This article is more than 1 year old

Ryuk ransomware recovery cost us $8.1m and counting, says Baltimore school authority

Spreadsheet breaks down spend on staving off future badness

An organisation whose network was infected by Ryuk ransomware has spent $8.1m over seven months recovering from it – and that’s still not the end of it, according to US news reports.

The sum, spent by Baltimore County Public Schools, will doubtless raise some eyebrows and the public breakdown of the costs will be eye-opening for the infosec industry and potential corporate ransomware victims alike.

A spreadsheet obtained by Fox 45 News Baltimore, a TV station, revealed the $8.1m spending and also broke it down into individual line items.

Of the full sum, $2m alone was spent on “ERP cloud transition and recovery” with provider CGI. A Dell (VMware) Carbon Black cloud-based endpoint security licence for one year of Windows protection came in at $699,298, while $606,648 was spent on device monitoring and tracking.

Just $2m of the $8m spend was covered by insurance, the spreadsheet showed, also noting $11,500 in ransomware negotiation costs. There was no line item explaining whether a ransom was paid or if so, how much it was.

As we reported when it first happened, the BCPS network was infected by Ryuk ransomware in November last year. 115,000 children were unable to access remote classes (being held online due to the pandemic) and were cut off from school for a week while administrators rebuilt critical systems.

The attention of news outlets moved on after a few days (possibly a result of BCPS’ $50,000 spend with FTI Consulting on PR advice), but the enduring tech and financial damage is still being felt months later.

Infosec firm Sophos said in April that the average cost of getting over a ransomware attack is $2m, a sum that “has more than doubled in a year”. Last year French-headquartered IT outsourcer Sopra Steria said a Ryuk attack was set to cost it between 40 and 50 million euros after “a previously unknown strain” compromised its Active Directory server.

Ryuk is one of a handful of high-profile ransomware strains being deployed as part of the ransomware-as-a-service market against predominantly Western targets.

Today, US president Joe Biden and Russian president Vladimir Putin are due to meet for the first time; among other topics, Biden will be raising the issue of Russia’s shielding of ransomware gangs from legal consequences for their actions. ®

More about

More about

More about


Send us news

Other stories you might like