ARN

Ransomware costing Australia up to $241M

Minimum cost calculated at $60M

Ransomware attacks in Australia have cost businesses and the public sector up to $241 million in 2019, according to a new report.

Last year, both enterprises and government agencies counted costs of roughly $1.6 billion in downtime as the number of attacks skyrockets globally.

At a minimum, the effect of ransomware -- malware that blocks an organisation's access to their system unless a ransom is paid -- has netted Australia $60 million in costs.

However, a report by security firm Emsisoft, estimated the cost could stand far higher at $241 million. The report, The cost of ransomware in 2020, claimed organisations faced an average of 16 days' downtime in the event of an attack. 

Due to the limited nature of ransomware numbers, the figures presented are “almost certainly significantly understated” for both the cost of ransomware and the resulting impact on downtime, the report claims.

“While the above costs may seem extraordinarily high, it should be remembered that ransomware incidents can be exceptionally expensive,” the report noted, citing the March 2019 ransomware attack of Norwegian aluminium company Norsk Hydro as an example.

This particular case saw ransomware-related losses estimated at over U.S.$50 million.

The report based its findings on submissions to ransomware identification service ID Ransomware during 2019, with the removal of STOP ransomware submissions, cutting down the submissions by half, as it has a below-average ransom demand and mainly impacted residential users.

The figures are also based on the assumption that approximately 25 per cent of public and private sector organisations affected by ransomware use ID Ransomware to report the attack. The minimum cost is based on the relevant half of submissions and the estimated cost is based on that minimum cost multiplied by four.

As for the estimated downtime costs, the report mentions they were unable to find a “reliable estimate” and have used what Emsisoft labelled as a conservative figure of U.S.$10,000 per day. 

“This figure that has no basis in reality and we have included it simply to illustrate the enormity of the costs. The actual costs are almost certainly much higher,” the report noted.