The Real Costs of Ransomware: Direct Costs

Ransomware is a growing problem for organizations of all sizes and it is becoming a national security threat. As threat actors continue to look for new ways to hold companies and data hostage, security teams can  feel like they’re always one step behind. Meanwhile, it is absolutely crucial for companies to understand  how much ransomware costs. In some ways, the costs are obvious. Understanding the direct costs associated with ransomware attacks can help define risk posture more accurately. 

Understanding the Basics of Ransomware

At this point, everyone is familiar with  the word “ransomware,” but not everyone understands why it’s prevalent across all industries and organizations, big and small. . Yes, money is involved. However, not all ransomware attacks are the same, and each leads  to differing cost models. 

A look at some of the tactics

Threat actors prey on two things when engaging in a ransomware attack: human and technical vulnerabilities. 

According to the 2020 Federal Bureau of Investigation (FBI) Internet Crime Report, the most common ways that cybercriminals infect victims with ransomware were:

  • Phishing campaigns
  • Remote Desktop Protocol (RDP) vulnerabilities
  • Software vulnerabilities

Phishing campaigns prey on human vulnerabilities. For example, during the early months of the COVID-19 pandemic stay-at-home orders, many cybercriminals used the pandemic to prey on people’s fears and concerns.

However, the RDP and software entry points focus on technical vulnerabilities. As companies moved to remote work rapidly, they needed to use more cloud technologies, leaving their IT teams overwhelmed. 

A look at some differences

While it would be a lot easier for companies if all ransomware followed the same patterns, it would result in less profits for cybercriminals. In other words, when people say threat actors “continuously evolve their methodologies,” what they really mean is that threat actors keep changing up the ransomware strains they use. 

A February 2021 report by Chainalysis highlights some of these differences:

  • Ransomware strains vary from month to month.
  • Top “earning” strains vary from month to month.
  • Ransomware operators commonly rebrand or change their Ransomware-as-a-Service (RaaS) “provider.”
  • Ransomware varieties often share the same code rather than being entirely new or different.

The rise of RaaS also changes how ransomware attacks occur. RaaS follows a similar model to other “as-a-Service” providers. With RaaS, “affiliates” pay a subscription fee to use the ransomware strain by giving the administrators, or in “as-a-Service” model lingo “providers,” a percentage of the ransom paid by the target company. With RaaS becoming more popular, it’s logical that ransomware attacks will continue. 

The Data Around Ransomware’s Direct Costs

Different resources provide different numbers around the direct costs associated with ransomware. However, it’s important to consider how the different reports look at the numbers. 

Paying the Ransom

Looking at multiple data sources gives you a better understanding of ransomware attack cost. 

The Data Breach Investigations Report 2021 details ransomware costs:

  • $11,150t: Median loss
  • $70-$1.2 million: range of losses for 95% of the cases 

Coveware released a report detailing ransomware payments for Q1 2021:

  • $220,298: Average payment (+43% over Q4 2020)
  • $78,398: Median payment (+59% over Q4 2020)

Sophos’s State of Ransomware 2021 Report details ransomware payment for 2020:

  • $107,694: Average payment for organizations with 100-1,000 employees
  • $225,588: Average payment for organizations with 1,000 - 5,000 employees

Unit42 also released a report detailing ransomware payments for 2020:

  • $312,493: Average payment (+171% year-over-year)
  • $10 million: Highest payment  (+100% year-over-year) 

The FBI Internet Crime Report detailed total losses from ransomware for 2020:

  • $4.2 billion

The Gallagher Market Conditions 2021 report detailed losses from ransomware:

  • $81,000: Average payment for small and mid-size enterprises 
  • 41%: percentage of losses insurer Coalition paid arising from ransomware

These numbers should be concerning for most organizations, especially the ones with systems containing known vulnerabilities. 

Paying the Negotiator

Most companies look to a negotiator for help. By bringing in a negotiator, organizations can reduce the overall ransomware attack costs and expedite the payment process. Threat actors do their research, knowing how to extract the most revenue from their targets so they can turn a profit. 

Hiring a negotiator with ransomware facilitation experience can drastically reduce the ransom payment. . Negotiators often charge a percentage of the ransom payment for their services, similar to lawyers charging a percentage of court settlement in a civil action. Depending on the case and firm, an organization can expect a payment structure like one of these:

  • 10% - 30% of the initial demand 
  • a fixed dollar amount based on the original demand

Be mindful that  some firms have a different type of payment structure. For example, according to Arcas Risk CEO, Rob Fitzgerald:

We charge 10% of the savings, defined as the difference between initial demand and actual payment, not to exceed 50% of actual paid. 

