A major global ransomware attack could cost organizations an estimated $193bn, with those in the US worst affected, according to a new cyber-risk report.
The report, Bashe attack: Global infection by contagious malware, was produced by the Singapore-based Cyber Risk Management (CyRiM) project, of which Lloyd’s of London and other insurers are founding members.
It paints a scenario not unlike WannaCry or NotPetya, in which a ransomware ‘worm’ goes global, causing untold damage.
The report’s hypothetical attack begins with a malicious email directed at one organization; once the email is opened, it triggers the ransomware download. The malware then spreads to connected networks and forwards itself to all contacts.
The report estimates that as many as 600,000 businesses globally could be affected by such an attack, with the resulting financial damage hitting anywhere between $85bn and $193bn.
In the most severe scenario, US organizations lose $89bn, European firms suffer $76bn in losses and those in Asia escape relatively lightly with a $19bn hit.
In this scenario, retail and healthcare (both $25bn) would be the worst affected industries, with payment system disruption crippling commerce and lengthy delays in recovery due to infection of legacy healthcare IT systems.
Manufacturing is the next most impacted sector, suffering $24bn in losses thanks to encryption of production equipment and inventory management systems. This will also have a major knock-on impact for the supply chain, the report claimed.
With a staggering 86% of total economic losses currently uninsured, organizations could be on the hook for $166bn if such an attack hit home, the report concluded.
Ed Macnair, CEO of CensorNet, argued that with the right email security, most organizations could mitigate the risk of a global threat on this scale.
“This research has been based on a phishing attack and the kind of spread they are talking about would be prevented if just a couple of companies had email security in place. The chances are many more than that do,” he claimed.
“Cyber insurance is a good idea to have, but without preventative tools in place it’s the same as insuring your home contents and leaving the door unlocked. It’s there as a back-up and, if you do everything right, shouldn’t be needed.”