Ransomware attacks can cost organizations huge amounts of money, and their frequency is on the rise. Ransoms range from thousands to millions of dollars. If the ransom isn’t paid or the attacker withholds the decryption key, the resulting data loss and downtime can cripple a business.
But how do investors react to ransomware attacks? Do share prices on Wall Street reflect the damage and security posture of attacked companies? In this report, we’ll attempt to answer those questions.
Comparitech researchers analyzed historical share price data of 106 companies listed on the New York Stock Exchange. For each stock, we pulled the closing share prices ranging from six months prior to a ransomware attack being publicly reported to six months after. For better context, share price fluctuations were measured against the NASDAQ over the same periods of time. We additionally broke down the data by the type of malware used, time of the incident, and industry.
Key findings
On the whole, ransomware attacks don’t appear to have much of an impact on share prices. But when we break down the data by date, industry, and ransomware strain, we can see which factors have a greater influence.
- Six months after a ransomware attack, share prices went up 10.6% on average, but underperformed the market (NASDAQ) by 2.05%
- Immediately after an attack, share prices fall 0.76 percent (-1.2% vs NASDAQ) and recover to their prior prices after four days on average
- Ransomware attacks that occurred in the last three years had a more dramatic impact (-12.01% vs NASDAQ) than earlier ransomware attacks (+16.26% vs NASDAQ)
- Companies in the finance industry saw the biggest drops in share price following a ransomware attack, followed by food and beverage companies and business and professional services
- Dunghill Leak, ALPHV/Blackcat, and BlackBasta ransomware strains had the greatest impact on share price
Do ransomware attacks influence stock market share prices?
Across all stocks analyzed, share prices during the six months prior to attack rose 1.12% on average, and underperformed the NASDAQ by 8.2%
In the six months following an attack, share prices rose 10.59% on average, and underperformed the NASDAQ by 2.1%.
Immediately following an attack, stocks dropped 0.8% on average (-1.2% vs NASDAQ), but on average they recovered back to their pre-attack prices after four days.
If you were to only look at overall averages, you might be led to believe that ransomware only has a negligible impact on share price. But keep reading to see what factors influence share prices the most following a ransomware attack.
Year of attack
Investors have started taking ransomware attacks much more seriously now than in the past, according to our analysis.
Companies that disclosed attacks prior to 2022 ultimately outperformed the NASDAQ by 16.6%. Companies that disclosed attacks in or after 2022 underperformed the NASDAQ by 12%. That’s a difference of 28.6% in share price performance versus the market. The date of attack has a stronger correlation to share price than any other factor we looked at.
Industry
We assigned each stock an industry: business and professional services, construction, entertainment, finance, food and beverage, healthcare, manufacturing, retail, technology, transportation, travel and hospitality, and utilities.
Finance companies took the biggest hit following a ransomware attack, underperforming the market by 24.3 percent after six months. Finance was followed by food and beverage (-18.4%) and business and professional services (-17.9%).
Companies in travel and hospitality (+28.7%) and entertainment (+20.79%) were the most resilient.
The remaining industries only saw small ups or downs versus the NASDAQ: healthcare (+2.87%), manufacturing (-2.52%), retail (-2.96%), and technology (+1.97%).
Ransomware strain
Ransomware comes in many strains, and typically each strain can be attributed to a specific group of cybercriminals. Which ransomware strain a company is attacked correlates somewhat with share price performance.
Dunghill Leak had the greatest influence on stock price, though it only accounted for four attacks in our data set, which is not very statistically significant. Share prices of companies hit by Dunghill Leak underperformed the market by 29.8% after six months.
Dunghill Leak is followed by ALPHV/BlackCat (-16.4%), BlackBasta (-14.7%), and Lapsus (-8.0%). These strains appear to have a greater impact on the companies they attack than others.
Maze (+5.67%) and REvil (+5.1%) had the least impact on share prices.
Methodology
Comparitech analyzed historical stock data for 106 companies listed on the New York Stock Exchange that have confirmed ransomware attacks. For each stock, we pull closing share prices for the six months prior to reporting the incident, and the six months after.
Looking at whether share prices simply went up or down has limited usefulness, because it doesn’t take into account external market forces and trends. To account for this, we also gathered historical share prices for a NASDAQ composite index. We compared the percent change in share price of each stock versus the percent change in the NASDAQ index price over the same period of time.
Here’s the formula:
(((Share price on day X after attack)/(Share price on day prior to attack)-1)100) – (((NASDAQ price on day X after attack)/(NASDAQ on the day prior to attack)-1)100)
Historical stock data was downloaded in March 2024.
We use daily means to present our findings in this article, but we additionally include polynomial trend lines in our visualizations to better represent the data.
Limitations
When Comparitech first ran this study in 2018, we only had 24 companies to analyze, which was too few to derive much useful information. The 2024 update covers 106 companies, which is much more statistically significant.
As with any financial market study, a huge slew of factors could affect stock price that we cannot account for. While we’ve tried to minimize blind spots by comparing share price performance against that of the NASDAQ, there are bound to be some unexplained inconsistencies.
Ransomware attacks are often accompanied by data breaches. A data breach or some other cybersecurity misstep could have a separate impact from that of the ransomware that is not reflected in the data. For more info, read our report on how data breaches affect stock market prices.
Quarterly financial reports could have an impact on share prices that also results from ransomware. Companies might reveal information that influences investors in a requisite quarterly report, such as damages resulting from ransomware and investments in data security. Because we analyze historical data based on the date that a ransomware incident is reported, the impact of a financial report released months later would not be reflected in our findings.
Although our performance analysis starts on the day of disclosure, ransomware attacks often begin days or weeks earlier. It’s possible that some investors found out about an incident and swayed the share price prior to public disclosure.
Unless expressly stated, we do not know whether ransoms were paid. Many companies who do pay ransoms prefer not to disclose whether they did so or the amount so as not to encourage more attacks.