Some forms of cyber extortion are automated and not targeted at any specific victim. For example, “ransomware” refers to a type of malware that prevents users from accessing their systems unless, and until, a ransom is paid. Although variants of ransomware operate differently many encrypt the contents of a victim’s hard drive using asymmetric encryption in which the decryption key is stored on the attacker’s server and is available only after payment of the ransom. Victims typically discover the ransomware when they receive an on-screen message instructing them to transfer funds using an electronic currency, such as bitcoin, in order to receive the decryption key and access to their files. “CryptoLocker” is the most famous ransomware family and first appeared in 2013.

The real cost of ransomware is downtime and lost productivity due to lack of access to systems for customers and employees. Damage to brand or reputation that occurs as a result of the downtime can also be substantial.

In November 2016, the FTC issued guidance for businesses on how to avoid and respond to ransomware attacks in its How to defend against ransomware1 and Ransomware – A closer look.2

The following provides a snapshot of information concerning ransomware:


The number of entities that reported being victimized by ransomware in 2016.3


The average ransom amount associated with ransomware.4

1 in 5

Businesses that paid the ransom never got their data back.5

Every 40 seconds

A company is hit with ransomware.6

$5,000 - $20,000

Typical range per day of lost business and damages due to ransomware downtime.7

What to think about if your organization is impacted by ransomware:

  1. Is the ransomware designed to export data before encrypting it?
  2. If so did the impacted data contain any personally identifiable information that might implicate a data breach notification statute?
  3. Is it possible for your organization to recover the impacted files using backup systems?
  4. Is the variant of ransomware involved associated with a known criminal enterprise?
  5. Should your organization contact law enforcement?
  6. Should your organization make the attack publicly known?
  7. If your organization were to pay the ransom demand, is it likely that the recipient of the funds may be associated with terrorism or located in a restricted country?
  8. Is cyber-extortion and/or ransomware covered under your cyber insurance policy?
  9. What systems within your organization are at the greatest risk of a ransomware attack, and are they protected?
  10. Have you prepared sufficient backups of critical systems and data?