While that sliding scale can sound a bit too fluid, it’s important to keep in mind several things that make the negotiation more difficult and create more  work for the payment facilitator:

  • Data criticality: If the data stolen is high-value to the organization, then the negotiator loses leverage
  • System criticality: Critical systems need to get up and running faster, which will reduce  negotiator leverage. 
  • Exchange volatility: Cryptocurrency markets are continuously in flux meaning that ransom values can change rapidly, impacting demands and responses during the process. 
  • Delivery process latency: Multiple factors can slow down the negotiation process, including crashing cryptocurrency systems, cryptocurrency exchanges locking out users, threat actor personalities, impacted organization leadership goals, or inability to trust threat actors to deliver data.

Ultimately, while the cost of a negotiator is both fluid and added on to the cost, it also reduces the organization’s financial risk. 

Paying the Incident Response Costs

Even with an incident response team, organizations need to consider remediation costs as part of their risk management process. Data around these costs comes from various reports across the cybersecurity industry. 

Calculating these costs in advance is challenging, especially if your current security team is too small to manage the response alone. 

Tenable offers the following formula that incorporates IT teams recovering from the attack:

(((U*hup)*1.3)*DT) + (((A*hap)*1.3)*RT) = incident cost


  • U = the number of infected users
  • hup = average hourly user’s pay
  • 1.3 = overhead rate (use your organization’s rate)
  • DT = hours of downtime
  • A = the number of computer technicians and administrators
  • hap = average hourly technician/administrator pay
  • RT = hours of repair time

In other words, when calculating recovery costs, you need to consider a number of different factors that impact the costs. Of note here, the first half of the equation focuses on lost productivity for the average employee while the second half focuses on the costs associated with remediating the technical issues. 

Breaking this down to just that half can give some insight into estimated costs. Based on Tenable’s small business example, assume the following:

  • RT = 20 hours
  • hap  = $25/hour for a technician
  • A = 5 technician
  • Total Cost: $3250

If the team can expedite the recovery process, then the cost shifts as follows:

  • RT = 4 hours
  • hap  = $25/hour for a technician
  • A = 5 technician
  • Total Cost: $650

Unlike a small organization that might hire hourly technicians, a larger organization might have staff with more cybersecurity skills and pay them accordingly. This means a higher “hourly” rate. Taking that into consideration, the costs for a large organization might look like:

  • RT = 20 hours
  • hap  = $45/hour based on $90,000/year salary 
  • A = 5 employees
  • Total Cost: $5850

If the team can expedite the recovery process, then the cost shifts as follows:

  • RT = 4 hours
  • hap  = $45/hour based on $90,000/year salary 
  • A = 5 employees
  • Total Cost: $1170

 These numbers are variable. For example, Tenable argues that the 1.3 multiplication factor should be adjusted to 1.6 to account for health benefits from full time employees. Meanwhile, salaries may vary. More endpoints to manage increases the number of hours, and ability to detect and investigate a risk will change the amount of time the recovery process takes. 

SCYTHE: Reducing Ransomware Costs with Attack, Detect, and Respond (ADR) Technology

SCYTHE’s ADR platform enables security teams to train against real-world tactics, techniques, and procedures (TTPs). With our easy-to-use platform, security teams can validate their tools and processes, reducing mean time to detect, mean time to investigate, and mean time to recover. SCYTHE’s platform uses a drag-and-drop interface where users can build unique attack paths or emulate attack paths found in the wild. 

With SCYTHE, security operations teams can feel more validated, knowing that they are training themselves against cutting edge methodologies to reduce the likelihood and impact of a ransomware attack. 


SCYTHE provides an advanced attack emulation platform for the enterprise and cybersecurity consulting market. The SCYTHE platform enables Red, Blue, and Purple teams to build and emulate real-world adversarial campaigns in a matter of minutes. Customers are in turn enabled to validate the risk posture and exposure of their business and employees and the performance of enterprise security teams and existing security solutions. Based in Arlington, VA, the company is privately held and is funded by Gula Tech Adventures, Paladin Capital, Evolution Equity, and private industry investors.