The Cost of Attacks Has Dropped to ‘Almost Zero’—With Ransomware Now Utilizing AI Agents, What Is the Monthly Cost for Small and Medium Enterprises to Defend Themselves?

The Cost of Attacks Has Plummeted. What Should Defenders Do? Let's get straight to the point. AI agents have begun to b

By Kai

|

Related Articles

The Cost of Attacks Has Plummeted. What Should Defenders Do?

Let’s get straight to the point. AI agents have begun to be used in ransomware attacks. This is not about “attacks becoming smarter.” It’s about the dramatic decrease in the cost of attacks.

Until now, launching a ransomware attack required a person with a certain level of skill. They would investigate the target’s network configuration, search for vulnerabilities, and design an intrusion path. This process took time and incurred labor costs. Therefore, attackers targeted large companies that were “worth it.”

That structure is beginning to break down.

The ransomware group known as “JadePuffer” is reported to have automated the processes from reconnaissance to phishing email generation, vulnerability scanning, and initial intrusion using AI agents. By having AI replace tasks previously performed by humans, the cost per attack has significantly decreased.

What this means is simple. The notion that “small companies won’t be targeted” no longer holds.

As the cost of attacks decreases, even small and medium enterprises with a ransom of 1 million yen become “worth it” targets. If they attack 500 companies simultaneously and manage to extract 1 million yen from 10 of them, that’s 10 million yen. The operational cost of AI agents is nearly zero. This presents a lucrative business for attackers.

What Has Changed—The Content of Attack “Automation”

What stands out about JadePuffer’s methods is that each phase of the attack is executed in a chain by AI agents.

Phase 1: Automation of Reconnaissance
AI agents crawl publicly available information (company websites, social media, job postings, etc.) to automatically grasp the software being used, naming conventions for email addresses, and organizational structure. Tasks that previously took attackers several days can now be completed in just a few minutes.

Phase 2: Generation of Phishing Emails
Based on the information gathered during reconnaissance, AI automatically generates phishing emails tailored to the target company’s industry, clients, and contact names. Instead of generic phrases like “Please check regarding the invoice,” highly accurate emails using real client names are created. Security companies have reported that AI-generated phishing emails have an opening rate approximately 2.5 times higher than traditional ones.

Phase 3: Vulnerability Exploration and Intrusion
Once malware is executed via email, AI agents scan the internal network and automatically identify unpatched servers and outdated VPN equipment. This phase also requires no human intervention.

In other words, it’s not that the “quality” of attacks has improved, but rather that the “mass production” of attacks has become possible. This is the fundamental change.

The Reality of Damage—In the Case of Small and Medium Enterprises

So, how much would it actually cost if an attack occurred?

Based on reports from the IPA (Information-technology Promotion Agency) and various security vendors, the structure of damages incurred by small and medium enterprises with fewer than 100 employees in the event of a ransomware attack is as follows:

Item Amount (Approximate)
Ransom (if paid) 1,000,000 to 5,000,000 yen
Lost profits due to business interruption (average 23 days) 2,000,000 to 8,000,000 yen
Recovery and investigation costs 1,000,000 to 3,000,000 yen
Damage to reputation and client relations Difficult to quantify
Total 4,000,000 to 16,000,000 yen

A rough estimate of the median would be about 7,000,000 yen. Even without paying the ransom, business interruption alone can result in losses of several million yen. If a company with 30 employees is out of operation for 23 days, that alone could lead to losses in the hundreds of thousands of yen based on revenue.

Moreover, this is the cost of a “single” incident. Companies that have been attacked once are reported to be listed as “paying companies” and may be targeted again.

How Much Should One Pay Monthly to “Break Even”?—Organized in Three Levels

Now we get to the main topic. Based on the damage amount of 7,000,000 yen, let’s consider the break-even point for security investments.

Level 1: Under 10,000 yen per month—”Locking the Door” Level

What to Do:

  • Lease a UTM (Unified Threat Management) device (5,000 to 8,000 yen per month)
  • Implement cloud-based antivirus (500 yen per month × 20 devices = 10,000 yen per month)
  • Automate Windows updates and firmware updates

Monthly Cost: Approximately 15,000 yen (Annual Cost: 180,000 yen)

To be honest, this level is insufficient against attacks using AI agents. However, the state of being “left unpatched” or “without a firewall” is akin to leaving the front door wide open. Simply closing this door could significantly reduce the chances of being on the “easy target” list generated by automated scans.

