Posted In: Business Transactions & Corporate Counseling & Cybersecurity & Data Privacy
Corporate TIPS Blog: Ransomware Attacks: Protections Against the Greatest Online Threat for Business
By Craig S. Horbus & Jarman J. Smith (Summer Associate) on June 12, 2019
As cyberattacks become more prevalent, ransomware stands out as one of the most dangerous threats to businesses. In the past two years, ransomware attacks have increased over 97%,i yielding yearly revenues of $25+ million for hackers and costing businesses more than $75 billion per year.ii In 2018, companies spent an average of $369,000 responding to ransomware attacks, and over 60% of businesses reported being hit by one or more of these attacks globally.iii With the number of yearly ransomware victims being estimated in the millions, larger companies have become popular targets.iv
Ransomware is a form of malware that has become the tool of choice for cybercriminals. During a ransomware attack, the hacker breaches a business’s data and/or computer network and uses encryption methods to prevent users from accessing it.v The data or network is held hostage until a ransom is paid, and the ransom demand typically requires victims to pay through Bitcoin or other forms of untraceable cryptocurrency.v Attacks often begin when an employee receives a deceiving “phishing” email that tricks the user into clicking a malicious attachment or a URL link.v However, this is not the only vector for ransomware attacks. Hackers can exploit several vulnerabilities within a user’s computer system to launch the virus, and the resulting impact of a ransomware infection can be devastating. A virus can begin on one device and rapidly spread throughout an entire corporate network, encrypting everything from shared devices to backup servers -- potentially crippling all of a company’s operations.v
Hackers are targeting larger entities and demanding higher ransoms, making the threat of ransomware more alarming now than ever before.vi Recent data breaches and attacks demonstrate how vulnerable businesses and organizations are to ransomware. For example, WannaCry, a ransomware variant that emerged in 2017, attacked over 200,000 computers in approximately 150 countries in just four days.vii Britain’s National Health Service, a victim of WannaCry, reported costs totaling more than $100 million to mitigate the ransomware damage.vii In that same year, FedEx reported that it spent over $300 million in response to an attack by another ransomware variant known as NotPetya.i Ryuk, yet another ransomware variant, extorted 705 Bitcoins from corporate victims in a matter of five months in 2018, for an estimated worth of $3.7 million.viii The lowest Ryuk ransom demand was 1.7 Bitcoins which roughly converts to $14,000 and the highest Ryuk ransom was for 99 Bitcoins which roughly converts to $830,000.viii Moreover, the City of Atlanta was targeted by the SamSam ransomware variant in 2018, which demanded a ransom of $50,000.i Atlanta ultimately spent over $5 million in response efforts,i which demonstrates how the total cost of an attack can far exceed the initial ransom demand due to expenses related to system downtime, hiring IT support, and restoring data and/or computer networks.
More recently, a ransomware attack disabled email, flight and baggage information screens at the Cleveland Hopkins International Airport in April 2019.ix The airport’s computer systems involved in the attack were offline for nearly a week.ix
What precautions can be taken against ransomware?
Malware developers are continually creating and releasing over 100,000 new variants of ransomware daily, thus making it impossible to attain absolute protection against an attack.x However, implementing the following security measures can greatly reduce the risk of a ransomware attack or diminish its impact.
- Seek advice from your legal counsel who can provide a variety of services to inform users of important data privacy and cybersecurity information, and to assist with implementing security protocols. Gaining an understanding of data privacy laws can help your business avoid potential state and/or federal violations.
- Regularly conduct system backups and instruct your IT staff to re-engineer backed-up data so that it is not vulnerable to attack. If ransomware hackers gain access to your data backups, their ransom demands may increase. It is also important to regularly update your computer networks and to patch any known vulnerabilities.
- Hold end-user training sessions to educate employees on how to identify suspicious communications that may contain ransomware. A single training session can reduce the risk of a successful phishing attack by 20%.x
- Use firewalls, antivirus software, ad-blockers, and email scanning services to prevent suspicious communications from reaching your network and to warn users of suspicious websites, links, and attachments.
- Stay updated on cybersecurity information by following sources such as the ABA’s Cyber Security Legal Taskforce, the Better Business Bureau, FTC scam alerts, and the FBI’s ransomware prevention and business continuity guidance notes.
What should be done in response to a ransomware attack?
Despite putting forth your best efforts, your computer system may still be attacked by ransomware. If this occurs, you should take action immediately to mitigate the damage.
- Contact your legal counsel for assistance with incident response and compliance requirements for consumer breach notifications that fall under specific data privacy regulations.
- Contact your IT department to determine whether data restoration is feasible and to reassess your network’s security to determine how the breach occurred.
- Work with your team of advisors to consider whether paying the ransom is a viable solution. Although there is no absolute guarantee that you will regain access to your data or network when dealing with variants that rely on exceptionally strong encryption methods, your options may essentially be limited to paying the ransom or losing the data. It’s certainly a tough decision, but it’s one you won’t have to make alone.
i Bojana Dobran, 27 Terrifying Ransomware Statistics & Facts You Need To Read, PhoenixNAP (January 31, 2019), https://phoenixnap.com/blog/ransomware-statistics-facts.
ii Sam Cook, 2017-2019 Ransomware statistics and facts, CompariTech (Aug. 25, 2018),
iii Najiyya Budaly, Law360, Cyberattack Reports Surge to 61% in 2018, Insurer Reveals (April 23, 2019).
iv Juliana De Groot, A History of Ransomware Attacks: The Biggest and Worst Ransomware Attacks of All Time, Date Insider (Jan. 3, 2019), https://digitalguardian.com/blog/history-ransomware-attacks-biggest-and-worst-ransomware-attacks-all-time.
v John R. Stark, Ransomware’s Dirty Little Secret: Most Corporate Victims Pay, Law360 (Feb. 6, 2019), https://www.law360.com/articles/1123819/ransomware-s-dirty-little-secret-most-corporate-victims-pay.
vi Michele Gorman, GC Cheat Sheet: The Hottest Corporate News of The Week, Law360 (May 24, 2019), https://www.law360.com/articles/1162527/gc-cheat-sheet-the-hottest-corporate-news-of-the-week.
vii Chris Brunah, Ransomware News: WannaCry Attack Costs NHS Over $100 Million, Datto (Oct. 18, 2018), https://www.datto.com/blog/ransomware-news-wannacry-attack-costs-nhs-over-100-million.
viii David Canellis, Ryuk ransomware earns hackers $3.7M in Bitcoin over 5 months, TNW (Jan. 14, 2019), https://thenextweb.com/hardfork/2019/01/14/ryuk-bitcoin-ransomware/.
ix Mark Naymik, Cleveland Breaks Silence on Airport Ransomware Attack, Government Technology (April 29, 2019),
x Sharon D. Nelson, John W. Simek, Column, Managing Your Practice: The Ransomware Epidemic and How to Protect Your Law Firm, 78-MAY OR. ST. B. BULL. 26 (2018).
This blog is intended to provide information generally and to identify general legal requirements. It is not intended as a form of, or as a substitute for legal advice. Such advice should always come from in-house or retained counsel. Moreover, if this Blog in any way seems to contradict advice of counsel, counsel's opinion should control over anything written herein. No attorney client relationship is created or implied by this Blog. © 2022 Brouse McDowell. All rights reserved.