Ransomware warning: A global attack could cause $200bn in damage - and we're just not ready

WannaCry and NotPetya just scratched the surface of the damage ransomware could do. This gloomy scenario looks at what could really go wrong.
Written by Danny Palmer, Senior Writer

A worldwide cyberattack could cost global economic losses of almost $200bn as organisations across sectors are still unprepared to face the consequences of a malicious global cyber campaign.

The report by the Cyber Risk Management (CyRiM) project — a collaborative partnership including Lloyd's of London, the Cambridge Centre for Risk Studies, the Nanyang Technological University in Singapore, and others — uses a theoretical catastrophic ransomware attack to model the broader impact.

While fictional, the 'Bashe' ransomware campaign uses past global cyberattacks including WannaCry and NotPetya as a basis for how hackers could spread malware around the world.

Indeed, the report sets out how the cyber criminal group behind Bashe has learned from the mistakes of previous ransomware campaigns — such as including a killswitch — in order make the campaign "the most infectious malware of all time" when it comes to the number of targets infected.

In the scenario, Bashe is delivered to targets via phishing emails which appear to come from the target's payroll departments, with the subject of 'Year-End Bonus' — a the lure of money in what looks like an official message likely to make many click through and follow whatever instructions they're told. In this instance, it's to open an attachment titled 'BonusScheme.pdf' which triggers the ransomware. 

The malware is so potent that once one employee runs the ransomware on their computer, it's enough to spread the file-locking malware around the network, with a demand of $700 in cryptocurrency on each machine. Around 30 million devices at organisations around the globe are locked in just 24 hours

Consequences of the attack are catastrophic, with organisations of all sizes in all sectors unable to perform day-to-day operations. As a result, some organisations opt to pay ransoms — including healthcare companies, due to the need to keep life-saving equipment online. The report suggests it's healthcare, retail and manufacturing organisations that would suffer most in such an attack.

SEE: A winning strategy for cybersecurity (ZDNet special report) | Download the report as a PDF (TechRepublic)

Other firms opt to replace devices instead of paying criminals — like Maersk did in the aftermath of NotPetya — but this also costs money, with the report putting the estimated cost of this approach at $350 per device.

No matter how companies choose to deal with the attack, the CyRIM report predicts that such an event would cost a total of $193bn around the world as a result of cyber incident response, damage control and mitigation, business interruption, lost revenue, and reduced productivity. To put that figure into perspective, it's estimated that WannaCry caused a total of $4 billion in damages.

Such a catastrophic attack might seem unlikely, but the aim of the report is to show that the global economy is still under-prepared for a massive cyber event and that companies need to act to make sure they're systems can withstand such a scenario.

"This report shows the increasing risk to businesses from cyber attacks as the global economy becomes more interconnected and reliant on technology. Companies must ensure they are better prepared for ransomware attacks," said Dr Trevor Maynard, head of innovation at Lloyd's.

"The reality for business is it's not if you get attacked but when," he added.

The CyRIM report comes shortly after the World Economic Forum listed large-scale cyber attacks and data breaches as some of the biggest risks facing the world today.


Editorial standards