TORONTO -- Ransomware attacks, where a virus infects a computer or network and holds a user or organization’s data “hostage” until a ransom is paid, cost businesses and organizations in Canada as much as $2.3 billion last year, according to a report released this week.

The report by anti-malware software company Emsisoft estimated that ransom demands in Canada totalled between almost US$65 million to nearly US$260 million last year. When downtime costs were factored in, the impact was between US$440.1 million and US$1.76 billion -- or $2.3 billion in Canadian figures.

“Even our higher-end estimates as to the total costs ... is probably at the lower-end of the scale,” said Brett Callow, a threat analyst with Emsisoft.

The report used an “extremely conservative” figure of US$10,000 per day in downtime cost to illustrate the magnitude. For many businesses, it will likely be much higher, he said. Research and advisory consulting firm Gartner had previously put the average at more than $5,600 per minute.

“It’s absolutely paralyzing. Many businesses completely grind to a halt,” Callow added.

“And if you do the calculation on a per capita basis, Canada is actually fairing worse than the U.S.”

Callow said it was impossible to know whether ransomware groups were targeting this geographic region more heavily or whether organizations in Canada were more vulnerable to attacks.

The report looked at ransom demand costs and downtime costs of 10 countries around the world and estimated a combined total of US$169 billion. It calculated the figures based on the number of incidents that were submitted to ID Ransomware, a service that allows users to identify what kind of ransomware is used in the attack and whether it can be decrypted free.

“Ransomware attackers generally take a ‘spray and pray’ approach. It’s a matter of scanning the internet for vulnerable systems that they can exploit,” Callow said.

Ninety per cent of successful hits are initiated through things like email, malicious attachments, improperly secured remote access solutions, internet-facing services that need to be patched, or aren’t protected by two-factor authentication. An attack typically encrypts as much of a victim’s data as possible.

Not everyone who has been breached will report the incident, said Callow. Some recover their data from a back-up, others may not be aware data recovery services are available and simply pay the ransom.

In the beginning, ransom demands were for a few hundred dollars, Callow said. Today, the average is US$84,000. “Based on what we’re seeing over recent weeks, that’s probably closer to US$100,000 now, perhaps even above that.”

Ransomware is also becoming more and more specialized, and targeting larger businesses, prompting more businesses to take out further insurance, Callow said, “which means they can afford to pay more. And the threat actors are taking advantage of that and gradually pushing up the amounts they’re asking for.”

Attackers have also begun stealing a copy of the data to threaten organizations who refuse to pay. In the U.S., companies, health care providers, law firms, and even a local government have all seen their data released online as a consequence, Callow said.

To mitigate an attack, companies should filter their email, provide staff with security awareness training, make sure systems are properly patched, and that remote access into a company’s network is secure, said Callow.

Smaller organizations and businesses who outsource their IT need to be aware that attacks can also come through third-party service providers who are breached. There is no ideal way to vet the security of these third-party firms, Callow said, but asking questions and seeking advice from peers to find out which companies they recommend are helpful.