Ransomware attacks on US businesses cost $20.9bn in 2020

In 2020, 186 ransomware attacks on US businesses resulted in the theft and/or misuse of over 7 million individual records. We estimate that these attacks cost businesses almost $21 billion in downtime alone. Most businesses will have also been subject to huge recovery costs, lost revenue, and lack of customer confidence post-attack.

Through our investigation, we found that the average business lost 9 days to downtime and around two-and-a-half months to investigations in 2020. And that’s perhaps why 2021 has already seen some huge ransom payouts ($62.4m paid to hackers in just 5 attacks).

Many cybercriminals now unleash double-extortion attacks that steal data from a system prior to encrypting it. When faced with downtime and data loss, million-dollar ransom payouts might be seen as the wiser option. Paying the ransom can be an attractive proposition for businesses looking for a quick fix. They can pay for the decryption key for their systems and prevent customer data from being published.

Over the last few years, ransomware attacks on businesses have increased at an exponential rate (we noted a 245 percent increase from 2019 to 2020). They take down key systems, disrupt operations, and even result in businesses having to close their doors permanently. Plus, as noted above, the double-dip attacks where customer data is also stolen put businesses under even more pressure.

In the first six months of 2021, over 22 million individual records had been impacted in 91 separate ransomware attacks. That’s over three times the number of records affected in the entire year of 2020, suggesting 2021 is going to be unprecedented for ransomware-led data breaches in particular. This is especially likely given that data breach figures are often reported months after an attack.

So, what is the true cost of these ransomware attacks for US businesses, how has the ransomware threat changed over the last few years, and what do 2021’s figures suggest for the year ahead?

To find out, our team of researchers gathered information on all of the ransomware attacks affecting businesses since 2018. However, many entities are reluctant to disclose ransomware attacks, especially when ransom amounts have been paid. It is often only when the business has to acknowledge the breach due to disrupted systems or lost data that information about the attack is released to the public. If the latter is the case, these reports will have been included in our study.

Our team sifted through several different resources—specialist IT news, data breach reports, and state reporting tools—to collate as much data as possible on ransomware attacks on US businesses. We then applied data from studies on the cost of downtime to estimate a range for the likely cost of ransomware attacks to businesses. Due to the limitations with uncovering these types of breaches, we believe the figures only scratch the surface of the problem.

Key findings

In 2020:

  • 186 individual ransomware attacks on businesses–a 244 percent increase from 2019 (54)
  • 7,001,937 individual records affected–a 763 percent increase from 2019 (811,011)
  • Ransoms varied from $500,000 to $21 million
  • Downtime varied from minimal disruption (thanks to frequent data backups) to months upon months of recovery time
  • On average, businesses lost nine days to downtime and spent 76 days recovering from the attack
  • Hackers received at least $17.3 million in ransom payments
  • The overall cost of these attacks is estimated at around $20.86 billion
  • Service-based businesses were the most heavily targeted, accounting for 24 percent of all attacks. These were followed by computer/technology (16 percent) and manufacturing (14 percent) companies
  • Maze was the most frequently quoted type of ransomware used, accounting for 28 percent of all attacks (where the ransomware type was disclosed)

Which state had the most ransomware attacks on businesses in 2020?

It is perhaps no surprise that the most populated state in the US, California, also had the most businesses hit with ransomware attacks in 2020. With 25 in total, California businesses suffered significantly more attacks than second-place New York (16).

New York was closely followed by Illinois (13), Florida (12), and Massachusetts (11).

Based on the number of records affected by the ransomware attacks on these businesses, the most heavily affected state changes. However, we must note that the number of records impacted within a business may stretch further than the state in which the business is headquartered. But, as individual figures for each state are rarely available, the number of records is assigned according to the headquarters’ state.

Illinois, the state with the third-highest number of ransomware attacks, had the most records impacted, over 2.8 million in total. The vast majority of these records (2.79m) were part of the attack on Arthur J. Gallagher & Co. The international insurance broker was targeted in September but failed to inform customers whose data was stolen for eight months. As a result, the company has had a class-action lawsuit filed against them.

The number of records affected in Illinois was twice second-place Minnesota’s (1,454,413). Illinois and Minnesota were the only states with over 1 million records impacted. Utah had the third-highest with just over 760,000.

Due to the high number of records involved in the attacks across these three states, Minnesota, Illinois, and Utah also had the highest percentage of their populations affected by ransomware attacks. Each had 26, 22, and 24 percent of their populations impacted by ransomware attacks on US businesses in 2020 respectively. These figures are significantly higher than the average percentage of each state population affected–1.9 percent.

How much did these ransomware attacks cost US businesses in 2020?

As mentioned previously, ransom demands varied dramatically from $500,000 to $21 million. Plus, only a handful of providers publicly release the figures involved (we could only find ransom demands for 11 out of the 186 attacks). Understandably, organizations don’t want to discuss ransom amounts or whether they have paid these as it may incentivize further attacks.

What we do know, however, is the following:

  • Garmin is believed to have paid a $10 million ransom to free up its systems after its US subsidiary revealed a ransomware attack on July 23, 2020
  • Travel firm CWT paid a $4.5 million ransom after 30,000 computers were knocked offline in July 2020. Although astronomical, the ransom paid was under half the initial $10 million demanded by the hackers
  • NetGain technologies paid a $2.3 million ransom for decryption keys after its attack in November 2020. But that wasn’t before nearly 1.5 million (and counting) records were affected through multiple entities that use the technology
  • Communications & Power Industries paid the lowest known ransom from last year ($500,000) after an attack infiltrated all computers including on-site back-ups. Despite paying the ransom, the company still wasn’t operating at full capacity nearly two months later

Adding in downtime

While few businesses reveal whether or not they paid the ransoms and how much was involved, the downtime and investigative periods that arise because of these attacks are more frequently reported. This is due to businesses often having to shut for several days and/or systems being down for long periods of time.

As we have already seen, servers may be taken offline for hours, weeks, or months. And in some cases, data, computers, and even businesses are unrecoverable.

According to the figures we did find (for 38 out of 186 attacks), businesses suffered an average downtime of 9 days in 2020. But the investigation process lasted 58 days. Downtime relates to businesses being shut and/or services being largely unavailable, while the investigation period is the time it takes the business to look into the attack and find out just what impact it had and what data/systems were affected.

Based on these figures, ransomware attacks may have caused 340.5 days of downtime and 4,414 days of investigations in 2020.

So how much could this have cost businesses?

A 2017 estimate places the average cost per minute of downtime at $8,662 (across 20 different industries). This would mean the cost of downtime to US businesses in 2020 was around $20.9 billion. This is over $13 billion more than 2019’s figure ($8.2 billion) and over 5 times 2018’s figure of $4.05 billion.

Even though these figures may seem extremely high, they are in line with publicly revealed figures from businesses. For example, Cognizant said it lost $50 to $70 million in revenue and margin after its April 2020 attack, Forward Air Corporation said its business impact was $7.5 million, and Steelcase said it had $60 million worth of shipments delayed due to its October 2020 attack, resulting in a $6 million loss. And more recently, CompuCom revealed it suffered a $20 million cost for recovery on top of $5 to $8 million in lost revenue following the attack on its systems in March 2021.

Key findings from January 2018 to June 2021:

Our team has logged ransomware attacks from January 2018 to June 2021. During this time:

  • 356 separate individual ransomware attacks have been carried out on businesses
  • Nearly 30 million records have been stolen, lost, or affected due to these attacks
  • Businesses have suffered an estimated 3,491 days of downtime due to ransomware attacks with around 22,300 days spent on post-attack investigations
  • 14 businesses revealed the amount involved in their recovery efforts with over $161.5 million spent by these entities in total. This is an average of over $11.5 million
  • Ransom requests varied from $5,500 to $40 million
  • Hackers have received at least $80 million in ransom payments
  • Hackers have requested at least $159 million in ransom payments with the average request being $6.4 million
  • We estimate that downtime has cost businesses over $43.5 billion with potential recovery costs adding millions (if not billions) to the total

How does 2020 compare to previous years?

Ransomware within businesses really accelerated in 2020 in complete contrast to the trends we saw in our education and government studies on ransomware. But it does follow a similar pattern to the number of ransomware attacks we saw on US healthcare organizations (a 60 percent year-on-year increase from 2019 to 2020).

So why were businesses and healthcare organizations the target for ransomware attackers in 2020?

If we look at the above table we can see that things really start to take off from May onward in 2020–not long after the start of the pandemic. As many schools and government entities shut down, infiltrating systems perhaps became harder for hackers. But as healthcare organizations and businesses tried to continue throughout (but under an increased amount of pressure), these were likely a far easier target for attacks. They could ill afford a system shutdown and with more employees logging in from home, networks and systems were left more vulnerable to attack.

  • Number of attacks
    • 2021 (to June) – 91
    • 2020 – 186
    • 2019 – 54
    • 2018 – 25
  • Number of records affected:
    • 2021 (to June) – 22,077,964
    • 2020 – 7,001,937
    • 2019 – 811,011
    • 2018 – 51,469
  • Average downtime:
    • 2021 (to June) – 9.7 days
    • 2020 – 9 days
    • 2019 – 11.3 days
    • 2018 – 13 days
  • Average investigation time:
    • 2021 (to June) – 49 days
    • 2020 – 76 days
    • 2019 – 60 days
    • 2018 – 18 days
  • Downtime caused (known cases):
    • 2021 (to June) – 242.25 days (25 cases)
    • 2020 – 340.5 days (38 cases)
    • 2019 – 249 days (22 cases)
    • 2018 – 65 days (5 cases)
  • Estimated downtime caused (based on known cases and average in unknown):
    • 2021 (to June) – 882 days
    • 2020 – 1,673 days
    • 2019 – 611 days
    • 2018 – 325 days
  • Estimated cost of downtime:
    • 2021 (to June) – $11bn
    • 2020 – $20.86bn
    • 2019 – $7.6bn
    • 2018 – $4bn

How is 2021 looking for ransomware attacks on businesses?

If the second half of 2021 sees the same number of attacks as the first half (91), 2021’s figures will be in line with 2020’s–over 180 individual ransomware attacks. However, with many attacks often revealed weeks or months after they’ve happened, these figures are likely to rise even higher over the coming months, suggesting 2021 will be a record-breaking year for ransomware attacks on US businesses.

What’s more, vast ransom payments have already been made this year, downtime is on the rise (nearly a day longer than 2020), and the number of records affected in just six months of 2021 was three times higher than 2020’s full-year figure.

With many of these figures likely to rise as the true extent of attacks is revealed, the cost to businesses looks set to be even higher, too.

Methodology

Our research found 356 ransomware attacks in total. From this, we were able to ascertain how much ransom had been demanded, how much had been paid, and how much downtime had been caused as a result of the attacks. We then used the figures we were able to find to create estimates (an average per year) for the amount of downtime caused by a ransomware attack and applied this to the businesses where no downtime figures were available. Using an average cost per minute of downtime ($8,662) from a recent report, we were then able to create estimates for how much business closures and severe disruptions may have cost. This only took into consideration the amount of downtime businesses suffered due to ransomware attacks–it does not cover the recovery period and expenses that follow.
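The estimate described above can be reproduced, to within rounding, from the year-by-year figures published in this report. The following is an added example, not the researchers' own code: the function and variable names are assumptions, the inputs are copied from the report's list, and the "extrapolated share" column goes one step beyond the text to show how much of each yearly estimate rests on the average rather than on disclosed downtime.

```python
"""Reproduce the report's downtime-cost estimate from its own per-year figures.

Added illustration; all function and variable names are hypothetical.
"""

COST_PER_MINUTE = 8_662          # USD, the average cost per minute the report cites
MINUTES_PER_DAY = 24 * 60

# year: (attacks, cases with known downtime, known downtime days, average days)
# All four columns are copied from the report's year-by-year list.
REPORTED = {
    "2018": (25, 5, 65.0, 13.0),
    "2019": (54, 22, 249.0, 11.3),
    "2020": (186, 38, 340.5, 9.0),
    "2021 (to June)": (91, 25, 242.25, 9.7),
}

def estimated_downtime_days(attacks, known_cases, known_days, avg_days):
    """Known downtime plus the yearly average applied to undisclosed cases."""
    if known_cases > attacks:
        raise ValueError("known cases cannot exceed total attacks")
    return known_days + (attacks - known_cases) * avg_days

def downtime_cost_usd(days):
    """Convert days of downtime into a cost at the per-minute rate."""
    return days * MINUTES_PER_DAY * COST_PER_MINUTE

def extrapolated_share(attacks, known_cases, known_days, avg_days):
    """Fraction of the estimate that rests on the average, not on reported data."""
    total = estimated_downtime_days(attacks, known_cases, known_days, avg_days)
    return (total - known_days) / total

def summary():
    """Return {year: (estimated days, estimated cost in USD, extrapolated share)}."""
    rows = {}
    for year, fields in REPORTED.items():
        days = estimated_downtime_days(*fields)
        rows[year] = (days, downtime_cost_usd(days), extrapolated_share(*fields))
    return rows

if __name__ == "__main__":
    for year, (days, cost, share) in summary().items():
        print(f"{year:15} {days:8.1f} days  ${cost / 1e9:6.2f}bn  "
              f"{share:5.1%} extrapolated")
```

Because only a minority of attacks in each year disclosed downtime, most of every yearly total comes from the extrapolated cases, so the headline cost is sensitive to the average downtime figure used.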

Where possible, we have assigned the attack to the month in which it happened. However, in some cases, the attack may have been assigned to the month in which it was reported due to a lack of data.

Investigation times are only recorded if clearly stated within the data breach notification letter or a company statement. Investigation times are not calculated based on the difference between the date of the attack and the date of the breach notification as letters aren’t always released immediately after the investigation is concluded.

Ransomware attacks may occur on a third-party provider with breach record figures coming from one or more of their impacted clients, but the ransomware attack is classed as “one.” NetGain is an example.

Where possible, we have tried to find the full number of people affected by the attack. However, in some cases, the only figures available are the number of people affected in a particular state. Nevertheless, the number of records affected is assigned to the state in which the business (or its head office) is located.

Data researchers: George Moody, Rebecca Moody

For a full list of the breaches and their relevant sources, please request access here.