01 Jun Global Ransomware Damage Costs Predicted To Exceed $265 Billion By 2031
Fastest growing type of cybercrime is expected to attack a business, consumer, or device every 2 seconds by 2031
– Steve Morgan, Editor-in-Chief
Sausalito, Calif. – Jul. 7, 2023
The 2023 Ransomware Market Report is sponsored by KnowBe4.
Ransomware, fueled by low prosecution rates and the willingness of victims under duress to pay to salvage their businesses, profoundly impacts the global economy.
It has been six years since a report from Cybersecurity Ventures predicted ransomware damages would cost the world $5 billion (USD) in 2017, up from $325 million in 2015 — a 15X increase in just two years. The damages for 2018 were predicted to reach $8 billion, for 2019 the figure was $11.5 billion, and in 2021 it was $20 billion — which is 57X more than it was in 2015.
There’s not a glimmer of empathy in today’s ransomware operators.
Ransomware will cost its victims around $265 billion (USD) annually by 2031, Cybersecurity Ventures predicts, with a new attack (on a consumer or business) every 2 seconds as ransomware perpetrators progressively refine their malware payloads and related extortion activities. The dollar figure is based on 30 percent year-over-year growth in damage costs over a decade.
Cyberattackers will just as quickly strike a hospital as a Fortune 500 organization. The only things that matter are finding an initial access point, encrypting networks, and — when possible — extracting sensitive data to exert pressure on victims for extortion purposes.
As a global threat, the risk of prosecution, in many cases, is low, allowing rogue operators to organize themselves with staff, structures, and processes comparable to modern-day businesses.
Our damage cost estimates may be conservative regarding the true economic damage ransomware causes. Still, with so many dollars at stake, insurers are rapidly rethinking their approach to the ransomware plague.
WHAT IS RANSOMWARE?
Ransomware is malware that encrypts a victim's files and systems with strong cryptography so that the data cannot be recovered without the correct decryption key.
Ransomware operators encrypt the files and then offer the victim that key in return for payment, typically in cryptocurrencies such as Bitcoin (BTC), which makes tracing the illicit funds more difficult.
Established and prominent ransomware strains include Ryuk, NotPetya (a destructive wiper that posed as ransomware), Cl0P, and Royal. Cybersecurity Ventures tracks around 100 ransomware gangs and strains each quarter.
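The "cannot be recovered without the key" property comes from the hybrid envelope scheme most modern families use: each file is encrypted with a fresh symmetric key, and that key is then wrapped with a public key whose private half only the operator holds. The following Go program is an added illustration of that scheme written for this page; it is not code from the report or from any ransomware family, operates only on an in-memory byte string (a constructed sample document, no filesystem access), and the names Envelope, Seal, Open and Demo are chosen here for clarity.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Envelope is what a victim is left with per file: the body sealed under a
// one-time AES-256-GCM key, and that key wrapped under the operator's RSA
// public key. Nothing stored here reveals the file key.
type Envelope struct {
	WrappedKey []byte // RSA-OAEP(fileKey); only the operator's private key opens it
	Nonce      []byte // GCM nonce, safe to keep in the clear
	Ciphertext []byte // AES-256-GCM(file contents) with its authentication tag
}

// Seal models the hybrid scheme: fresh symmetric key per file, wrapped with the
// attacker-controlled public key, after which the plaintext key is wiped.
func Seal(pub *rsa.PublicKey, plaintext []byte) (*Envelope, error) {
	fileKey := make([]byte, 32)
	if _, err := rand.Read(fileKey); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(fileKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fileKey, nil)
	if err != nil {
		return nil, err
	}
	env := &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plaintext, nil)}
	// The symmetric key only ever lived in memory; wiping it leaves the victim
	// no recovery path short of the RSA private key or a clean backup.
	for i := range fileKey {
		fileKey[i] = 0
	}
	return env, nil
}

// Open is the "decryptor" the operator sells: without the matching private key
// the file key cannot be unwrapped, so the contents stay sealed.
func Open(priv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	fileKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, env.WrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("cannot unwrap file key (wrong private key?): %w", err)
	}
	block, err := aes.NewCipher(fileKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
}

// Demo runs the scheme end to end on a constructed document and reports whether
// the operator's key recovers it and whether any other key is rejected.
func Demo() (bool, bool, error) {
	operatorKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, err
	}
	victimGuess, err := rsa.GenerateKey(rand.Reader, 2048) // a key the victim could make: useless
	if err != nil {
		return false, false, err
	}
	doc := []byte("Q2 payroll export (constructed sample data)")
	env, err := Seal(&operatorKey.PublicKey, doc)
	if err != nil {
		return false, false, err
	}
	got, err := Open(operatorKey, env)
	recovered := err == nil && bytes.Equal(got, doc)
	_, err = Open(victimGuess, env)
	return recovered, err != nil, nil
}

func main() {
	ok, rejected, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("operator key recovers file: %v, wrong key rejected: %v\n", ok, rejected)
}
```

The practical consequence for defenders follows directly from the structure: the victim-side process never needs the operator's private key, so there is nothing on the compromised host to recover it from, and the only non-payment recovery routes are an offline backup or an implementation flaw in the operator's own code (a reused nonce, a weak key source, a leaked private key).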
Approximately half of ransomware attacks tracked in 2022 started with attack surface exposure. Common entry methods include the use of stolen credentials, vulnerability exploitation, and cyberattacks launched against unsecured online services.
EXTORTION AND THEFT
In recent years, ransomware has expanded far beyond its origins in malicious drive-by downloads on pirate and adult content websites.
Ransomware has now become a weapon of choice for threat actors worldwide, intent on disrupting critical services, blackmailing businesses, or stealing information of benefit to nation-state sponsors.
A troubling trend in the ransomware space is the transition from encryption-only practices to threats, extortion, and theft. Backups are no longer a sufficient defense: many of today’s most prominent ransomware groups, including LockBit, BlackCat, and Black Basta, will conduct covert surveillance on their targets, steal data, and will threaten to publish information online unless a ransom demand is met.
HardBit ransomware operators highlight another troubling trajectory in ransomware tactics that impacts the insurance market. During negotiations, HardBit will entice victims to reveal the details of their cyber insurance policies to set a ransom price.
Double or triple extortion is now commonplace, as well as repeated attacks on the same targets by different ransomware operators.
TARGETS BY SECTOR: HUNTING BIG GAME
In Q1 2023, the manufacturing and industrial sectors experienced the most ransomware incidents, with 45 percent of ransomware and extortion attacks taking place in the United States, according to KELA.
Professional services, engineering, construction, healthcare, and education were also commonly targeted. Victims “named and shamed” on leak sites increased 30 percent year-over-year.
Cybersecurity Ventures’ daily ransomware feed highlights how often a major business is targeted for financial or political purposes.
Dish Network, ScanSource, ABB, and AvidXchange are recent examples of enterprise firms experiencing ransomware attacks, extortion, and data theft as “Big Game” targets, a practice in which cyberattackers will focus on large enterprise firms for the highest returns.
The consequences of a ransomware attack can be catastrophic for a business that must foot the bill for downtime, system recovery and remediation, cyber forensics, upgrades, compensation, and legal issues that may arise.
Considering that some sectors are not well-prepared to cope with ransomware operators, many cyber gangs now specialize in striking vulnerable industries. Royal has been connected to numerous attacks on hospitals, whereas Vice Society is estimated to be responsible for roughly 20 percent of all attacks on educational institutions in the United States.
INDIRECT ECONOMIC COSTS
Hidden economic costs caused by ransomware incidents, regrettably, are often shouldered indirectly by consumers and the general public.
A company that has suffered a ransomware attack may have to pass remedial costs on to its customers. Disruption at a university may cut students off from their education. In healthcare, the financial burden can lead to budget cuts and workforce reductions, limiting care options and lengthening the time before patients are well enough to return to work. We have already seen one hospital close due to ransomware, and in another case a patient died after being rerouted from a hospital under attack.
Just as cyber insurers struggle to quantify cyber risk when creating or amending policies, the true economic damage caused by ransomware is hard to measure, because it does not only strike organizations: it reaches many of us individually.
Nation-states are also taking advantage of ransomware’s capabilities to further their own agendas.
The first notable example of a nation-state-sponsored ransomware attack came in 2017 from the Lazarus Group. The hacking collective was deemed responsible for WannaCry, a ransomware worm that caused widespread damage and disruption to Windows machines worldwide.
According to research conducted by the Institute for Critical Infrastructure Technology (ICIT), nation-state-sponsored advanced persistent threat (APT) groups now support and leverage lower-sophistication ransomware groups, taking advantage of the disruption and chaos they cause for their own ends.
Lower-tier attackers often focus on the money at stake and may offer Ransomware-as-a-Service (RaaS) subscriptions to generate further revenue. Nation-state groups then take advantage of RaaS subscriber activities, harnessing the disruption they cause as “components” of broader attacks or cyberespionage efforts.
Hundreds — if not more — of ransomware gangs and APTs are employing these tactics.
Law enforcement agencies, including the FBI and Europol, are actively working to disrupt and seize the infrastructure ransomware gangs use. Private companies such as Microsoft frequently file civil cases to take down the infrastructure of ransomware distributors and to cut off cybercriminals' access to legitimate tools that are routinely abused, such as Cobalt Strike.
Despite these efforts, ransomware rates continue to escalate. As soon as one group is dismantled, others swiftly emerge to take its place. Furthermore, many criminal gangs disband temporarily — for example, to thwart the efforts of law enforcement — only to reorganize under a new name, posing ongoing challenges to law enforcement and cybersecurity efforts.
Several significant ransomware-related incidents impacting the enterprise have occurred in recent years.
The widespread exploitation of zero-day vulnerabilities in on-premises Microsoft Exchange servers led to the installation of web shells, and in some cases ransomware, on countless machines belonging to businesses worldwide. Meat processing company JBS paid $11 million to end a ransomware lockdown. A ransomware attack against Colonial Pipeline ignited panic buying of fuel across swathes of the U.S., and the company eventually paid $4.4 million to the cybercriminals in an attempt to restore its systems.
These cyberattacks have forced organizations to reexamine their security practices and many consider cyberinsurance as a way to mitigate the potentially ruinous cost of a ransomware attack.
Cybersecurity Ventures predicts the cyberinsurance market will grow from an approximate value of $8.5 billion USD in 2021 to $14.8 billion USD in 2025. Based on a compound annual growth rate (CAGR) of 15 percent over the 11-year period from 2020 to 2031, we expect the market to exceed $34 billion USD by 2031.
Although cyberinsurance has existed in various forms for several decades, it has entered a state of flux with unusual speed, with premiums, and payouts, skyrocketing due to sophisticated cyberattacks and ransomware.
According to the World Economic Forum’s Global Cybersecurity Outlook 2023 report, 48 percent of small organizations do not have any form of cyberinsurance. In contrast, larger firms are more likely to take out a policy.
A successful ransomware attack against an enterprise company can cost millions of dollars. When a cyberinsurance policy with ransomware coverage has been taken out, the insurer has to foot part — or all — of the bill.
As the disclosure of ransomware incidents often leads to reputational harm, organizations can be tight-lipped concerning whether or not they have had to make a claim.
WEF research indicates that the majority of enterprise firms with over 100,000 employees are reluctant to disclose if they have made a claim in the past two years; however, out of the small fraction who admitted making a claim (21 percent), only 14 percent of cases were successful.
To date, CNA Financial has made the biggest ransomware payout on record. The Chicago-based company paid $40 million USD to Russian cybercriminals.
Once they have infiltrated a victim network, some cyberattackers specifically look for insurance documents to evaluate how much they “charge” for a decryption key.
When risk increases, so must premiums. According to Marsh's U.S. Cyber Purchasing Trends report, cyberinsurance premiums increased in cost by 11 percent during Q1 2023. Furthermore, ransomware-related claims rose 77 percent in the same period compared to Q4 2022.
Rating agency AM Best estimates that direct premiums offered by the U.S. cyber insurance market increased by 50 percent over 2022 to reach $7.2 billion USD.
Bloomberg Law reports that insurers are rethinking their stance on cyberattack-related policies to avoid becoming liable for huge payouts in the wake of ransomware incidents and catastrophic attacks. Coverage limits are being tightened and “basic” coverage may not include ransomware or nation-state-sponsored attacks.
It is extremely difficult to categorize cyberattacks by the systemic risk factors that decide a policy's cost and reach. As a result, Chubb Ltd. is considering higher pricing; Beazley Plc is developing a separate "war insurance" product outside of standard cyberinsurance policies to cover nation-state attacks; and Lloyd's is also considering how to separate out what could be considered cyber-terrorism.
There’s a risk that cyberinsurance for some cases, like ransomware and nation-state attacks, could become unviable.
However, as noted by BlackBerry, this is also an area in which the U.S. government may have to step in to protect smaller organizations, and by extension, the economy at large, considering small businesses account for 99.9 percent of all businesses in the U.S.
In a 2022 survey of 415 SMBs and enterprise companies, out of those with ransomware payment coverage, only 19 percent took out policies with limits greater than the median 2021 ransomware demand of $600,000. Furthermore, half of SMB respondents said they hoped the U.S. government would provide financial support to ransomware victim organizations.
THE BOARDROOM FIGHTS BACK
The cost of cybercrime is estimated to reach $10.5 trillion USD annually by 2025 with a 15 percent yearly increase. During the period from 2021 to 2025, global cybersecurity spending is expected to exceed $1.75 trillion USD.
As Cybersecurity Ventures noted in the Boardroom Cybersecurity 2022 Report, if it were measured as a country, then cybercrime would be the world’s third-largest economy after the U.S. and China.
For years, communication was lacking between defenders and business leaders. Cybersecurity has often been overlooked and neglected, considered the sole responsibility of chief information officers (CIOs) or existing IT teams. In many cases, business growth and operations have taken precedence over cybersecurity risk management.
However, boardrooms now have to take a proactive approach to cybersecurity — and, in particular, the business risks associated with ransomware.
Ransomware is a severe threat to businesses and boards must become cyber-aware. Responsibility starts at the top, and if Gartner is correct, 75 percent of chief executives will become personally liable for cyber-physical security incidents by 2024.
KPMG research suggests that 77 percent of CEOs believe cybersecurity is a strategic function and is now potentially a competitive advantage.
Cybersecurity Ventures predicts that by 2025, 35 percent of Fortune 500 companies will have board members with cybersecurity experience. By 2031, this number will increase to 50 percent.
While some businesses can rely on existing cyberinsurance policies to mitigate the damage caused by ransomware, insurers may decide in the future that specific policies, including ransomware protection, are unviable.
Therefore, it is crucial that businesses now consider introducing new members to their boards who have cybersecurity experience, and take a proactive approach to improve their security posture and reduce the risk of a successful ransomware attack.
– Charlie Osborne, Editor-at-Large for Cybersecurity Ventures, co-authored this report.
Sponsored by KnowBe4
KnowBe4 is the provider of the world’s largest security awareness training and simulated phishing platform that helps you manage the ongoing problem of social engineering. We help you address the human element of security by raising awareness about ransomware, CEO fraud and other social engineering tactics through a new-school approach to awareness training on security. Tens of thousands of organizations like yours rely on us to mobilize your end users as your last line of defense.