Ransomware Costs in 2019 by Alicia Hope

Ransomware Costs in 2019

2019 saw a lot of action. But protests in Hong Kong, Notre Dame burning, and President Trump being impeached weren’t the only things that went on. “In 2019, the U.S. was hit by an unprecedented and unrelenting barrage of ransomware attacks,” said Emsisoft’s The State of Ransomware in the US: Report and Statistics 2019. The ransomware costs of 2019 are higher than they ever have been, and are expected to rise even further in 2020.

What happened?

2019 saw the highest number of ransomware attacks ever, according to the Emsisoft report. The ransomware attacks affected at least 966 government agencies, educational establishments and healthcare providers. To be more specific:

  • 113 state and municipal governments and agencies
  • 764 healthcare providers
  • 89 universities, colleges and school districts. This means that up to 1,233 individual schools were affected.

What were the ransomware costs?

It’s hard to know exactly how much a ransomware attack costs, but Emsisoft estimates that the costs in 2019 alone could have exceeded $7.5 billion. This could definitely be on the more liberal side of things, as this number is based on an average ransomware infection cost of $8.1 million, but even if the real number is lower, it is still a significant threat.

What is the average ransom demand?

This number is hard to know exactly as well, as there is no legal requirement for public entities to share or disclose ransomware costs or malware attacks, but we can look at what Atlanta spent in March 2018 to get an idea.

In March 2018, the city of Atlanta fell victim to a ransomware attack, where the attackers were demanding roughly $50,000 worth of bitcoin. They were using a ransomware variant called SamSam.

The payment portal was taken down very quickly, so the city might not even have had the chance to pay the ransom. Citizens were unable to pay their water bills; law enforcement had to write reports by hand, although 911 calls still went through; the city stopped taking applications for employment.

In the end, the city of Atlanta spent $2,267,328 in recovery costs.

What was affected in 2019?

Ransomware costs not only include a financial burden, but can also endanger people’s lives and health. Here’s how that happened in 2019, quoted from Emsisoft’s report:

  • Medical records were inaccessible and, in some cases, permanently lost.
  • Surgical procedures were canceled, tests were postponed and admissions halted.
  • 911 services were interrupted.
  • Dispatch centres had to rely on printed maps and paper logs to keep track of emergency responders in the field.
  • Police were locked out of background check systems and unable to access details about criminal histories or active warrants.
  • Surveillance systems went offline.
  • Badge scanners and building access systems ceased to work.
  • Jail doors could not be remotely opened.
  • Schools could not access data about students’ medications or allergies.
  • Property transactions were halted.
  • Utility bills could not be issued.
  • Grants to nonprofits were delayed by months.
  • Websites went offline.
  • Online payment portals were inaccessible.
  • Email and phone systems ceased to work.
  • Driver’s licenses could not be issued or renewed.
  • Payments to vendors were delayed.
  • Schools closed.
  • Students’ grades were lost.
  • Tax payment deadlines had to be extended.

How does a ransomware attack happen?

In years past, malware and ransomware attacks would be launched by phishing emails. More recently, the attacks have been the result of weak information security measures being taken by the entities under attack.

According to the Emsisoft report, these weaknesses include not having a security plan or disaster recovery plan, not performing legally mandated risk assessments, and not encrypting sensitive information.

The report also noted the results of a 2019 University of Maryland, Baltimore County research report. The results were based on data from a nationwide survey of cybersecurity in U.S. local governments, and were that:

  • Just over one-third did not know how frequently security incidents occurred, and nearly two-thirds did not know how often their systems were breached.
  • Only minorities of local governments reported having a very good or excellent ability to detect, prevent, and recover from events that could adversely affect their systems.
  • Fewer than half of respondents said that they cataloged or counted attacks.

What do we need to do?

Ransomware costs can be thousands of dollars, for either paying the ransom (which is never advisable) or for recovery costs. According to the Emsisoft report, there are several things we can do to protect ourselves and organizations from ransomware attacks and the costs associated with them:

  • Audits of entities need to happen more frequently and be more comprehensive with their standards. The rules for cybersecurity should also be enforced more strictly.
  • More guidance needs to be provided for how to embark on cybersecurity ventures, especially for smaller organizations and municipalities with limited funds and manpower.
  • More funding needs to be allocated to IT and cybersecurity. The successful attacks are a result of underfunding that creates dilapidated and under-emphasized programs.
  • Public entities should be required to report and disclose ransomware and malware incidents.
  • The public and private sectors should try to bridge the communication gap that separates them so that we can learn as much as possible about this cyber threat.
  • There should be restrictions on ransom payments.
  • Vendors and service providers of cyber security should do more to innovate and create systems that will prevent the malware and ransomware attacks from happening in the first place.

Ransomware costs and attacks are expected to increase in 2020. To stop attacks, ransomware needs to become an unprofitable business for hackers to be in. Better cybersecurity measures must be taken to prevent the attacks, and ransoms must not be paid when the security measures fail.