The cost of ransomware attacks

August 1, 2020


  • The average enterprise ransom payment is $111,605.
  • 205,280 organizations were affected by ransomware attacks in 2019.
  • The average cost for victims of ransomware attacks to recover more than doubled in the final quarter of 2019. According to a new report from Coveware, a typical total now stands at $84,116. That’s a little over double the previous figure of $41,198.


In today’s ever-evolving and tech-forward world, cyberthreats are an unfortunate reality. Cybercrime impacts businesses regardless of their size, industry focus or cybersecurity budget. These threats are increasingly complex as cybercriminals deploy new and sophisticated tactics to exploit business networks for financial gain.

One common and damaging way cybercriminals target businesses is through ransomware attacks, which are among the most costly cyberthreats faced by organizations. In fact, by the first quarter of 2020, the average enterprise ransom payment was $111,605.¹

The volume of ransomware attacks against commercial entities has increased significantly. Emsisoft, a security firm that helps companies hit by ransomware, reports that 205,280 organizations were affected by ransomware attacks in 2019, a 41% increase from 2018.² And while many organizations understand the importance of preparing for attacks such as these, few understand the mechanics of ransomware attacks and the true extent of the damage they can cause.

What are ransomware attacks?

Ransomware refers to a type of malware that gains access to and encrypts a victim’s systems, devices or files, locking users out of their own networks. Once ransomware has infected a network, the victim is forced to pay a ransom to regain access to their data or systems. If the demands are not met, the encrypted files remain unavailable, or data may be deleted.³ In more sophisticated schemes, attackers may exfiltrate data before locking systems, allowing them to extort even more from companies by threatening to disclose or sell their data if they don’t pay.

How are ransomware attacks deployed?

Criminals can infect a business network with ransomware in a variety of ways, including tricking users into clicking malicious links in an email (i.e., phishing scams), taking advantage of poorly secured network ports or using “wormable” forms of ransomware that exploit network vulnerabilities. Victims are targeted through two types of campaigns⁴:

Opportunistic ransomware campaigns: Cybercriminals cast a wide net to gain access to a business’s system. In these campaigns, ransomware attacks are mostly automated and are primarily spread through user-initiated actions. For instance, an employee could unknowingly open a malicious attachment in an email or visit a compromised website.

Strategic ransomware campaigns: Cybercriminals select a target or group of targets. In these campaigns, ransomware attacks are not as automated and are instead based on a victim’s profile. Strategic ransomware campaigns target victims based on their reliance on computer systems, the sophistication of their network protections and whether or not the victim is believed to have the means to pay the ransom. These higher-effort campaigns generally result in much better payouts for criminals.

Ransomware attacks are constantly evolving, and it’s easier than ever to conduct these attacks. Deploying basic ransomware attacks requires minimal technical know-how, particularly during ransomware-as-a-service transactions in which ready-to-deploy ransomware campaigns can be purchased and distributed at will.⁵

What’s at risk?

Many businesses wrongly assume they aren’t attractive to cybercriminals, whether that’s because they believe their operations aren’t big enough to become a target or they feel the data they store isn’t lucrative enough to seek out. The truth is that every business has some form of cyber exposure, and cybercriminals don’t discriminate based on a business’s operations or size. In fact, research has found that there is only a small difference in ransomware attack rates for small organizations (less than 1,000 employees) and larger organizations (more than 1,000 employees).⁶

Ransomware attacks are particularly harmful because businesses won’t have access to critical data until they’ve paid up. Attackers may ask victims to pay anywhere from a few hundred dollars to millions of dollars before releasing ransomed data. Additionally, whether the ransom is paid or not, businesses have to contend with significant business interruption expenses, which have also been increasing in recent years. The average cost for victims of ransomware attacks to recover more than doubled in the final quarter of 2019. According to a new report from Coveware, a typical total now stands at $84,116. That’s a little over double the previous figure of $41,198.⁷

Even if businesses pay the ransom, there’s no guarantee they will get their files back or that they will be returned in a usable state. Some data even suggests that paying a ransom often doubles the cost of dealing with a ransomware attack.⁶ Ransomware payments are typically completed using bitcoin or other cryptocurrencies, which are nearly impossible to track.⁵ Furthermore, once a business has been infected, they may face long-term reputational harm, have to pay a considerable sum for forensics experts to investigate their system, or invest in additional IT expenses to prevent future attacks. Thankfully, though, when it comes to ransomware, businesses aren’t without recourse. Cybercrime victims or third parties can file an internet crime complaint with the FBI’s Internet Crime Complaint Center.

How businesses can protect themselves

To protect their operations, businesses should consider the following strategies recommended by the Cybersecurity and Infrastructure Security Agency (CISA)⁸:

    • Train employees on the different kinds of ransomware and what to look out for; employees should know how to spot potentially malicious links, attachments and websites, and understand how to report issues to their IT department
    • Create a data backup and recovery plan for all critical information
    • Block malicious IP addresses using firewalls
    • Use application whitelisting to execute only programs known to be safe
    • Patch networks and update systems regularly; vulnerable applications and operating systems are the targets of most attacks, and patching them reduces the number of entry points available to an attacker; businesses should also ensure that antivirus software is up to date and that they use strong spam filters to prevent malicious emails from reaching end users
    • Restrict employees’ ability to install and run potentially malicious software; employees should be able to access only the systems required for their roles, ensuring that employees don’t have access to more data than they need, which can help businesses contain an attack more quickly should one occur

Above all, companies need to have an incident response plan for ransomware and other cyberattacks. Plans should account for employee training and drills to ensure that staff members understand what to do in the event of a cyberthreat. Plans should also include clear communication strategies to ensure that key stakeholders can disseminate critical information during emergencies, especially while computer systems are compromised. Plans should also be reviewed regularly to ensure they account for the latest threats.

Businesses can prevent and mitigate cyberattacks by building a culture around cybersecurity. Employee training, investing in the right technologies and partnering with the right experts helps in this endeavor. The cyberthreat landscape is incredibly complex, and it’s crucial for businesses to work with proven experts who understand the most common threats and the strategies that organizations should employ to safeguard their data and their business.

Businesses should also secure a cyber insurance policy that’s customized to the unique needs of their organization. This policy should be reviewed regularly with their agent to ensure it addresses evolving threats and business practices.



  1. One common and damaging way cybercriminals exploit businesses is through ransomware.
  2. Ransomware refers to a type of malware that gains access to and encrypts systems, devices or files, locking users out of their own networks.
  3. Companies need to have an incident response plan for ransomware and other cyberattacks.