The Real Costs of Ransomware: Hidden Costs

As threat actors continue to target organizations, the direct costs of a ransomware attack are often easy to calculate. For the most part, news outlets will report the ransom requested and the amount paid. However, organizations that get hit with a ransomware attack know that the reported amounts are only a small portion of the total costs. When trying to place a value on the real costs of a ransomware attack, the hidden costs are just as important as the direct costs. 

Crisis Communications

Effectively communicating with internal and external stakeholders after a ransomware attack happens is fundamental to managing your reputation risk. However, if you’ve never had to do this before, you likely have little knowledge around all the time, financial, and workforce resources you need. 


Benjamin Franklin once said, “an ounce of prevention is worth a pound of cure.” If he hadn’t died in 1790, you might think that he was talking about ransomware, not fighting fires. 

Preparing your crisis communications team means:

  • Setting out a clear plan for each phase of incident response including pre-, during, and post-crisis
  • Appointing and preparing spokespeople
  • Identifying audiences, including employees, customers, shareholders, executive leadership team members, news outlets, business partners, and the public
  • Identifying communication channels, including website, news outlets, and social media

When thinking about how to calculate costs, it’s important to consider the following:

  •  2 hours to draft a plan
  •  2 hours to prepare a spokesperson in advance
  • 2 hours to identify audiences and communication paths

According to Sonia Awan, a public relations (PR) professional, the average hourly fee most companies charge is anywhere between $60-$100/hour. 

Additionally, according to one report, the average CISO salary is $145,667. Assuming a 50 week year, that equates to approximately $73 per hour. 

This means that the preparation costs, at minimum:

  • PR firm: $360 (involved in all three steps)
  • Spokesperson preparation: $146
  • Total: $506. 

The Direct Aftermath of the Attack

While your security team works around the clock to restore services, your crisis communications team is also working nearly around the clock. 

In general, this team works on some of the following types of communications:

  • Blog posts
  • Press releases
  • Social media posts
  • Written press inquiries
  • Messaging and preparing spokespeople for video and audio media inquiries

A crisis communications team can spend an average of 4-6 hours per day until you resolve the ransomware attack and restore systems. Your designated spokesperson will spend an average of 4 hours, although they should remain on call. Internally, your Communications and Social Media Manager will be handling blog posts and social media. The average annual salary in this position is $68,820. Assuming a 50 week year, that equates to $34/hour. 

According to one article, more than half of organizations say it would take them at least five days to fully recover from a ransomware attack. With that in mind, the crisis communications in the direct aftermath cost, at a minimum:

  • PR Firm: 5 days x 4 hours/day x $60/hour = $1200
  • Spokesperson: 5 days x 4 hours/day x $73/hour = $1460
  • Internal communications: 5 days x 8 hours/day x $34/hour = $1360
  • Total: $4020

Long Term Crisis Communications

The problem with a ransomware attack is that managing the communications doesn’t stop after you pay the ransom. According to Awan, PR teams spend an average of 4 hours per day over the next three months monitoring continued mentions in the news and talking to the IT team. 

Assuming four weeks in a month, calculating the long term costs of crisis communications then looks like this:

$14,400 = 60 working days x 4 hours/day x $60/hour

In other words, paying the ransom doesn’t mean you’re entirely out of the crisis. 

Legal Costs

Every data breach encompasses legal costs at some point. As part of your ransomware cost analysis, you need to consider the impact that legal defense and settlement costs have on your bottom line. 

While the NetDiligence 2020 Cyber Claims Study doesn’t focus on ransomware specifically, it does provide insights into the average legal costs associated with data breaches between 2015 and 2019, noting the following:

  • $1.4 million: Defense costs for large companies
  • $61,000: Defense costs for Small and Midsize Enterprises (SMEs)
  • $2.6 million: Settlement costs for large companies 
  • $134,000: Settlement costs for SMEs

Regardless of size, legal costs arising from data breaches can be equal to or more than the ransom itself. 

Insurance Costs

The insurance industry continues to increase premiums as ransomware attacks continue to hit the news cycles. A look at the Commercial Property/Casualty Market Index reports from the Council of Insurance Agents & Brokers (CIAB) shows the impact that ransomware has had on the market over the last year. 

