The expense of dealing with a ransomware attack is far in excess of what was previously thought, according to a report published on Tuesday by cybersecurity company Emsisoft.

Emsisoft’s higher estimate for the total ransom payments demanded in 2019 was $25 billion. But this is only one seventh of the actual cost to the companies affected, which could be as much as $170 billion, according to its estimates. Most of these costs arise from downtime and are associated with dealing with the attack, rather than the ransom itself, according to the report. 

Ransomware demands double in three months

Ransomware is malicious software that encrypts files, unlocking them only if the victim pays a fee—often in cryptocurrencies such as Bitcoin.


Attacks increased 41% in 2019, with 205,280 enterprises throughout the world affected, according to Emsisoft data submitted to the New York Times.

The price of the ransom demanded also doubled from $41,198 six months ago to $84,116 at the end of 2019, according to data from security firm Coveware. This increase is largely attributed to the increasing sophistication of new malware such as Ryuk and Sodinokibi.  

Coveware also suggests that it takes an average of 16 days for enterprises affected by a ransomware attack to restore their networks. While average downtime is hard to calculate, Gartner has estimated that it costs the average firm a staggering $5,600 per minute.

So it’s perhaps unsurprising to learn that 33% of companies pay the ransom demand, in order to mitigate their costs, according to the 2020 State of the Phish Report, published last month by another cybersecurity firm, Proofpoint. 

Evolution of the ransomware ecosystem

Those responsible for the attacks have proved hard to identify. Bitcoin accounted for about 98% of ransomware payments, which are then converted to privacy coins such as Monero. Criminals operate from countries such as Iran, North Korea and Russia, which are beyond the reach of international law enforcement agencies. 


According to Emsisoft, the country most often targeted is the US, followed by Italy and Germany. 

In December, security experts described to Decrypt how ransomware has evolved into an industry, with the evolution of victim-facing software, customer-service centers to deal with payments, and specialist data recovery operations, who deal with hackers on behalf of victims.  

“We have almost certainly significantly understated the cost of both ransom demands and downtime,” Emsisoft concluded in its report.

In October, the startup unveiled a new decryption tool which it claims could stop 56% of attacks.

Daily Debrief Newsletter

Start every day with the top news stories right now, plus original features, a podcast, videos and more.