From Ransom to Revenue Loss

Oct 07, 2025

How Cyberattacks Directly Impact Your Bottom Line

Ransomware attacks are growing more costly, enough to merit the attention of finance and to rank as a fundamental business challenge. In the face of total operational disruption, cybersecurity has become a strategic risk that can impact brand trust, operations, revenue and more. The real-world consequences of these attacks stretch far beyond just the ransom payment, directly impacting a company's bottom line.

As organizations suffer extended downtime, strained partner and customer relations, and bottom-line impacts, attackers gain more leverage through disruptive techniques and demand increased payments. Our 2025 Unit 42 Global Incident Response Report saw the median initial extortion demand increase nearly 80% from $695,000 in 2023 to $1.25 million in 2024.

But the ransom payment isn’t the full price tag. The recovery and remediation required to get systems back online, as well as damaged trust, missed opportunity costs, compliance fines and other costs can stretch into the billions. As attackers become more sophisticated and cause more significant downtime, they are forcing businesses to accelerate digital transformation and strengthen their cybersecurity postures, becoming an unintentional catalyst for business resilience and innovation.

Let’s look at ransomware attacks from a profit-and-loss perspective and talk about how to dial in your recovery strategy to ensure business continuity.

What We’ve Learned about Ransomware Demands

The initial demand of a ransom will likely fall between 0.05% and 5% of your perceived annual revenue (PAR). According to our research, the median initial ransom demand in 2024 was 2% of PAR, which attackers assess using ZoomInfo and other publicly available data.

The real question: Should you pay?

The answer varies wildly from case to case, client to client and attacker to attacker, but paying is an option worth considering. In 2024, about 48% of ransomware victims paid. Ransomware groups generally tend to hold up their end of the bargain, because if they didn’t, they would lose credibility and diminish any incentive for future victims to pay. Assuming everyone keeps their word, paying the ransom can often be the fastest path back to normal operations for organizations without a battle-tested disaster recovery plan or where backups were adversely impacted in the attack.

With the right help, the ransom demand has some wiggle room. Most of the time, it’s quite a lot. At Unit 42, we’ve been largely successful in negotiating the demand down to a median of 0.6% of the PAR. The median percent reduction for paid ransoms that Unit 42 negotiated was about 53%. Perhaps this is the reason the median ransomware payment only rose $30,000 from 2023 to 2024.

That’s the good news. The bad news is that attackers are finding ways to gain more leverage. More often, they’re turning to disruptive tactics that take critical operations offline, drastically driving up the costs of recovery and remediation, as well as other associated expenses. In fact, our 2024 case data shows that 86% of incidents we responded to involved significant business disruption in the form of operational downtime, reputational damage or both.

Ransomware in the Age of Disruption

Ransomware cases were once relatively straightforward. Attackers would break into an organization, encrypt critical files, and then demand payment in the form of cryptocurrency to decrypt those files. But over time, organizations got much better at backing up their data. Instead of paying the ransom, they could just revert to a backup and continue operating.

If encryption was the first wave of ransomware, the second wave was characterized by data exfiltration and harassment. Instead of just locking up your files, attackers started stealing sensitive data and threatening to make it public. They even found a new revenue stream by auctioning off the stolen data on dark web marketplaces. They often set up “leak sites” to malign their alleged victims, sometimes harassing employees with malicious messages.

Today, as data breaches frequently make headlines, consumers have become desensitized and apathetic to their occurrence. Data breach fatigue weakens the value of stolen data on the dark web and erodes the leverage attackers hold in ransomware extortion. To regain control, attackers are now escalating their impact on organizations’ systems, marking the third wave of ransomware as disruption.

Let’s be clear, attackers are adding disruptive tactics on top of exfiltration and harassment. In fact, we’re seeing higher rates of data exfiltration and harassment than ever before. For attackers, the name of the game is maximizing leverage.

More often, organizations are developing backup strategies that help mitigate the impact of an attack. In 2024, nearly half of impacted ransomware victims were able to restore from backup, which is about five times as many as in 2022.

But not all backup strategies are created equal.

Caveats about Backups

Having a backup plan is great, but here are a few opportunities to enhance yours:

  1. Test your backup processes.
    Instead of waiting for a live incident, test your backups proactively and regularly. Testing helps ensure that all personnel are familiar with the process and that any strategic gaps are identified and addressed before they can do the most damage. This preparedness builds confidence and significantly reduces recovery time.
  2. Understand your restoration timeline.
    Thoroughly map the connections between critical services and their supporting solutions. Knowing exactly how long restoration will take and understanding the intricacies of decryption, which isn't always quick or successful, empowers you to set realistic expectations and optimize your recovery efforts.
  3. Pick the right backup interval.
    Ensure that your roll-back date predates the attacker’s initial access. Conducting an investigation with speed and precision can eliminate uncertainty during this recovery and prevent the additional work to roll systems back even further than originally anticipated.
  4. Protect your backups.
    Implement controls to prevent attackers from deleting recovery vaults, redirecting backups to attacker-controlled storage, or disabling backup software.

Ransomware on the Balance Sheet

The full picture of a ransomware incident extends beyond cybersecurity to include risk, insurance, finance, legal, as well as other nontechnical stakeholders.

That’s a good thing. Each stakeholder brings a different piece of the puzzle to the table:

  • Legal thinks of data retention in terms of time related to compliance.
  • Finance thinks about the costs to store backups and other disaster recovery functions.
  • IT thinks about storage size, such as how many petabytes will be required to retain backup data.

To take a proactive approach to your recovery processes, here are a few questions you can ask yourself:

Which operations are critical to maintain business continuity?

The first step is to map your operations by criticality – the higher the tier, the faster they must be able to recover and the more frequently they must be backed up. Top-tier operations and their supporting systems are those that have an immediate impact on revenue, safety or compliance. Second-tier operations include ancillary functions (e.g., internal communications, support ticketing, data analytics), which can be down for up to 24 hours without causing major damage. Finally, noncritical systems are ones that can tolerate outages of several days, like training portals, archive systems or marketing tools.

What is your recovery point objective (RPO) and recovery time objective (RTO)?

Your RPO is the amount of data your organization can stand to lose, measured in time. This depends on how current your recovered data needs to be and will dictate how frequently you need to back up your data. Your RTO is the length of operational downtime your organization can tolerate. This will be your target for getting systems back online after an attack. Does your disaster recovery plan account for these metrics and have you tested it?
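The backup-interval caveat and the RPO/RTO questions above can be checked against a backup catalogue. This added example (not from the article or from Unit 42) picks, per system, the newest backup that predates attacker initial access and compares the resulting data loss and the last tested restore time with tier targets; the system names, timestamps and tier targets are constructed assumptions.

```python
from datetime import datetime, timedelta

# Tier targets are illustrative assumptions, loosely following the article's
# three criticality tiers; they are not figures from the article.
TIERS = {
    1: {"rpo": timedelta(hours=1), "rto": timedelta(hours=4)},
    2: {"rpo": timedelta(hours=24), "rto": timedelta(hours=24)},
    3: {"rpo": timedelta(days=7), "rto": timedelta(days=3)},
}

def ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M")

# Constructed sample inventory: names, backup times and drill results are invented.
SYSTEMS = [
    {"name": "order-db", "tier": 1, "tested_restore": timedelta(hours=3),
     "backups": [ts("2025-03-09 23:00"), ts("2025-03-10 01:00"), ts("2025-03-14 08:00")]},
    {"name": "ticketing", "tier": 2, "tested_restore": None,  # never drilled
     "backups": [ts("2025-03-12 00:00"), ts("2025-03-13 00:00")]},
    {"name": "training-portal", "tier": 3, "tested_restore": timedelta(days=2),
     "backups": [ts("2025-03-08 00:00"), ts("2025-03-12 00:00")]},
]

def plan_restore(system, initial_access, outage_start):
    """Pick the newest backup older than initial access, then compare the
    resulting data loss and the last tested restore time with tier targets."""
    target = TIERS[system["tier"]]
    clean = [b for b in system["backups"] if b < initial_access]
    tested = system["tested_restore"]
    rto_met = tested is not None and tested <= target["rto"]
    if not clean:  # every retained backup postdates the intrusion
        return {"name": system["name"], "restore_point": None,
                "data_loss": None, "rpo_met": False, "rto_met": rto_met}
    point = max(clean)
    data_loss = outage_start - point  # dwell time widens this beyond the interval
    return {"name": system["name"], "restore_point": point,
            "data_loss": data_loss, "rpo_met": data_loss <= target["rpo"],
            "rto_met": rto_met}

def plan_all(initial_access, outage_start):
    return [plan_restore(s, initial_access, outage_start) for s in SYSTEMS]

if __name__ == "__main__":
    for row in plan_all(ts("2025-03-10 02:00"), ts("2025-03-14 09:00")):
        print(row)
```

In the sample, order-db misses its RPO despite frequent backups because attacker dwell time, not the backup interval, sets the data loss, and ticketing has no usable restore point because its retention is shorter than the dwell time.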

Which partners will become disconnected?

In a connected world, attacks can spread. Valuable partners need to feel confident that it’s safe to reconnect to your organization in the wake of a ransomware event. You should assess how long it will take to recertify and reconnect them to the network. Remember, this is more about trust than technology. Often, partners will only accept assessments through vetting by a reputable third party, like Unit 42.

It will take your entire team to fully answer each of these questions and allocate priorities and investments in your backup strategy.

Insulating Your Organization

In addition to refining their backup strategy, organizations should also take a proactive approach to hardening the standard security pillars of any organization:

  • Network
  • Identity
  • Endpoint
  • Cloud and apps
  • SecOps

Adopting zero trust has become even more important. Fundamentally, zero trust limits a ransomware attacker’s ability to move laterally, escalate their privileges, access critical systems and gain control of sensitive data.

Blocking access and protecting data at rest can prevent the encryption and exfiltration of your data. Segmentation can reduce the blast radius of a ransomware threat by limiting attack paths, a critical control for protecting legacy systems that can’t be patched or upgraded. Multifactor authentication (MFA) can defend against compromised credentials, including by requiring MFA for lateral movement to critical internal systems, and continuous monitoring can detect ransomware-associated behaviors for faster detection and response.

Zero trust can seem daunting, but it isn’t impossible, and it isn’t all-or-nothing. An incremental approach helps achieve steady progress toward zero trust. Why not see where your organization stands with a Unit 42 Zero Trust Advisory assessment?

Get Ahead of the Next Wave

Ransomware is here to stay, and the stakes will only get higher. Aligning security and ransom risk with financial strategy can help your organization plan for and mitigate a ransomware attack. Unit 42 is ready to help.

  • AI Security Assessment: Our experts help you achieve full visibility and set the strategies to empower safe AI use and development across your organization. Our industry-leading threat intelligence and AI expertise deliver tailored best practices to mitigate risks specific to your AI footprint.
  • SOC Assessment: We’ll deliver an actionable framework to transform your SOC into a highly efficient, proactive detection and response leader, powered by AI and automation. Your SOC will transition from reactive firefighting to proactive cyber resilience aligned to your organization’s business goals.
  • Cloud Security Assessment: Get cloud confidence by aligning your security program to the dynamic and distributed nature of modern cloud environments, helping ensure effective protection from development through deployment.

Why not consider a Unit 42 Retainer? With a Unit 42 partnership, our experts become an extension of your team, well versed in your environment so they can respond quickly and accurately should an incident occur. Contact Unit 42 to get started.

FAQs on Cyberattacks’ Impacts:

  • What is the primary financial impact of ransomware attacks on businesses?
    Ransomware attacks significantly impact a company's bottom line. They extend beyond just the ransom payment to include recovery and remediation costs, damaged trust, missed opportunity costs resulting from operational downtime, as well as compliance fines potentially stretching into billions.
  • How has the nature of ransomware attacks evolved over time?
    Ransomware has evolved past simple file encryption, moving through data exfiltration and harassment, and now uses disruptive tactics to take critical operations offline. In fact, 86% of incidents that Unit 42 responded to in 2024 involved business disruption.
  • What are key strategies organizations can implement to enhance their ransomware recovery plan?
    Key strategies include regularly testing backup processes, understanding restoration timelines, picking the right backup interval to predate initial attacker access, and protecting backups from deletion or redirection by attackers.
