Ransomware attacks can cost organizations huge amounts of money, and their frequency is on the rise. Ransoms range from thousands to millions of dollars. If the ransom isn’t paid or the attacker withholds the decryption key, the resulting data loss and downtime can cripple a business.
But how do investors react to ransomware attacks? Do share prices on Wall Street reflect the damage and security posture of attacked companies? In this report, we’ll attempt to answer those questions.
Comparitech researchers analyzed historical share price data of 24 companies listed on the New York Stock Exchange. For each stock, We pulled the closing share prices ranging from six months prior to a ransomware attack being publicly reported up to three years afterward. We additionally broke down the data by the type of malware used, time of the incident, and industry.
Our findings show that Wall Street investors are largely unconcerned with ransomware attacks aside from a very brief sell-off when news of the attack is first published.
Some highlights of our analysis include:
- Share prices plummet 22% on average immediately after a ransomware attack
- The initial dip is short lived. Prices mostly recover within a day, and stocks are back to outperforming the market within 10 business days on average.
- Share prices rose 4.4% on average six months after a ransomware attack, outperforming the NASDAQ by 11.2%
- Of all the strains we examined, Ryuk ransomware had the largest negative impact on share price
- Although tech companies’ share prices suffered a larger initial drop following public disclosure of an attack, they outperformed non-tech companies 6 months after
The negative impact on share price following a data breach is extremely shortlived. Share prices plummet 22.9% in the 24 hours following public disclosure of an attack. That’s a big drop, but prices recover almost immediately the next day, and by day 10, are performing better on average than they were prior to the attack.
Six months prior to attack, the average share price of the companies we examined fell about 4.4%. Six months after, prices rose by 11.9%, showing that the average share price actually improved following a ransomware attack.
Strain of malware
We wanted to know if the strain of malware has any influence on share price. This might suggest that certain strains of malware has a more severe impact on a company.
Maze, Ryuk, and REvil were the most common strains of malware used in the attacks we examined. Each strain is maintained by a different group of hackers, but can also be used by others who purchase or steal it from them.
Maze ransomware is known for exfiltrating data before encrypting it. It can do so automatically, without manual input from the attacker. This gives the attackers extra leverage and the option to double dip; they can threaten to sell or leak data online if the victim doesn’t pay up.
Companies hit by Maze ransomware fared quite well. They still experienced an initial drop in share price, but at the end of six months they outperformed the market and prices ballooned 42% on average. This might seem counterintuitive because Maze attacks usually steal data on top of encrypting it, compounding the effects of the attack. But as we mentioned before, Wall Street does not seem too concerned about cyberattacks in general.
Ryuk is designed to target enterprise-scale Windows systems. Once it gains access, usually via phishing, it’s self-spreading and can defeat many malware countermeasures. Because it targets big organizations, attackers who use it usually demands big ransoms. In addition to private companies, it also targets government agencies, schools and hospitals. Although Ryuk doesn’t always steal data before encrypting it, hackers can use it manually to do so.
Share prices of companies hit by Ryuk suffered far more than those hit by Maze. Share prices fell nearly 44% initially, and although they recovered, at the end of six months, the average share price was about 41.8% lower.
Due to lack of data, we grouped all of the other types of ransomware together: Conti, Network, ProLock, RagnarLocker, RansomExx, REvil, Snake, and WastedLocker.
On average, share prices dropped 16.8% the day following a breach, and soon recovered. By the end of six months, prices were up 10.3%
We don’t have a big enough sample size to make statistical observations about whether specific types of companies suffer more from cyber attacks than others. But we can loosely divide the companies into technology and non-tech companies.
The tech companies we examined include device manufacturers, data center operators, software developers, and managed IT services. You might expect that tech companies’ share prices would suffer more than non-tech companies because, well, they’re supposed to be good at this sort of thing, right?
Indeed, the initial drop following public disclosure for tech companies is greater: -25.8% compared to -19.8%. But at the end of six months, prices had risen 17.4% for tech companies, outperforming non-tech companies’ 5.9% average increase.
If the market is any indication, Wall Street knows cybersecurity is a good investment. Cybersecurity stocks rallied over the summer, driven in part by headlines about ransomware attacks and data breaches.
But that sentiment isn’t mirrored when a company gets attacked. Despite data loss, downtime, and possibly paying a ransom or fine or both, share prices for attacked companies continue to outperform the market following a very brief drop. Even cybersecurity firms themselves seem insulated from any prolonged dip in share price when their own cybersecurity fails in the face of a ransomware attack. The exception is Ryuk ransomware, which had a more severe negative impact on share price than other types of ransomware.
Data breaches have a larger and lengthier negative impact on share price than ransomware, according to our other study, but only marginally so. And bear in mind that these two attacks are often combined.
We analyzed the share prices of 24 NYSE-listed companies that suffered successful ransomware attacks in which company-owned data was encrypted. One company ($PBI) suffered two ransomware attacks, for a total of 25 attacks analyzed.
Given that stock share prices prices fluctuate with investor sentiment, we chose to pull historical closing share prices based on the date that the attack was first reported to the public: six months prior to public disclosure and up to three years after. Most incidents are younger than three years old, and hence have less data, so most of our analysis is focused on the six months post-incident.
