"WannaCry" ransomware attack losses could reach $4 billion

Global financial and economic losses from the "WannaCry" attack that crippled computers in at least 150 countries could swell into the billions of dollars, making it one of the most damaging incidents involving so-called ransomware.

Cyber risk modeling firm Cyence estimates the potential costs from the hack at $4 billion, while other groups predict losses would be in the hundreds of millions. The attack is likely to make 2017 the worst year for ransomare scams, in which hackers seize control of a company's or organization's computers and threaten to destroy data unless payment is made. 

In 2016, such schemes caused losses of $1.5 billion, according to market researcher Cybersecurity Ventures. That includes lost productivity and the cost of conducting forensic investigations and restoration of data, said Steve Morgan, founder and editor-in-Chief of Cybersecurity Ventures.

"The massive WannaCry attack will be a major contributor" to those losses he said in an email to CBS MoneyWatch.

Cybersecurity firms report a spike in concerns from customers worried about WannaCry since reports of the malware infecting computers surfaced this weekend. Indeed, security companies saw their stock price rise after news of the hack.

While the potential losses from reduced productivity and efforts to mitigate the damage from WannaCry are expected to be significant, the actual ransom collected through the attack is likely to be modest. Cybercriminals behind the scam are typically demanding $300 in Bitcoin to unlock a company's computers.

Matthew Anthony, vice president of incident response at security firm Herjavec Group, said that as of Friday the total amount paid by victims to regain access to their information systems was under $100,000. In part, that's simply because of the logistical complications involved in paying ransom to unlock thousands of computers within the short time frame demanded by the hackers behind the WannaCry attack. 

"Most of the organizations won't pay," he said. "They will rebuild and recover from their backups or other sources."

Though a few companies in North America were hit by WannaCry, such as FedEx (FDX), U.S. businesses were largely able to avoid the malware because a 22-year-old British security researcher accidentally found a "killswitch" that halted its spread. Computers with an out-of-date version of Microsoft Windows were appeared to have been hit especially hard.  

According to Rob Wainright, director of the European Union Agency for Law Enforcement Cooperation, more than 200,000 computers are affected by WannaCry, most of which are outside the U.S.  Both the scale of the attack and the virulence with which it spread from computer to computer surprised many cybersecurity experts.

"There is no precedent for a ransomware attack of this kind of scale," Anthony said. "This is the first one that we have seen … that has been able to attack computers directly with this kind of success."

Developers of the WannaCry malware were able to use a tool developed by the National Security Agency called EternalBlue, which exploited vulnerabilities in Microsoft Windows XP. The software giant had previously released a fix, but many organizations had not updated their systems. 

"When you are talking about patching with large corporations, it's not a question of do we patch or do we not patch," said John Miller, head of Threat Intelligence at security firm FireEye. "Everyone that we are talking to is treating this as a priority. Usually, there are many different patches that need to go into the environment. It's a question of prioritizing them."

For businesses, the costs associated with protecting their tech systems go beyond the need to safeguard data. The market for insurance against such attacks is expected to triple to $10 billion by 2020, Bloomberg News reports. Broker Marsh & McClennan notes that rates for such coverage has consistently risen in recent years. 

"It's very likely that we can see additional systematic types of attacks in the future," said Stephanie Snyder, senior vice president, AON Risk Solutions. "The challenge for cybersecurity professionals, as well as the cyber insurance industry, is that we don't necessarily know what types [of attacks] we are going to see."

  • Jonathan Berr On Twitter»

    Jonathan Berr is an award-winning journalist and podcaster based in New Jersey whose main focus is on business and economic issues.