pixel_dreams - Fotolia
Major news organizations stated that cybercriminals had raked in more than $209 million in the first quarter of 2016, more than an eight-fold increase compared to the entire previous year. Citing data from the FBI, CNN predicted that 2016 would see cybercriminals collect more than $1 billion via recent ransomware attacks by the end of the year. Both the Los Angeles Times and Reuters cited the $209 million figure, the Times calling it profits and Reuters portraying it as damages.
The origin of that number is a mystery, however.
Even a few months later, in August 2016, the FBI could not confirm the number, but cited a dramatically smaller figure -- $2.69 million -- as damages from ransomware for the first six months of the year. The agency had worked through the data and discounted large damage figures from certain companies, an FBI spokesperson said.
In May of this year, the FBI released its "2016 Internet Crime Report," and the number had shrunk even further: 2,673 complaints identified as ransomware accounted for losses of $2.43 million for the entire year.
"While ransomware infection statistics are often highlighted in the media and by computer security companies, it has been challenging for the FBI to ascertain the true number of ransomware victims as many infections go unreported to law enforcement," the FBI stated in a call for victims to report incidents.
Yet more details of recent ransomware attacks have underscored that a single incident can have massive repercussions -- especially if a company's operations are compromised.
Global shipping conglomerate A.P. Moller-Maersk suffered significant losses due to the fast infiltration of the NotPetya ransomware attack on June 27, 2017. Three of the conglomerate's business units were affected. Two days later, Maersk could only accept bookings from existing clients, but its ability to operate gradually recovered between July 3 and July 9, according to an interim report released by the shipping giant.
"These system shutdowns resulted in significant business interruption during the shutdown period, with limited financial impact in Q2, while the impact in Q3 is larger, due to temporary lost revenue in July," the company stated. "While the businesses were significantly affected by this cyber-attack, no data breach or data loss to third-parties has occurred."
Overall, the outage and recovery will cost the company somewhere between $200 million and $300 million.
So, are recent ransomware attacks overblown, or have they reached epidemic proportions?
Such incidents underscore the potential impact of ransomware -- and any attack that targets operations, such as the Sony Pictures hack. At the same time, there is a lack of reliable data on ransomware cost and the vast majority of small attacks -- which is unsurprising, given that gathering data on ransomware, like with other cybercrimes, is notoriously difficult. The FBI estimates that only 15% of cybercrimes are reported, and that number may be lower for ransomware.
Many companies do not report compromises by ransomware because -- in most cases -- they are not required to do so. The Health Insurance Portability and Accountability Act, for example, does not require reporting if protected health information is encrypted.
"There is no reporting requirement, ordinarily, for a ransomware event, and the dollars involved are small enough because they are not materially impacting the company, so they are not required to report," said David Bradford, co-founder and chief strategy officer for insurance data firm Advisen.
Unfortunately, that leaves the industry reliant on unsupported damage numbers that tend to take on a life of their own. In its "2017 Midyear Cybersecurity Report," Cisco stated that ransomware caused $1 billion in damages in 2016. When asked about the source, the company's response sounded eerily similar to the early, but no longer supported, data from the FBI.
"Their research confirms what has been reported by other vendors, showing 200+ (million) range in the first three months of 2016 and the expected growth to 1 (billion) in overall payout and related business costs by the end of 2016," a Cisco spokesperson clarified.
Cisco is not alone. Without specifics regarding its calculations, the Cyber Threat Alliance -- a group of a dozen antivirus and security vendors -- estimated in 2015 that the third version of CryptoWall collected $325 million in revenue for its operators. The report states that 406,000 attempted infections had been identified, but does not describe how the group calculated the profits, and in the conclusion describes the $325 million as damages. The authors did not respond to a request for clarification on the calculations.
Ransomware payments rarely exceed tens of thousands of dollars, and most often cost $300 to $1,000. Yet risk experts point out that those numbers do not include the much higher ransomware cost of lost business and productivity. Before 2017, companies rarely had to halt operations to deal with ransomware -- the most notable case being Hollywood Presbyterian Medical Center, which paid a reported $17,000 and had to turn away some patients.
