How Much Does The Average Ransomware Attack Cost?

Managed service providers (MSPs) may not realize that they are part of a growing trend in cybersecurity, but they are part of the increasing attacks on the world’s supply chain. In 2019, almost 300 cyberattacks were launched against supply chain targets in the U.S. In 2020, that number grew to almost 700, most notably the SolarWinds and Colonial Pipeline attacks.

Targeting a less secure company in the supply chain often means getting access to larger organizations with more assets, resulting in higher ransom demands. The recent Kaseya attack not only targeted its supply chain, but also the supply chain of its customers. Since many of Kayesa’s customers were MSPs, the ransomware attack spread to multiple companies that had outsourced their IT services to the infected MSPs.

In the case of Kaseya, 50 MSPs were infected, impacting 800 to 1500 of their customers. It is too early to know how much the Kaseya attack cost the company and its clients, but it will be in the millions.  According to the FBI, ransomware compromises cost the country $29 million with the financial impact lasting years.

So how much does a ransomware attack cost an MSP?

According to an IBM report, the financial consequences of a cyberattack can extend at least two years beyond the compromise. In looking at the total costs, IBM divided attacks into four phases:

  • Detection and Escalation
  • Notification
  • Response and Remediation
  • Post- response

The costs associated with each phase depend on the preparedness of the compromised organization.

Detection and Escalation

Supply chain attacks are more than a “spray and pray” attack. These compromises are carefully planned attacks initiated by known cybercrime groups such as REvil in the case of Kayesa. In most instances, the bad actors have been in the target’s system for weeks or months before launching the attack. They are using the time to locate valuable digital assets, encrypt local backups, and exfiltrate data. As a result, targeted companies may incur costs related to the following, even if the attack is unsuccessful.

  • Forensic and investigative activities to assess and remediate the attack.
  • Audit and assessment services to ensure the integrity of the system.

To mitigate the risk to their customers, MSPs should deploy detection tools to alert them to potential compromises. When possible attacks are discovered and contained before they are launched, the costs for this initial phase are reduced.


No MSP wants to make the call to inform their clients that they have been compromised. What is worse is having customers call to say they have been attacked because of weaknesses in the MSP’s services. Notification requirements may extend to businesses using the services. Depending on the industry, organizations may be required to notify regulatory agencies of the attack.

For example, if consumers’ financial data is compromised, companies must notify authorities within 45 to 90 days from detection. Failure to comply with notification regulations often results in fines. MSPs may have payment information for their clients, but their clients may have protected data belonging to their customers. The ripple effect can be costly.

The notification process takes resources. MSPs must prepare written notification of the impact of the attack on their clients who must, in turn, notify their customers. If outside regulators are involved, staff must be made available to assist in their investigations. This process may extend to an MSP’s clients.

MSPs should have a documented plan that identifies any regulatory requirements and contact information. They should have processes in place that demonstrate their efforts to ensure compliance. The better prepared an MSP is to address the notification process, the less time and resources it takes.

Response and Remediation

A significant percentage of the financial impact comes during the response and remediation phase because that is the period when MSPs like other companies lose business. IBM’s report identified three ways a cyberattack can result in lost business.

  1. Downtime. When an MSP is shut down because of ransomware, it loses money. If their clients shut down, they lost money. Depending on the company, the cost of business disruption and revenue loss can run into the millions. For example, an unplanned hour of manufacturing downtime costs $260,000. Multiply that times a 24/7 operation and the financial impact can be catastrophic.
  2. Lost Business. If 56% of consumers will stop doing business with a company that suffers a cyberattack, how many organizations are going to continue to do business with an MSP? It doesn’t matter if the compromise was part of a supply chain attack, MSP clients expect to be protected no matter where the breach started.
  3. New Customers. To survive MSPs must acquire new customers which costs money. Precisely how much depends on the MSP.

While MSPs are working to remediate and restore their operations, they are also trying to stay afloat as are their affected customers.

Post Response

The post-response period may be the most costly. MSPs may be subject to banking and transaction processing regulations depending on how payments are accepted. Their customers may also be subject to consumer privacy laws if they accept credit or debit cards as a form of payment. If organizations are found to be out of compliance, no payments are processed until they are brought into compliance.

After the initial response phase, MSPs may need to add staff to address the questions raised by the media, their clients, and regulators. They may have to offer incentives to retain or attract new customers. The post-response phase can last years depending on the size of the attack and the industries involved.

Minimize the Impact

As supply chain attacks continue to rise, Atlanta’s MSPs need to ensure that they have end-to-end protection. As an MSP, Teamspring has invested in the right tools to detect and protect against cyberattacks. They ensure that their vendors are held to the same level of accountability as they demand of themselves. That’s why they can protect their clients from the growing threat to their livelihoods. To learn more, contact us.