Hidden ransomware costs and losses revealed in SEC case report

In 2021 ransomware damage reached unprecedented levels, with attackers demanding and receiving ransoms of millions of dollars. JBS, the world's largest meat processor, paid an $11 million ransom in June 2021.

US oil pipeline company Colonial Pipeline paid ransomware attackers $4.43 million in May 2021, but the U.S. Department of Justice has since seized $2.3 million of the ransom. That same month, backup appliance supplier ExaGrid paid a ransom of $2.6 million to cybercriminals who attacked with the Conti ransomware.

The actual cost of a ransomware attack, including lost revenue, far exceeds the ransom paid. Most private companies do not disclose the cost of a ransomware attack, and often not the attack itself. For that reason the United States recently enacted a law that makes reporting of ransom payments mandatory.

Listed companies, meanwhile, are obliged to report cyber incidents that have a material impact on their business, such as ransomware attacks, to the Securities and Exchange Commission (SEC). Most publicly traded companies registered with the SEC report such incidents on Form 8-K, and the SEC is planning to require all publicly traded companies to report a cybersecurity incident within four days of becoming aware of it.

In our review of 8-K filings with the SEC, we found 30 publicly traded companies that reported ransomware-related incidents (paying a ransom or receiving ransomware-related insurance payments) between 2020 and 2021. Many of these filings omit financial data on the cost of handling the incident; only seven contain enough cost data to understand how much the ransomware incident actually cost.

One company put its litigation costs at $50 million; another lost $64 million in revenue. The following is a summary of these incidents.

Sinclair Broadcast Group, the largest terrestrial broadcaster in the United States, reported a ransomware incident in October 2021. Sinclair did not pay the ransom and was able to restore its network from backups, but said it lost revenue and incurred costs because of broadcast interruptions.

The incident cost Sinclair $63 million in broadcast advertising revenue and $11 million in restoration costs in the fourth quarter. After insurance reimbursement, Sinclair estimated that the incident would result in an unrecoverable net loss of approximately $24 million, an estimate that could still rise because the detailed restoration costs remain fluid.

Cloud company Blackbaud suffered a ransomware attack in May 2020. It cut off the threat actor's access, prevented file encryption, and expelled the attacker from its systems. However, the attacker had already exfiltrated a copy of some data from Blackbaud's self-hosted private cloud environment, and Blackbaud paid the ransom demanded.

In 2020 Blackbaud spent $10.4 million on the incident, offset by $9.4 million in insurance recoveries. Blackbaud has since received approximately 570 reimbursement claims from customers in connection with the incident. Litigation followed in July 2021, and in February 2022 Blackbaud amended its credit agreement, estimating up to $50 million in non-recurring cash legal costs related to the data breach and the associated ransomware attack.

Packaging giant WestRock Company was hit by a ransomware attack on January 23, 2021, which brought down its IT and operational technology (OT) systems. WestRock said the attack cost it $189 million in revenue and $80 million in operating results for the second quarter of 2021. WestRock also incurred ransomware recovery costs of around $20 million, mostly fees for outside experts, and said it expects its cyber and business interruption insurance to recover part of those losses.

On December 8, 2021, Radiant Logistics, a North American third-party logistics (3PL) and intermodal company, was hit by a ransomware attack affecting its operations and IT systems. Radiant said the incident caused lost sales and incremental expenses in December, which it expects to weigh on its earnings for the second quarter of fiscal 2022.

Radiant said that before it took the systems offline, data about customers and employees was accessed on company servers, and that it was actively communicating with those who might be affected. In its subsequent financial statements, Radiant put December's ransomware-related costs at $750,000, covering third-party forensic and IT professionals, legal advice, overtime and other incremental employee costs.

Minerals Technologies, a minerals and technology-based company, was attacked by the Egregor ransomware on October 26, 2020. The company said it incurred $4 million in costs for system recovery and risk mitigation following the attack.

US electronics manufacturing services company Benchmark Electronics first reported a ransomware attack on November 5, 2019, which disrupted access to systems and services for customers and employees. Benchmark Electronics said the ransomware incident cost $7.681 million. The company has since recovered $3.989 million of those losses in fiscal 2021, presumably from insurance reimbursements.

Faneuil, a subsidiary of ALJ Regional and a provider of business process outsourcing services, detected a ransomware attack on August 18, 2021. Faneuil launched an investigation, retained legal counsel and incident response experts, and implemented a series of containment and remediation measures. It also engaged a major cybersecurity firm to strengthen the security of its IT systems.

As a result of the incident, Faneuil incurred costs and expenses of approximately $2.8 million. Faneuil expects to receive a total of $1.9 million from insurance, of which $1.3 million has been received so far; the remainder is expected before March 31, 2022.

Tech Debt Resolved Only After Ransomware Attack

"The recovery process is usually expensive," said Allan Liska, intelligence analyst at security firm Recorded Future. "If you don't pay the ransom, you'll have to repair everything yourself. There are incident response costs and accompanying costs, which can run into the millions of dollars." Liska added that some costs turn out higher than expected, such as Blackbaud's substantial legal costs.

Another significant cost of ransomware recovery is the technical debt that gets resolved during recovery: projects that needed to be implemented but had been delayed for years. "Companies should have implemented multi-factor authentication two years ago," says Liska. "Only after being hit by ransomware do they finally do it. After a ransomware attack, it has become almost common practice for companies to increase their security budgets. That money comes from somewhere other than the original security budget, so it should also be counted as a ransomware cost."

Source: ITWorld Korea by www.itworld.co.kr.
