In The State of Ransomware in the US: Report and Statistics 2019, we examined the number of ransomware attacks on the U.S. public sector and the cost of those attacks. In this report, we will examine the number of attacks on both the public and private sectors for a number of countries and estimate the cost, including the cost of downtime, of those attacks on a country-by-country basis as well as estimate the overall global costs.
The calculation method and assumptions
- The number of incidents is derived from submissions to ransomware identification service ID Ransomware. Every submission to this service represents a confirmed incident, and there was a total of 452,151 submissions during 2019.
- Approximately one-half of all submissions to ID Ransomware relate to a type of ransomware called STOP which has a below-average ransom demand and mainly affects home users. We shall, therefore, be reducing the submission numbers by 50% for the purpose of our calculations (the number stated in the tables is the actual number of submissions, but the calculations are based on half that number).
- We believe that only approximately 25% of public and private sector organizations affected by ransomware use ID Ransomware, and so we shall be providing two cost estimates: a minimum cost based on 50% of the actual number of submissions and an estimated cost based on that reduced number multiplied by four.
- The average ransom demand is $84,000 [1]. Note, however, that while we have based our calculations on $84,000, recent evidence suggests that this amount may have increased significantly in recent weeks.
- 33% of companies pay the ransom demand [2].
- Ransomware incidents result in an average of 16 days of downtime [1].
- We were unable to find a reliable estimate for downtime costs across all sectors and sizes of businesses – Gartner previously put the average at more than $5,600 per minute – so we have used the extremely conservative figure of $10,000 per day. This figure has no basis in reality and we have included it simply to illustrate the enormity of the costs. The actual costs are almost certainly much higher. As downtime is experienced whether or not a ransom is paid, the minimum cost is based on 50% of the submissions to ID Ransomware while the estimated cost is based on that reduced number multiplied by four. As above, we have reduced the numbers by 50% to exclude STOP from the calculations.
Country-by-country breakdown
Ransom demand costs
Country | Total submissions | Minimum cost (USD) | Estimated cost (USD) |
United States | 24,770 | 343,312,200 | 1,373,248,800 |
Canada | 4,689 | 64,989,540 | 259,958,160 |
Germany | 10,688 | 148,135,680 | 592,542,720 |
UK | 4,999 | 69,286,140 | 277,144,560 |
France | 8,754 | 121,330,440 | 485,321,760 |
Australia | 2,874 | 39,833,640 | 159,334,560 |
Spain | 8,840 | 122,522,400 | 490,089,600 |
Italy | 11,580 | 160,498,800 | 641,995,200 |
Austria | 1,698 | 23,534,280 | 94,137,120 |
New Zealand | 467 | 6,472,620 | 25,890,480 |
Global total (all countries) | 452,151 | 6,266,812,860 | 25,067,251,440 |
Total cost: ransom demand costs + downtime costs (16 days)
Country | Total submissions | Minimum cost (USD) | Estimated cost (USD) |
United States | 24,770 | 2,324,912,200 | 9,299,648,800 |
Canada | 4,689 | 440,109,540 | 1,760,438,160 |
Germany | 10,688 | 1,003,175,680 | 4,012,702,720 |
UK | 4,999 | 469,206,140 | 1,876,824,560 |
France | 8,754 | 821,650,440 | 3,286,601,760 |
Australia | 2,874 | 269,753,640 | 1,079,014,560 |
Spain | 8,840 | 829,722,400 | 3,318,889,600 |
Italy | 11,580 | 1,086,898,800 | 4,347,595,200 |
Austria | 1,698 | 159,374,280 | 637,497,120 |
New Zealand | 467 | 43,832,620 | 175,330,480 |
Global total (all countries) | 452,151 | 42,438,892,860 | 169,755,571,440 |
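The calculation method and both tables above, carried through in code as an added example (not part of the original report): it applies the stated assumptions to the submission counts and reproduces the published minimum and estimated figures. The function and constant names are chosen here for illustration, and `downtime_share` is an extra sensitivity check showing how much of the total rests on the $10,000-per-day downtime figure.

```python
from fractions import Fraction

# Assumptions exactly as listed in the report's method section.
STOP_SHARE_KEPT = Fraction(1, 2)   # half of submissions remain after excluding STOP
REPORTING_MULTIPLIER = 4           # ~25% of affected organizations use ID Ransomware
AVG_RANSOM_USD = 84_000
PAY_RATE = Fraction(33, 100)       # share of companies that pay
DOWNTIME_DAYS = 16
DOWNTIME_USD_PER_DAY = 10_000

# Submission counts copied from the report's tables.
SUBMISSIONS = {
    "United States": 24_770, "Canada": 4_689, "Germany": 10_688,
    "UK": 4_999, "France": 8_754, "Australia": 2_874, "Spain": 8_840,
    "Italy": 11_580, "Austria": 1_698, "New Zealand": 467,
    "Global total": 452_151,
}

def cost_model(submissions, include_downtime=False):
    """Return (minimum, estimated) cost in USD as exact fractions."""
    incidents = submissions * STOP_SHARE_KEPT
    per_incident = AVG_RANSOM_USD * PAY_RATE          # expected ransom paid
    if include_downtime:
        per_incident += DOWNTIME_DAYS * DOWNTIME_USD_PER_DAY
    minimum = incidents * per_incident
    return minimum, minimum * REPORTING_MULTIPLIER

def table(include_downtime=False):
    """Rebuild one of the report's tables as {country: (minimum, estimated)}."""
    rows = {}
    for country, count in SUBMISSIONS.items():
        low, high = cost_model(count, include_downtime)
        rows[country] = (int(low), int(high))
    return rows

def downtime_share(submissions):
    """Fraction of the total cost contributed by the downtime assumption."""
    ransom, _ = cost_model(submissions)
    total, _ = cost_model(submissions, include_downtime=True)
    return float((total - ransom) / total)

if __name__ == "__main__":
    for title, flag in (("Ransom demand costs", False),
                        ("Ransom demand + downtime costs", True)):
        print(title)
        for country, (low, high) in table(flag).items():
            print(f"  {country:<14} {low:>16,} {high:>18,}")
    print(f"Downtime share of total: {downtime_share(452_151):.1%}")
```

Because every row uses the same per-incident figures, the downtime share is identical for each country, so changing the per-day downtime cost rescales the second table almost proportionally.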
Conclusion
The data in this report is partly derived from third party statistics which may be based on limited datasets and, consequently, the costs stated above may be significant over- or underestimates. The calculations are, however, based on the best information currently available and we have almost certainly significantly understated the cost of both ransom demands and downtime.
While the above costs may seem extraordinarily high, it should be remembered that ransomware incidents can be exceptionally expensive – for example, Norsk Hydro estimated its ransomware-related losses at more than $50 million,
The intention of this report is not to accurately estimate the costs, which is impossible due to a dearth of data, but rather to shine a light on the massive economic impact of these incidents in the hope that doing so will help governments and law enforcement agencies formulate a proportionate response to the ransomware crisis.
Sources
[1] Ransomware Costs Double in Q4 as Ryuk, Sodinokibi Proliferate – Coveware
[2] 2020 State of the Phish Report – Proofpoint