Ransomware is a top threat for advisors, accounting for a high percentage of cyber attacks. Yet more than half of organizations may be underprepared.
For non-technical professionals, questions abound. Since incidents vary so much from one attack to the next, many aren’t sure of their risks or what to do about them. Here’s what you should know about ransomware and how the right cybersecurity plan can help protect your firm.
What Is Ransomware?
Ransomware is the term for a type of malicious software or “malware” that involves a demand for ransom. This is a particularly dangerous type of cybercrime due to the far-reaching consequences it can cause for a business, and unfortunately, it’s become very common.
Ransomware works by installing malicious code on a computer or network. This can happen when a user downloads an infected email attachment, clicks a malicious link or visits a fraudulent or compromised website. Computers can also become infected due to incorrect technical settings, when a system or network is missing important security patches or updates, or through other weaknesses. The ransomware is usually programmed to lock up the files on a device and display a screen with instructions for paying a large ransom with the promise of returning the files.
While most other forms of malware cast a wide net, ransomware tends to target key industries with valuable private data, including law, medicine, finance, government and infrastructure. Of particular concern, ransomware hackers often target specific businesses within these industries. Paying the ransom offers no guarantee that access to your files will be returned and many past attacks have ended with the victim’s affected data being publicly exposed.
What’s Involved in a Ransomware Attack?
Ransomware attacks are more complex than many other types of cyber attacks. They’re designed to have three distinct stages:
- Compromise: A ransomware attack compromises your computer system. Methods can vary, from malware and phishing emails to incorrect IT configurations, missing security patches, tainted software installs and removable media like USB drives. But one way or another, the threat actor gains the ability to install malicious code on a computer terminal or its network.
- Deployment: The ransomware attack is deployed after gaining access to the system. Once the malware is on your computer or its network, the ransomware hacker can get to work. They start by looking for high business-impact resources — files that are crucial to managing the organization or its operations, fulfilling orders or serving clients or customers. This data is read, and sometimes copied or removed, and then your copy is typically encrypted by the ransomware so that it is inaccessible.
- Extortion: The ransomware attack prompts the user for payment of a ransom. This tactic of figuratively holding the user’s data hostage is where ransomware gets its name. With critical files or even your whole computer system locked up, you face business interruption, missed deadlines, reputational damage, revenue losses or worse. Hackers hope to extort you into paying them in order to quickly get things going again. These ransoms are almost always requested in the form of bitcoin or another common cryptocurrency, making it nearly impossible to trace the transactions back to the ransomware attacker after the money is sent.
Not all ransomware attacks will include all three of these attack stages. Some may be discovered and stopped before they can be completed, either by automated cybersecurity tools or IT personnel. In other cases, a threat actor may abandon a particular attack, though they may return to try again later.
Notably, about 30% of recent attacks did not involve the victim’s data being locked up or encrypted so that it was inaccessible — instead, a copy was merely stolen. While this sounds preferable to days, weeks or potentially months of interrupted operations, the theft of business files, IP and customer records is high risk. Such data is often exposed publicly or sold on the dark web, even if a ransom is paid.
What Are the Risks to Businesses?
Cybercrime is a broad category of risks, but the ransomware risk stands out from the rest. In one IBM report, over one-quarter (27%) of malicious data breach incidents involved ransomware. The particular risks businesses face from a ransomware attack are many.
Financial Losses
With a ransom demand at the center of the attack, financial losses are a key risk of ransomware. The sums demanded and paid have crept up over the years and now routinely top a million dollars. According to Sophos, the average initial demand in 2024 was $4.32 million. Not all ransomware victims cooperated with such criminal demands, but for those who did pay ransoms, the average payment made in 2023 was $1.54 million, spiking to $3.96 million in 2024. It’s not clear yet whether this higher cost is an anomaly or will become the new normal.
While ransoms aren’t paid in every case, it’s an increasingly common practice. Businesses often pay a substantial portion of these amounts themselves, with assistance from parent companies or insurance payouts also contributing.
However, ransom payments aren’t the only financial costs a business can expect in a ransomware attack. Technical forensic analyses and other cyber consulting services to handle the attack, incident communications, PR and legal services to manage the business impact, and discounts, incentives and identity theft protection to restore trust with clients and customers all play a role. Work stoppages, diverted resources and lost business opportunities can also have a cost to the business. All told, the average ransomware attack costs a business about $5.13 million according to a 2023 study from IBM.
Data Loss
Because ransomware locks up the data of targeted businesses with its malware encryption, data loss is another top risk associated with an attack. In one report from Thales Group, 67% of survey respondents victimized by ransomware in 2023 reported a loss of at least some data as a result of the attack.
Data loss may be temporary, with access regained after paying the ransom or halting the attack and restoring from backups. It also may be partial, since not all ransomware will target every file on your computer system.
However, threat actors know the incentive to pay is heightened if victims don’t have other options. In 2024, Sophos reported that 94% of attacks attempted to target victims’ backup systems in addition to their primary data files. Without such backups, the targeted business may have little chance of getting its client files, business records and intellectual property back without paying the ransom.
Second-Order Effects
Ransomware attacks can have other wider risks, beyond upfront costs and lost data. Full or partial business interruption of a few days to weeks or months is not uncommon. A recent law requires publicly traded companies to report any significant cyber incident to the SEC as soon as it becomes known. These reports are public and can have broad implications for a business. Serious ransomware attacks can also impact businesses over the long term, harming reputations, relationships and annual growth.
What Steps Should Businesses Take?
Another reason the risk of ransomware remains high is that few businesses have properly prepared. Less than 50% of businesses have taken the necessary steps to prevent or mitigate attacks according to Thales Group. However, businesses like yours can take proactive steps that minimize the risk of a ransomware attack occurring and lessen its impact if one does occur.
To start, your firm can collaborate with your experts in IT, security and other areas to implement these basic technical cybersecurity controls:
- Enable multifactor authentication on all devices
- Establish the principle of “least privilege”
- Utilize scanning and filtering solutions
- Implement an antivirus software tool
- Put firewall protections in place
- Use endpoint detection and response tools
- Roll out security monitoring procedures
- Keep backups off-site, encrypted and tested
- Update hardware and software regularly
- Segment your computer network
- Create and test incident response and continuity plans
- Audit third-party vendors’ cybersecurity practices
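The "endpoint detection and response" and "security monitoring" items above are where the deployment stage described earlier is usually caught. As an added example that is not code from this article or from Lockton, the Python script below runs two simple heuristic rules over a constructed file-system audit log: a burst of files renamed or written by one process within a short window (mass encryption in progress), and the same ransom-note-like file appearing in several directories. The pipe-delimited log format, the sample events, the process name svc_update.exe, the .locked extension and the thresholds are all assumptions chosen for illustration, not indicators from any real incident.

```python
"""Heuristic ransomware-behaviour detector over file-event audit logs.

Added example, not part of the original article. Log format, sample
events and thresholds are assumptions chosen for illustration.
"""
from collections import Counter, defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
import re


@dataclass(frozen=True)
class FileEvent:
    ts: datetime
    process: str
    action: str   # WRITE, RENAME or CREATE
    path: str


BURST_WINDOW = timedelta(seconds=60)   # assumed sliding window
BURST_THRESHOLD = 5                    # distinct files one process touches in the window
NOTE_DIR_THRESHOLD = 2                 # same note name created in this many directories
# Names typical of ransom notes; a single hit is weak evidence, fan-out across
# directories is what makes it worth an alert.
NOTE_NAME_RE = re.compile(
    r"(readme|recover|restore|decrypt|how[_-]?to)[^\\/]*\.(txt|html?)$", re.I)


def parse_event(line):
    """Parse 'timestamp|process|action|path' (assumed audit-log format)."""
    ts, process, action, path = line.strip().split("|", 3)
    return FileEvent(datetime.fromisoformat(ts), process, action.upper(), path)


def split_dir(path):
    """Split a Windows or POSIX path into (directory, file name)."""
    idx = max(path.rfind("\\"), path.rfind("/"))
    return (path[:idx], path[idx + 1:]) if idx >= 0 else ("", path)


def detect_mass_modification(events):
    """One alert per process that touches many distinct files in a short window."""
    alerts = []
    by_proc = defaultdict(list)
    for e in events:
        if e.action in ("WRITE", "RENAME"):
            by_proc[e.process].append(e)
    for proc, evs in by_proc.items():
        evs.sort(key=lambda e: e.ts)
        window, in_window = deque(), Counter()   # events in window, path -> count
        for e in evs:
            window.append(e)
            in_window[e.path] += 1
            while e.ts - window[0].ts > BURST_WINDOW:   # slide the window forward
                old = window.popleft()
                in_window[old.path] -= 1
                if in_window[old.path] == 0:
                    del in_window[old.path]
            if len(in_window) >= BURST_THRESHOLD:
                alerts.append({"rule": "mass_modification", "process": proc,
                               "files": len(in_window),
                               "first_seen": window[0].ts.isoformat()})
                break   # one alert per process is enough for triage
    return alerts


def detect_ransom_notes(events):
    """Alert when one process creates the same note-like file in several directories."""
    dirs_by_note = defaultdict(set)   # (process, note name) -> directories
    for e in events:
        if e.action != "CREATE":
            continue
        directory, name = split_dir(e.path)
        if NOTE_NAME_RE.search(name):
            dirs_by_note[(e.process, name.lower())].add(directory)
    return [{"rule": "ransom_note_fanout", "process": proc, "note": name,
             "directories": len(dirs)}
            for (proc, name), dirs in dirs_by_note.items()
            if len(dirs) >= NOTE_DIR_THRESHOLD]


def analyze(log_text):
    """Run both rules over a log and return the combined list of alerts."""
    events = [parse_event(l) for l in log_text.splitlines() if l.strip()]
    return detect_mass_modification(events) + detect_ransom_notes(events)


# Constructed sample log: normal Office activity, then a process renaming
# files to a new extension and dropping a note in each directory it touches.
SAMPLE_LOG = r"""
2024-05-01T09:00:01|winword.exe|WRITE|C:\Users\alice\Documents\q1-report.docx
2024-05-01T09:00:05|outlook.exe|WRITE|C:\Users\alice\AppData\Local\mail.ost
2024-05-01T09:14:00|winword.exe|WRITE|C:\Users\alice\Documents\q1-report.docx
2024-05-01T09:15:00|svc_update.exe|RENAME|C:\Users\alice\Documents\q1-report.docx.locked
2024-05-01T09:15:02|svc_update.exe|RENAME|C:\Users\alice\Documents\clients.xlsx.locked
2024-05-01T09:15:03|svc_update.exe|CREATE|C:\Users\alice\Documents\RECOVER-FILES.txt
2024-05-01T09:15:05|svc_update.exe|RENAME|C:\Users\alice\Documents\contracts\msa.pdf.locked
2024-05-01T09:15:06|svc_update.exe|CREATE|C:\Users\alice\Documents\contracts\RECOVER-FILES.txt
2024-05-01T09:15:09|svc_update.exe|RENAME|C:\Users\alice\Desktop\notes.txt.locked
2024-05-01T09:15:12|svc_update.exe|RENAME|C:\Users\alice\Desktop\budget.xlsx.locked
2024-05-01T09:15:13|svc_update.exe|CREATE|C:\Users\alice\Desktop\RECOVER-FILES.txt
2024-05-01T09:15:20|svc_update.exe|RENAME|\\fileserver\shared\policies.docx.locked
"""

if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

The two rules deliberately look at behaviour rather than file signatures, which is why they still fire on a process name that looks legitimate. In a real deployment the thresholds need tuning against the organisation's own baseline (backup agents and document-management tools also touch many files quickly), and an alert from either rule is a trigger for the incident response plan discussed further down, not proof of an attack on its own.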
Cybersecurity training for your organization’s leadership and employees can also reduce your risks:
- Educate employees on when not to click links or open attachments
- Create an information governance plan with a culture to support it
- Conduct periodic testing of workforce susceptibility to phishing attempts
- Establish and promote good cyber hygiene
Organizations can also minimize the risk of attacks that do occur by being ready with these steps:
- Create an internal incident response team
- Establish incident communication protocols
- Designate a key decision-maker and their backup
- Consider budgeting for and acquiring cyber insurance
- Review your insurer’s vendor panel proactively
- Plan ahead with key legal advisors and other vendors
- Ensure incident response and business continuity plans
- Store physical copies of key plans and documents
- Conduct simulations to test and improve your response
- Know your insurance procedures in the event of a claim
For more details about preparing your business for ransomware threats with these steps, see Lockton’s Ransomware Playbook.
What Protection Is Available?
Cyber insurance used to be something only tech-focused businesses required. But today, every business needs protection against a broad spectrum of risks, including ransomware. Through Lockton Affinity Advisor and CyberLock Defense, a wide variety of cyber coverages are available, including first-party coverage to reimburse a policyholder on the costs of an insured event and third-party coverage to defend against third-party claims of liability.
Lockton Affinity Advisor has options that can help protect your firm from the threat of ransomware. As detailed in our recent cyber coverage explainer, first-party coverages typically deal with:
- Incident response
- Data restoration
- Cyber extortion
- System failure
- Business interruption
- Reputational harm
Third-party coverages are available to address exposures from:
- Privacy liability
- System security liability
- Regulatory liability
- PCI-DSS fines and penalties
To fully protect your firm from the serious threat of ransomware, make sure to work with an experienced insurance advisor. At Lockton Affinity Advisor, our goal is to help you manage your risks. Our cyber program leads the industry in its protection, with broad coverage and flexible limits tailored to suit the particular risks of RIAs, life agents and financial institutions. Visit us online today or call us at (844) 406-5958 to learn more about our benefits and get started.