While recent ransomware attacks are highly visible crimes in many cases -- causing operational problems for companies with major infections -- the number of reported cases and damages is much smaller than other internet crimes. In 2016, ransomware was not even in the top 20 crimes reported to the Internet Crime Complaint Center, the FBI's portal for reporting crimes, accounting for less than 1% of the complaints and about 0.2% of losses tracked by the FBI. For comparison, business email compromise -- the top internet-related threat in terms of losses -- accounted for 4% of complaints and 27% of losses.
Even if Cisco's damage figure is not derived from strong evidence, it is probably in the right ballpark, said Brad Stone, a threat analysis and hunting expert with consulting firm Booz Allen Hamilton.
"The number is a lot larger than what is reported," he said. "It is really hard to bound, and it is also really hard to estimate the cost beyond the payment that they report, in terms of the impact on businesses."
Even if ransomware cost did not amount to what security firms estimated in 2016, this year looks to be different. While WannaCry fizzled for the most part, the spread of NotPetya likely did more than $1 billion in damages.
David Bradfordco-founder and chief strategy officer, Advisen
On June 27, 2017, medical and consumer goods maker Reckitt Benckiser suffered a widespread infection of the NotPetya ransomware attack, which "rendered many systems and servers … inoperable very quickly." A week later, the company began recovering, and by July 11, 2017, most of its manufacturing was "producing close to normal capacity." The company did not expect to fully recover until the end of August, suffering delayed shipping, reduced production and lost sales.
The total loss for the British multinational could be about $130 million, according to one estimate based on the firm's restatement of earnings.
"From an operational perspective, as expected we had a tough first half, with challenging conditions exacerbated by a sophisticated cyber-attack," CEO Rakesh Kapoor said in a statement on July 24, 2017, adding, "We still have work to do on addressing the full implications of the recent cyber-attack."
With two companies accounting for more than a third of a billion dollars, it is likely that recent ransomware attacks like NotPetya caused more than $1 billion in damages. The event underscores what insurers like Advisen see as the danger: a ransomware -- or other data-destroying -- attack that exploits a widespread vulnerability.
"The thing that really frightens insurers is not an event that affects any single company; it is the aggregation of events," Bradford said. "Even though each loss may not be catastrophic for the company, that aggregation of exposure is what's really keeping insurers up at night."
Insurance firms have already started looking at the potential for damage from a massive ransomware attack. An estimate conducted by insurer Lloyd's of London and risk-science firm Cyence found that such an attack could cause $10 billion in business losses in North America and Europe, and possibly reach $29 billion.
"One of the things I think we will see is that insurers -- if you look at them in aggregate -- you will start seeing that they will have true economic impact numbers," said Matt Honea, cyber manager at Cyence. "While the FBI numbers are a starting point, not everyone reports to them, and they don't account for all the damages."
Future ransomware may have tricks to make it more damaging as well, Honea said.
"I think there will be a triggered ransomware, where someone will get hit, and it will not encrypt right away," he said. "The criminals will be a little bit smarter and wait for a bigger payoff -- whether that's more valuable data or stopping company operations."
Roughly one-third of companies with 1,000 employees or less have encountered ransomware, according to security firm Malwarebytes' "Second Annual State of Ransomware Report: Global Survey Results." The report, published in July, is based on an independent survey of small and medium business conducted by Osterman Research. Such surveys are often self-selecting because companies affected by ransomware are more likely to take part.
The biggest change for companies is to plan for a ransomware attack, said Adam Kugawa, director of malware intelligence for Malwarebytes.
"We have gone past the days where we would say, 'Hey, you should protect yourself against ransomware so you don't get it,'" he said. "Now you should expect to get hit; it is going to happen."
Strategies to prevent ransomware as a service
Learn more about destruction-of-service malware
How to find the best endpoint antimalware tools