First we examine whether share prices increase or decrease, giving us a crude idea of how share prices behave on average. But this method fails to account for broader market forces that might have caused share prices to fall or climb, such as a recession or market boom.
To control for this, we also compare each stock’s closing price history with a general NASDAQ index over the same period of time. We then calculate the difference in performance between each stock and the NASDAQ, which gives us a more accurate impression of share price performance following a ransomware attack. Here’s the math:
(((Share price on day X after breach)/(Share price on day prior to breach)-1)100) – (((NASDAQ prices on day X after breach)/(NASDAQ price on the day prior to breach)-1)100)
Some of the questions we wanted to try to answer included:
- Does ransomware have any effect on share price?
- If so, how much?
- If so, does the effect last, and for how long?
- Does strain of ransomware or industry of the attacked company affect the answers to the above questions?
Historical share price data for all companies was downloaded in August 2021. All of the attacks occurred between 2019 and mid 2021.
Stock exchanges are only open on business days, which means no weekends or holidays. Here’s a quick reference that roughly converts business days to total time:
- One year: 253 business days
- 9 months: 198 business days
- 6 months: 132 business days
- 3 months: 66 business days
- 1 month: 22 business days
- 1 week: 5 business days
While we use daily means to present our findings in this article, we additionally include polynomial trend lines in our visualizations to better represent the data.
In addition to share price performance, we also wanted to examine share price volatility. We found the average volatility increased from 1.97% in the six months prior to attack to 2.82% in the six months after. Share prices were indeed more volatile after a ransomware attack on average.
To calculate volatility, we first converted the absolute values of closing price changes to percentage changes for each stock. We then took the percent average of the closing price changes every 10 business days (this corresponds to 14 days, or 2 weeks) for 6 months prior and 6 months after news of the attack was published.
Here’s the formula:
SUM[ (P(i) – P(i-1)) / P(i-1) ] / n
- P = Stock Close Price
- n = 10 (number of days in the selected timespan)
- i = 0 to 10, sequentially
Our researchers note that if we change the parameters of this calculation, e.g. changing the timespan or the calculation method, this result can easily be reversed.
Sample size is the biggest limitation in this study. Not many NYSE-listed companies have successful ransomware attacks on public record.
As with any financial market study, a huge slew of factors could affect stock price which we cannot account for. While we’ve tried to minimize blindspots by comparing share price performance against that of the NASDAQ, there are bound to be some unexplained inconsistencies.
Ransomware attacks are often accompanied by data breaches. A data breach or some other cybersecurity misstep could have a separate impact from that of the ransomware that is not reflected in the data. For more info, read our report on how data breaches affect stock market prices.
Quarterly financial reports could have an impact on share prices that also results from ransomware. Companies might reveal information that influences investors in a requisite quarterly report, such as damages resulting from ransomware and investments in data security. Because we analyze historical data based on the date that a ransomware incident is reported, the impact of a financial report released months later would not be reflected in our findings.
Although our performance analysis starts on the day of disclosure, ransomware attacks often begin days or weeks earlier. It’s possible that some investors found out about an incident and swayed the share price prior to public disclosure.
In some incidents, the success of the ransomware attack is limited, disputed, or unknown.
Unless expressly stated, we do not know whether ransoms were paid. Many companies who do pay ransoms prefer not to diclose whether they did so or the amount so as not to encourage more attacks.
The ransomware attacks we analyzed
Below are the companies we examined as well as some basic details and sources regarding their respective ransomware attacks:
Arthur J Gallagher ($AJG)
Insurance broker Arther J. Gallagher & Co reported a ransomware incident on September 26, 2020 hit its internal systems. The company in an SEC filing said it took its systems offline. Reports indicate full functionality wasn’t restored for at least three days. We do not know what type of ransomware was used. The company did not say it paid the ransom.
One of the most far-reaching ransomware attacks in history, cloud software supplier Blackbaud was attacked by ransomware in May 2020. Attackers stole and encrypted data belonging to many of the 25,000 organizations across 60 countries using Blackbaud services. Many hospitals and schools were affected.
Blackbaud elected to pay the ransom—an unknown amount—and failed to notify the relevant data authorities in a timely manner or with sufficient information, resulting in a class action lawsuit.
The maker of alcoholic beverages like Jack Daniel’s and Finlandia, Brown-Forman, was targeted by REvil hackers who infiltrated its systems for more than a month. Although Brown-Forman says it was able to intervene before its data was encrypted, the hackers claimed to have stolen a terabyte of data, including employee information.
The Maze ransomware group infiltrated Canon’s network from July 20 to August 6, 2020. They claim to have stolen 10TB of confidential employee information dating back 15 years, including Social Security numbers, financial account numbers, and electronic signatures.
The ransomware crippled Canon’s email system, US website, Microsoft Teams, and other internal applications.
Carnival Corp ($CCL)
On August 15, 2020, hackers accessed guest, employee, and crew information of three Carnival Corp cruise line brands and its casino operations. An undisclosed strain of ransomware encrypted some of Carnival’s IT systems and data. The company suffered three major cybersecurity incidients in a 12-month span of time, this being one of them.
