ransomware attacks & best practices

Ransomware Attacks & Best Practices

By Emily Short


Ransomware attacks have quickly developed into one of the most significant and lethal threats to companies today.  The frequency and severity of these ransomware attacks have increased over the past year; they’ve also become more lucrative.  According to the 2019 NetDiligence Cyber Claims Study, the ransom demands in 2018 were double the five-year average ($72K vs $36K). The highest ransoms demanded that year were in excess of $1M.  We will spend some time reviewing ransomware attacks & best practices in this post.

This summer, ransomware attacks targeted almost all industries, but cities, towns, and government organizations were hit the hardest.

Ransomware Defined

Ransomware is a type of malicious software, also known as malware, that allows attackers to extort companies for financial gain.  They do this by blocking access to files on a computer or network until the company pays the ransom demand.  This type of malware generally is self-proliferating and encrypts data on the network, rendering it inaccessible and essentially useless. In order to decrypt the data, companies must pay the attacker a ransom or attempt to recreate or restore the data from backups.  It’s also not a given that you’ll get your data back in full after paying a ransom.

During this process, companies also suffer extended disruptions in their operations, and will likely deal with litigation and regulatory inquiries following the incident.  Once public, the reputational impact can be long-lasting.

Recent Ransomware Attacks

According to recent reports, ransomware attacks have increased by 195% from the fourth quarter of 2018 to the first quarter of 2019.  And no industry is immune: higher education, healthcare, municipalities, and shipping companies have all been hit.  The ransomware attacks on local and state governments have been so prevalent that the U.S. Conference of Mayors agreed it will no longer pay ransom demands from hackers, hoping to discourage continued attacks.

The resolution, which is not legally binding, states in part, “the United States Conference of Mayors has a vested interest in de-incentivizing these attacks to prevent further harm, therefore be it resolved that the United States Conference of Mayors stands united against paying ransoms in the event of an IT security breach.”  The resolution aligns the group with the FBI, which dissuades victims from paying the hackers.

However, the attacks don’t seem to have slowed down.  In August, 23 Texas towns were hit by a coordinated ransomware attack, according to the state’s Department of Information Resources.  The attacks started the morning of August 16th, and the Governor ordered a “Level 2 Escalated Response” following the incident.  The Governor also deployed cybersecurity experts to affected areas to assist with response.

The attacks in Texas follow recent state and local ransomware attacks in New York, Louisiana, Maryland, and Florida over the course of the summer.

In July, the Governor of Louisiana declared a cybersecurity state of emergency following a series of attacks on school districts throughout the state.  The declaration allowed Louisiana to access resources from the state’s national guard, technology office, state police, and other organizations.  According to the declaration, the state of emergency will remain in place until August 21 unless terminated sooner.  This is only the second time a state of emergency has been declared related to a cyber incident; Colorado declared one in 2018 after the Colorado Department of Transportation was hit with a ransomware attack.

Ransomware attacks have become so prevalent that the U.S. Senate just approved new legislation that authorizes the Department of Homeland Security (DHS) to help government agencies and private-sector companies combat ransomware attacks.  Under the proposed legislation, DHS would create response teams to assist with proactive measures to combat ransomware attacks, and help post-incident to restore infrastructure.  The legislation now goes to the House for approval.

Is it the Best Practice To Pay or Not to Pay?

In June, Lake City, Florida suffered a ransomware attack that crippled their systems for nearly two weeks.  They ultimately decided it would be cheaper and more effective to pay the hackers the 42 Bitcoin (approximately $462,000) demanded.  Riviera Beach, Florida also made the decision to pay the almost $600,000 demand after experiencing nearly two weeks of down time following a ransomware attack.  Based upon reports, both cities had insurance policies that covered the payment.

In contrast, the city of Baltimore refused to pay the $76,000 demand after they suffered a similar ransomware attack in May that resulted in a nearly month-long IT outage.  Recent reports indicate the attack cost the city an estimated $18M, and it will still be months before Baltimore’s systems are fully functional.  It turns out Baltimore did not have insurance to help respond to this incident, but they have since purchased $20M in cyber insurance.

Unfortunately, data recovery is not always a viable option whether or not a company pays the ransom demand.  In August, Wood Ranch Medical experienced a ransomware attack that infected its servers containing electronic medical records, which also spread to its back-up systems.  The medical provider was unable to recover the patient records, and ultimately made the decision to close its doors.

According to research by SentinelOne, 45% of organizations pay at least one ransom when hit by ransomware attacks.  The FBI discourages payment of the ransom demands; however, the determination whether to pay is ultimately a business decision.  Regardless, the FBI should be consulted during a ransomware attack.  In addition to providing resources, the FBI can gather intelligence about who’s conducting these activities, and hopefully that information can be used to apprehend the responsible individuals.

Ideally, the decision to pay or not pay will never come to fruition, but in reality, a company cannot completely prevent a cyberattack, and should be prepared to respond.  A number of “best practices” can be followed to reduce the risk of suffering an attack, and the consequences if one occurs.

Preventative Measures Against Ransomware Attacks & Best Practices

  • Regular Backups

Regularly backing up systems greatly reduces the impact of a ransomware attack.  If a company is able to access the backups during an attack, the company can restore the encrypted data and files without having to pay the ransom.  The backups need to occur regularly, and should be isolated from the company’s primary network, so the infection cannot spread and infect the backups.  It’s also important to make sure you know how to restore your data from a backup.

  • Patching

Because ransomware often takes advantage of software and computer vulnerabilities, it’s imperative companies keep all systems patched and up to date.

  • Education and Training

Human error is a leading cause of cyberattacks as the criminals prey on a user’s inattentiveness or lack of knowledge.  Employees should be able to recognize the signs of a phishing attack.  Links and attachments should be examined to confirm they are from reliable sources, and employees should never give out company or personal information in response to an email, letter, or phone call.  In addition to proactive education, employees should know who to alert and how to respond to a suspected ransomware attack.  Immediate response is necessary to limit the potential harm.


Even with the implementation of best practices, it’s likely a company will fall victim to a ransomware attack.  As part of a holistic risk management strategy, companies should consider purchasing a cyber liability insurance policy that can help them respond to a ransomware attack.  The policy will also help cover the financial impacts associated with such an attack beyond simply paying the ransom.

To learn more about some of the best cyber liability insurance carriers who will cover ransomware, check out our blog post on The Best Cyber Liability Insurance Carriers.