss of revenue from the business being in a non-functional state. There may also be other resulting damages that one could consider a form of business interruption ("BI"), such as spoilage of product or loss of customers due to reputational harm. These are relatively rare compared to the overall number of cases, but they do happen. BI can be difficult to predict as its based heavily on the number of affected systems and their importance to the business, the nature of the business (for example, professional services firms can often “make up the loss” later by having their employees work additional hours on the weekends and evenings) and the expertise of the remediation teams (both internal and external). BI costs can also be difficult and challenging to model after the event and are often a source of friction between an insurer’s claims team and the insured. BI costs can range from relatively small amounts (e.g. thousands) up to the tens of millions very quickly. In fact, in our experience ransomware claims with heavy business interruption are probably the simplest way to exhaust the limit on a cyber policy. This holds true especially if the policy had been purchased a few years ago in a company without much data breach exposure and the risk management department or broker didn’t go back and ensure sufficient limits.

In summary

These are the common sources of cyber claims costs, but it’s important to remember that cyber incidents can have negative business impacts in unexpected ways. The comprehensive impact of ransomware is essential for companies to consider in order to prepare a response to mitigate the damage. The key isn’t just the amount of the ransom, or the investigation costs, but rather a balance between a number of different potential sources of costs that may offset each other depending on how you respond.

Coming up next

In our next instalments, we will discuss ransomware trends and how you can focus on key factors to either prevent or mitigate the losses stemming from these incidents.

Find out more

If you are facing a ransomware attack, please request emergency assistance immediately.

To find out more about any of our services, please contact us. To start a conversation or to report any errors or omissions, please feel free to contact the author directly.

Anthony Hess
LinkedInenvelope by Bluetip Design from the Noun Project
Anthony is Asceris’ CEO. He has over 20 years of professional experience in technology and has worked with leading cyber insurers for the past seven years. His focus is on building high performing cyber claims and response services, as well as creating impactful cyber risk management services for insurers.

About Asceris

Our mission at Asceris is to reduce the financial and business impact of cyber incidents and other adverse events. By understanding the cost drivers of claims and addressing these proactively through automation and continuous process refinement, we are able to deliver high quality incident response services in close collaboration with our industry partners.

Follow us on LinkedIn or subscribe to our RSS feed to make sure you don’t miss our next article.

Other recent insights