The Maze ransomware group launched an attack on cybersecurity insurance company Chubb in March 2020. Chubb stated the company had no evidence the attack affected Chubb’s own network. However, Maze claimed to have encrypted its systems and threatened to release stolen data if the ransom wasn’t paid. To date, the allegedly stolen data has not been published.
Cognizant Technology Solutions ($CTSH)
IT managed services company Cognizant was hit by hackers wielding Maze ransomware in April 2020. The company emailed clients to warn them so they could disconnect from Cognizant’s network before the malware spread. Cognizant stated that some unencrypted data was stolen, including employee Social Security numbers, tax IDs, and other financial info might have been stolen. Although Maze ransomware was reportedly used, the Maze ransomware group denied being behind the attack.
IT services firm Conduent failed to patch a known vulnerability in software made by Citrix, which was exploited by the Maze ransomware group on May 29, 2020. The gang posted stolen financial data from Conduent as proof. Conduent stated its European operations were partially interrupted, and that systems were restored on the same day.
Data center company CyrusOne was attacked with the REvil ransomware in December 2019. Six of its managed service customers experienced availability issues due to the encryption, the company said.
Customs broker and freight forwarder Daseke was targeted by the Conti ransomware group in October 2020. The group claimed to have stolen data from Daseke’s subsidiary, E.W Wylie, which they posted online. Daseke said the attack did not impact operations, but that an unauthorized party did attempt to gain access to “select servers”.
Diebold Nixdorf ($DBD)
ATM maker Diebold Nixdorf on April 25, 2020 was hit with a ransomware attack that affected more than 100 of its enterprise customers. The attackers used ProLock ransomware.
DXC Technology ($DXC)
Insurance software maker DXC Technology runs a managed IT services business in Australia called Xchanging. In July 2020, an undisclosed strain of ransomware caused an outage for many Xchanging enterprise customers.
Emcor Group ($EME)
Fortune 500 construction company Emcor was hit by Ryuk ransomware on February 15, 2020. The incident wasn’t disclosed until three weeks later. The company has been tight-lipped about the incident. Reports indicate no data was stolen but some systems were affected and had to be taken offline.
Entercom Communications ($ENT)
Attackers demanded radio conglomerate Entercom pay half a million dollars in exchange for decrypting its systems. The ransomware attack brought down email, billing, and shared network drives at the company.
Data center company Equinix acknowledged a ransomware attack in September 2020 by the Netwalker group, who demanded $4.5 million. A screenshot posted by the hackers indicates the hackers may have stolen data containing employee financial records, among other information.
GPS gadget maker Garmin suffered a WastedLocker attack on its website, customer support, and apps. Although the company did not confirm it, reports suggest it paid $10 million to decrypt its systems. It says no user personally identifiable information was affected.
Honda Motor Co ($HMC)
Snake ransomware, a.k.a. Ekans, was used to attack Honda‘s company network in June 2020. The attack disrupted Honda’s global network and factory operations. Honda says none of its data was stolen.
IP Photonics ($IPGP)
A RansomExx infection shut down IP Photonics IT systems worldwide in September 2020. The laser developer and manufacturer makes weapons for the US military, as well as lasers for medicine and construction.
In its quarterly SEC report, Mattel disclosed it was the victim of a ransomware attack that took place on July 28, 2020. The attack encrypted data on a number of the company’s systems, which temporarily impacted its business functions. No data was stolen, according to the company. The strain of malware was not disclosed.
Semiconductor manufacturer MaxLinear disclosed a ransomware attack impacted its IT systems in May 2020, and that hackers had access to the system since mid-April. The attack was disclosed in the company’s June quarterly SEC report. Attackers were able to access employee personal information including Social Security numbers. No interruptions were caused, according to the company.
Pitney Bowes ($PBI)
Package and mail delivery company Pitney Bowes is the only company on this list with two ransomware attacks on record. It suffered both attacks in a seven-month span of time. The first attack in October 2019 came from the Ryuk ransomware gang and caused downtime to package tracking systems. The Maze ransomware group launched the second attack, posting screenshots of directory listings from inside the company’s network. Pitney Bowes claimed none of its data was encrypted in the second attack.
Tyler Technologies ($TYL)
An undisclosed strain of ransomware took down government software provider Tyler Technologies‘ internal network, phone, and email systems in September 2020. Reports say the company paid the ransom, but not how much. No customer systems were affected.
Universal Health Services ($UHS)
400 Universal Healthcare Services care sites were hit by Ryuk ransomware in September 2021. The attack cost $67 million in lost income, labor expenses, and recovery costs. The attack caused computer and phone outages at UHS facilities across the USA, including patients’ electronic health records. The recovery effort took three weeks. Some patients had to be diverted to other facilities due to the disruption. Reports do not indicate that any data was stolen.
Xerox Holdings ($XRX)
The Maze ransomware group posted screenshots as evidence of breaching Xerox’s systems, stealing data, and deploying ransomware in July 2020. More than 100GB of files were allegedly stolen and held for ransom, possibly including financial documents and user information.