In 2020, the average ransomware payment was $312,493—a 171% year-over-year increase. That’s not a small change, but if you’re thinking that your business leaders could stomach that expense to win back control of data, the actual payment is just the start.

There are the extra people-hours that must be devoted to reassuring customers. There are shareholder lawsuits the business must defend. There are outsourced IT and cybersecurity that may need to be deployed. And, in regulated environments, that’s just the start of the additional pain to come.

Now you’re looking at more like $1.85 million. That’s the average bill for rectifying a ransomware attack, including downtime, network cost, and lost opportunities, according to Sophos. And in some industries and at certain times, downtime could cost millions of dollars per minute in lost revenue alone. Below, I’ll line up some of the more unexpected costs associated with recovering from a ransomware attack. Then, I’ll share ways to deflect attacks and minimize the impact of an attack if your organization becomes a victim.

Where the Money Goes After a Ransomware Attack

The price of ransomware almost always amounts to more than the cost of the ransom. New York’s Erie County Medical Center was hit by a massive ransomware attack in 2017, according to the Buffalo News. Hospital officials said the costs of getting the hospital’s computer systems back up and running were about $10 million. (The attackers requested a ransom of $30,000, which the hospital did not pay.) Here’s where the $10 million went, as the Buffalo News reported:

  • New hardware and software
  • Third-party cybersecurity consultants
  • Staff overtime pay
  • Lost revenues during system downtime
  • Ongoing costs of $250,000 to $400,000 a month for upgraded technology and employee education to reduce the risk and impact of future attacks

The list goes on. Organizations hit by ransomware attacks may also have to pay for:

  • Shareholder lawsuits
  • Regulatory compliance lawsuits and fines
  • Increased insurance premiums (or possible cancellation)
  • Loss of intellectual property
  • External media relations

How to Minimize Costs from a Ransomware Attack

The most important strategy for avoiding the giant bill for ransomware recovery is to avoid getting attacked in the first place. It’s better to prepare for the worst and assume it may happen. You need an advanced recovery strategy that helps you get back to business promptly and cost-effectively, without teams of consultants and a complete hardware and software overhaul.

  1. Back up your data and frequently test your backups. If you’ve made an external backup of your files, you should still have access to your data if cybercriminals try to steal and hold it hostage. But what about the speed of your recovery? Regularly testing your backups—which too many organizations don’t do—can help ensure backups are actually recoverable and how quickly they can be restored. Read this post for a closer look.
  2. Adopt tiered security architectures. Talk with your CISO about the value of tiered security architectures and “data bunkers,” which can help retain large amounts of data and make it available immediately. Tiered backup architectures use different logical and geographic locations to meet a wide range of backup and recovery needs, thereby improving the accessibility and speed of data recovery.
  3. Create immutable data snapshots. Ransomware attackers are more often going after your backups to really put you in a bind. Pure’s multifactor-authenticated, immutable SafeMode™ snapshots can’t be edited or deleted even if admin credentials are compromised—effectively giving ransomware attackers no backups to ransom.
  4. Confirm what your cyber insurance covers—and what it doesn’t. Make sure you know and understand the limitations and coverages provided by your policy, what you have to do to use your coverage, and how long it will take for your insurer to engage.
  5. Double down on compliance and data retention and deletion policies. I mentioned how costly compliance and regulatory fines can be when data you’re hanging on to is compromised during an attack. Data retention and deletion policies can help you make a plan for what data is worth retaining, what should be deleted or anonymized, and how you can minimize what you have on hand. Brush up on data retention and deletion policies.