There were nearly half a million ransomware infections reported globally last year, costing organizations at least $6.3bn in ransom demands alone, according to estimates from Emsisoft.

The security vendor analyzed submissions to the ID Ransomware identification service during 2019 and found a total of 452,121 records.

However, around half of these were related to a type of ransomware called STOP which is mainly targeted at home users, so its financial calculations are based on more like 226,000 victims.

What’s more, the firm estimated that only around 25% of organizations affected by ransomware use the ID Ransomware service, so it provided both a minimum cost based on 50% of submissions and a larger figure based on four-times that number.

With the average ransom demand around $84,000 and roughly a third of firms paying up, Emisoft estimated minimum global costs at $6.3bn and a higher figure at $25bn.

Working out downtime costs was harder, the firm admitted.  

“Gartner previously put the average at more than $5600 per minute – so we have used the extremely conservative figure of $10,000 per day,” it explained. “This figure has no basis in reality and we have included it simply to illustrate the enormity of the costs. The actual costs are almost certainly much higher.”

When combined with ransom payments, downtime of 16 days would mean that globally, firms spent at least $42.4bn on ransomware last year. The higher figure, taking into account those that didn’t report incidents to ID Ransomware, is estimated at a staggering $170bn.

That’s in stark contrast to the FBI report released this week, which claimed that losses reached just $9m last year. However, the caveats are that just 2047 cases were reported to the Feds in 2019, and the FBI admitted that its calculations did not include “lost business, time, wages, files, or equipment, or any third party remediation services acquired by a victim.”

Stay up-to-date with the latest information security trends and topics by registering for Infosecurity Magazine’s next Online Summit. Find out more here.

Emisoft claimed that an accurate estimation of the scale of financial damage caused by ransomware was not the point of the exercise.

“The intention of this report is not to accurately estimate the costs, which is impossible due to a dearth of data, but rather to shine a light on the massive economic impact of these incidents in the hope that doing so will help governments and law enforcement agencies formulate a proportionate response to the ransomware crisis,” it concluded.