Some forms of cyber extortion are automated and not targeted at any specific victim. For example, “ransomware” refers to a type of malware that prevents users from accessing their systems unless, and until, a ransom is paid. Although variants of ransomware operate differently many encrypt the contents of a victim’s hard drive using asymmetric encryption in which the decryption key is stored on the attacker’s server and is available only after payment of the ransom. Victims typically discover the ransomware when they receive an on-screen message instructing them to transfer funds using an electronic currency, such as bitcoin, in order to receive the decryption key and access to their files. “CryptoLocker” is the most famous ransomware family and first appeared in 2013.

In November 2016, the FTC issued guidance for businesses on how to avoid and respond to ransomware attacks in its How to defend against ransomware1 and Ransomware – A closer look.2

The following provides a snapshot of information concerning ransomware:


The number of entities that reported being victimized by Ransomware over a six month period.3


The average ransom amount associated with ransomware.4


Percentage increase in new ransomware attacks.5

$200 - $5,000

Typical range of ransomware demands.6

What to think about if your organization is impacted by ransomware:

  1. Is the ransomware designed to export data before encrypting it?
  2. If so did the impacted data contain any personally identifiable information that might implicate a data breach notification statute?
  3. Is it possible for your organization to recover the impacted files using backup systems?
  4. Is the variant of ransomware involved associated with a known criminal enterprise?
  5. Should your organization contact law enforcement?
  6. Should your organization make the attack publicly known?
  7. If your organization were to pay the ransom demand, is it likely that the recipient of the funds may be associated with terrorism or located in a restricted country?
  8. Is cyber-extortion and/or ransomware covered under your cyber insurance policy?
  9. What systems within your organization are at the greatest risk of a ransomware attack, and are they protected?
  10. Have you prepared sufficient backups of critical systems and data?