“It’s Not in the Budget” The Economic Reality of a Ransomware Attack

Ransomware is Destructive and Expensive

Over the past several years ransomware attacks in the US and abroad have been on the increase and industry experts indicate they expect this trend to continue for the foreseeable future. Despite this threat, very few companies have taken the steps needed to quickly recover from a devastating attack. This paper looks at the total costs of ransomware recovery and what you can do to mitigate your exposure.

For those who have been living under a rock, ransomware is a form of malware that can be introduced to a computer network by any number of attack vectors, such as an email attachment. As the malware spreads across the network, it encrypts data files on the infected system and demands payment of a ransom to get the decryption key. In many cases, the ransomware also infects the site’s backup files to inhibit data recovery. In June 2019, two small Florida towns were attacked and paid a combined $1.06 million in ransom after everything was encrypted.

To facilitate a ransomware recovery, every infected system must have its operating system (OS) and applications restored. This task is usually done using reimaging, where a copy of the OS and some commonly used applications are pushed out to the infected endpoints from a server. This process is just too slow to be a viable recovery option when hundreds or thousands of endpoints must be recovered. In 2016, the Erie County Medical Center (ECMC) was attacked and 2 weeks later they were still busy reimaging over 6,000 endpoints. In May 2019, the city of Baltimore had its second attack in 14 months and it took them over 4 months to recover nearly 13,000 endpoints. At both sites, recovery costs exceeded $10 million.

All the organizations victimized by ransomware had anti-malware solutions in place, but their attackers were successful anyway. One must recognize that ransomware is a very profitable industry and it invests in developing new ways to penetrate networks. As an IT organization you must guard every possible avenue of attack, while the bad guys only need to find one way in. At the end of the day, you need to assume an attack will be successful and determine what you can do to accelerate the recovery at a reasonable cost.

No one likes to buy insurance, but in the case of ransomware, are you willing to trade the cost of that insurance against the cost of days or weeks of downtime for your organization? This is one of those situations where you need to look at the worst-case scenario. If all the endpoints in your organization were infected with ransomware, how would you restore them to their pre-attack condition, how long would that take, and how much would that cost? If your answer is more than a day and the cost is more than you want to think about, you should look at InstantRecovery™.


InstantRecovery is a patented, high-availability software solution that restores the OS and applications on any Windows platform in the time it takes to reboot.

InstantRecovery creates a bootable snapshot of the system drive and keeps it in a hidden and protected folder on the system drive. In the event of ransomware, InstantRecovery boots to the recovery snapshot and restores a “known good” copy of exactly what was on that system in less than 3 minutes. InstantRecovery can also repair the corrupted system in a few minutes. https://www.raxco.com/business/products/instantrecovery

If ECMC or Baltimore had InstantRecovery in place when they were attacked, they could have restored their endpoints back to a pre-attack condition the same day. InstantRecovery shortens system recovery from days or weeks to minutes, and that represents a lot of money.

InstantRecovery is designated as Qualified Anti-terrorism Technology by the US Department of Homeland Security (DHS). The technology has been used by the US Marine Corps and the US Navy on over 14,000 combined endpoints worldwide. The product was also vetted by the Army’s Network Command (NETCOM) and the FAA.

“It’s Not in the Budget”

Ransomware is responsible for millions of dollars of downtime and lost revenue, not to mention damage to an organization’s reputation. Why isn’t every organization doing everything it can to ensure a rapid recovery from an attack? A common answer is that “it’s not in the budget”. Ransomware attacks are unscheduled, random events and they come with a host of expenses, none of which are in the budget. Here are some of the expenses you can expect:
  • One obvious option is to pay the ransom. The Baltimore attackers asked for $76,000 while the two small communities in Florida coughed up over $1 million. Ransoms are not usually in the budget.
  • In the wake of an attack most victims engage an Incident Response Team to conduct a forensic analysis of the attack. Atlanta paid over $2.6 million for emergency IT services and this was not in the budget.
  • The Incident Response Team usually makes recommendations on how to upgrade hardware and software to be more resilient to future attacks. In Riviera Beach, FL, they spent $1 million on new systems in addition to the $600,000 ransom. This wasn’t in the budget.
  • Downtime represents a crippling cost in terms of lost productivity and lost business opportunities. Hospitals have had to cancel procedures and turn patients away, municipal governments have been unable to deliver services and access court records, law firms lose the ability to track billable hours and shipping companies have been unable to deliver goods. Many ransomware articles cite how employees were doing their jobs with pencil and paper and analog fax. This lost revenue wasn’t in the budget.
  • The organization’s reputation also suffers. A prolonged recovery impacts customers, vendors and employees. The longer it takes to recover, the more severe and longer the consequences. Any financial or goodwill damage incurred by an attack is likely not in the budget.
  • While cyber-insurance may offset some of the recovery expense, it does not cover everything. Food giant Mondelez, the owner of the Oreo and Cadbury brands, is in litigation over a $100 million claim related to a ransomware attack. Norway’s aluminum manufacturer, Norsk Hydro, also has litigation under way related to an attack last spring. Litigation expense was probably not in the budget.


Despite almost daily news about new ransomware attacks, we still see that companies and government agencies appear to be in denial that they could be attacked. The cyber-criminals conducting these attacks are very smart opportunists; they will attack any site where they believe they can get in. Major companies like FedEx and Maersk have been hit, as well as a small chain of chili parlors in the Washington DC area and a lot of entities in between. No one is immune.

Investing in a better recovery solution negates the need to pay a ransom, engage an incident response team, incur expensive downtime or have your corporate reputation damaged. InstantRecovery delivers a positive ROI in the event you are attacked and a lot of peace of mind if you aren’t.

For more information on InstantRecovery or a Go-To-Meeting demo, contact Bob Nolan at 301-519-7712 or bnolan@raxco.com.
