Global ransomware attack 'could cost $193bn'
Written by Hannah McGrath
A global ransomware attack affecting more than 600,000 businesses could inflict up to $193 billion of economic damage worldwide, according to a report which studied a hypothetical cyberattack as part of a risk management model.
The report, compiled by a group of leading insurance and risk modelling institutions, including Lloyd's of London, Aon and the University of Cambridge, tested the potential impact of a ransomware attack in which malware is sent to a business via an infected phishing email, which is opened by one employee and from there automatically forwarded to all contacts.
The study modelled the impact of three outcomes for the ‘Bashe attack’ scenario, with the lowest scale of economic damage to the world economy resulting in $85 million of losses, the second in $159 billion of losses and the third and most extreme scenario in $193 billion.
According to the worst-case scenario modelled as part of the project, the virus spreads to infect the systems of 600,000 businesses worldwide and within minutes encrypts the data on 30 million devices, before the ringleaders demand a ransom to decrypt them.
Taking into account the current rates of businesses insured against cyberattacks, the report suggested that the global economy would be underprepared for such a scenario, with 86 per cent of the economic costs related to ransomware attacks uninsured, equivalent to an insurance gap of $166 billion.
On a sector-by-sector basis, the worst case of the three scenarios modelled predicted that 613,000 businesses would be affected by such an attack, with retail coming out worst hit in terms of economic loss ($25 billion), followed by healthcare ($25 billion) and manufacturing ($24 billion).
Other sectors include business and professional services ($20 billion), finance and banking ($17 billion) and tourism and hospitality ($17 billion).
On a regional basis, the US would be worst hit by such an attack, sustaining $89 billion of economic losses, followed by Europe at $76 billion, Asia at $19 billion and the rest of the world at $9 billion.
The report found particular vulnerability to ransomware attacks amongst sectors that were “highly dependent on connected and IT devices for revenue”.
The after-effects of cleaning up a ransomware attack could last up to a year due to business interruption, the unavailability of IT systems or data; data and software loss due to wiped data; cyber extortion loss for ransom payments; incident response costs; and liability covering the cost of claims and technology errors arising from third parties.
Other after-effects include reduced productivity and consumption, IT clean-up costs, and supply chain disruption.
Trevor Maynard, head of innovation at Lloyd’s, said: “This report shows the increasing risk to businesses from cyber attacks as the global economy becomes more interconnected and reliant on technology.