Break-even Point: 180,000 yen per year × 39 years = 7,000,000 yen. Calculating that you would break even only if you have zero incidents for 39 years is misleading. The percentage of small and medium enterprises experiencing ransomware attacks is increasing year by year, with some surveys indicating that about 1 in 4 small businesses have experienced some form of cyber attack. Considering expected loss amounts, an annual investment of 180,000 yen is quite cheap as “insurance.”

Level 2: 30,000 to 50,000 yen per month—”Detect and Stop” Level

What to Do:

  • Implement EDR (Endpoint Detection and Response) (20,000 to 30,000 yen per month)
  • Automate cloud backups (5,000 to 10,000 yen per month)
  • Conduct phishing training emails twice a year (100,000 yen per year = about 8,000 yen per month)

Monthly Cost: Approximately 40,000 yen (Annual Cost: 480,000 yen)

I believe this level represents the practical defense line for small and medium enterprises. There are two reasons for this.

First, by implementing EDR, you can detect and isolate threats “after an intrusion.” While attacks by AI agents are automated up to the point of intrusion, many cases are caught by EDR during the lateral movement that follows. It’s not perfect, but the probability of stopping the spread of damage increases significantly.

Second, cloud backups. The essence of ransomware is to “take data hostage.” If backups are stored in a separate location and managed in generations, there’s no need to pay the ransom. The time required for recovery can be reduced to a few days. If the business interruption of 23 days is shortened to 3 days, lost profits can decrease by several million yen.

Phishing training may seem mundane, but it is effective. Data shows that the phishing email opening rate among trained employees decreases by about 60% compared to those who are untrained. Even if AI creates sophisticated emails, if employees have the habit of “not opening emails they find suspicious,” initial intrusions can be prevented.

Break-even Point: An investment of 480,000 yen per year can recover about 14.5 years of investment if it prevents a 7,000,000 yen loss once. Considering the probability of experiencing a ransomware attack within three years, this is a sufficiently “worthwhile” investment.

Level 3: 100,000 to 150,000 yen per month—”Sleep Easy” Level

What to Do:

  • Outsource SOC (Security Operations Center) (80,000 to 120,000 yen per month)
  • Conduct regular vulnerability assessments (quarterly)
  • Outsource initial incident response actions

Monthly Cost: Approximately 120,000 yen (Annual Cost: 1,440,000 yen)

It’s impossible for small and medium enterprises to monitor 24/7 on their own. Outsourcing SOC is like “renting a security expert team for 120,000 yen a month.” Previously, this would have cost over 500,000 yen per month, but the proliferation of cloud-based SOC services has driven prices down.

However, to be honest, whether this level is necessary for companies with fewer than 50 employees depends on the industry. There are increasing cases in healthcare, finance, and manufacturing where clients demand “proof of security measures.” For such companies, this level of investment is not a “security cost” but a necessary expense for continuing business.

So, What Should Small and Medium Enterprises Do?

While I’ve laid out the three levels, the first step should be Level 2. 40,000 yen per month.

The reason is simple. Level 1 only “makes you less likely to be targeted” but does not stop you if you are targeted. Level 3 is highly effective but is overkill for many small and medium enterprises. The combination of Level 2’s “EDR + Backup + Phishing Training” offers the best balance of cost and effectiveness.

Additionally, there’s one more important point. This is not just an “IT department’s job”; it’s a “management decision.”

If you feel that 40,000 yen per month is “expensive,” consider this: When your business is halted for 23 days due to a ransomware attack, who bears that loss? Delays in delivery to clients, leakage of customer data, and loss of trust. If you can hedge these risks for 40,000 yen a month, it offers better cost-effectiveness than fire insurance.

What Defenders Should Do in an Era Where Attackers’ Costs Have Decreased

With the emergence of AI agents, the cost structure of attacks has fundamentally changed. This is not a temporary trend. The automation of attacks will continue to advance.

However, defenders also have the same weapons at their disposal. EDR and SOC are evolving with AI. The costs of cloud backups are decreasing year by year. A defense system that cost 300,000 yen per month five years ago can now be established for 40,000 yen per month.

If the cost of attacks has decreased, the cost of defense has also decreased. The question is whether you are aware of this and whether management will take action.

“Small companies like ours won’t be targeted”—that common belief has been shattered by AI agents. There’s no reason to postpone the decision of 40,000 yen until next month.

POPULAR ARTICLES

Related Articles

POPULAR ARTICLES

JP JA US EN