For example, over the course of 2020, premiums had the following quarter-over-quarter increases:

  • Q2: 4.4%
  • Q3: 7.7%
  • Q4: 11.1%

The report notes that 66% of respondents also noted increased cyber insurance claims in Q4 2020, corresponding with the rise in premiums. Moreover, according to one respondent, some carriers started quoting coinsurance or sublimits for ransomware.

This increase continued into Q1 2021 with the newest report noting an average cyber insurance premium increase of 18%. 

Finding research related to how a ransomware attack increases an organization’s insurance premium is difficult. However, an argument can be made that after experiencing an attack a company’s insurer would be likely to increase the rates or require additional coverage, self-insured retention, higher deductible, or sublimits. 

Reputation Costs

Customer churn is one way to calculate the impact that a ransomware attack has on your company. Some statistics from a 2020 Arcserve report shows that customers are more aware of ransomware attacks than ever. 

For example, the report found that respondents take action and share their experiences with others: 

  • 37%: Switch to a competitor if they can’t access services within 24 hours
  • 45%: Share negative experiences with family, friends, or colleagues
  • 23%: post negative reviews or share experiences on social media
  • 28%: view the company as less trustworthy and reliable

The problem with these soft costs is that it’s hard to translate them into dollars. However, a look at stock prices can provide some visibility into this relationship. People buy stocks based on their subjective perception of corporate strength. This means that the impact a data breach has on a company’s stock prices provides some insight into how reputation impacts financial bottom line. 

A 2021 article notes that, on average, stock prices fell after a data breach:

  • -3.5%: 110 days after a breach
  • -8.6%: 1 year after a data breach
  • -11.3%: 2 years after a data breach
  • -15.6%: 3 years after a data breach

The report also notes that the stocks underperformed the NASDAQ:

  • -3.5%: 110 days after a breach
  • -8.6%: 1 year after a data breach
  • -11.9%: 2 years after a data breach
  • -15.6%: 3 years after a data breach

Even if your company isn’t listed on the stock market, these metrics provide some insight into how people make choices with their wallets after a data breach. 

Business Interruption Costs

Because ransomware encrypts data, it interrupts employees’ ability to do their jobs. In fact, data indicates that the average days of downtime continue to increase quarter over quarter. For example, Coveware’s Quarterly Ransomware Reports provide visibility into this shift, noting:

  • Q3 2020: 19 average days of downtime (+19 from Q2 2020)
  • Q4 2020: 21 average days of downtime (+11% from Q3 2020)
  • Q1 2021: 23 average days of downtime (+10% from Q4 2020) 

According to Gallagher’s 2021 Cyber Insurance Market Conditions Report, the average business interruption costs associated with a ransomware attack total $228,000 while the average ransom was $81,000. This means that, on average, business interruption costs were 2.8 times the ransom itself. 

Reducing Hidden Costs with SYTHE’s Attack, Detect, Respond (ADR) 

SCYTHE’s ADR platform gives security teams a way to validate their controls, technologies, and processes. Our platform enables them to train against real-world threats by building unique attack paths or emulating tactics, techniques, and procedures (TTPs) found in the wild. 

This hands-on approach enables teams to fine-tune their security tools and gain the skills needed to reduce Mean Time to Detect (MTTD), Mean Time to Investigate (MTTI), and Mean Time To Recover (MTTR). By reducing the time it takes to discover, investigate, and recover, your organization can reduce some of the most expensive hidden costs associated with a ransomware attack. 

With SCYTHE, security operations teams validate their tools and processes, ultimately validating their ability to respond to threats effectively.


SCYTHE provides an advanced attack emulation platform for the enterprise and cybersecurity consulting market. The SCYTHE platform enables Red, Blue, and Purple teams to build and emulate real-world adversarial campaigns in a matter of minutes. Customers are in turn enabled to validate the risk posture and exposure of their business and employees and the performance of enterprise security teams and existing security solutions. Based in Arlington, VA, the company is privately held and is funded by Gula Tech Adventures, Paladin Capital, Evolution Equity, and private industry investors.