We are sorry but your browser is not supported by Marsh.com.

For the best experience, please upgrade to a supported browser:

X
Qatar qa
Americas
Asia Pacific
Europe
Middle East & Africa
ENGLISH EN

Cyber Risk

Ransomware: What You Need to Know Before, During, and After an Attack

“Your files have been encrypted. You have 5 days to submit the payment, or your files will be lost.” The ominous message glaring out from your screen isn’t farfetched—or even unusual. Instead, this common scenario plays out continually. By the end of 2021, ransomware attacks are expected to target global businesses every 11 seconds.

Ransomware is on a meteoric rise – increasing in frequency, severity, and sophistication. As ransomware has proliferated over the past year, more than half of organizations have fallen victim to an attack. With increasing attacks come higher financial and operational impacts, including ransomware payments and associated costs, operational downtime, and remediation efforts. In Q3 2020 alone, the average ransomware payment increased more than 30% over the previous quarter.

Driven by the COVID-19 pandemic, businesses have greatly accelerated their digital transformation efforts. From healthcare organizations to government agencies to manufacturing companies and every industry in between, the rapid shift to remote work generally has created wider attack surfaces and less secure environments. The result? A boon to cybercriminals.

What is ransomware exactly?

Ransomware is a type of malware that prevents access to a system or data until the victim pays a ransom. Using a variety of methods, attackers typically encrypt a victim’s files and render them incapable of opening. The attacker then provides instructions and requests a fee (aka, the ransom) in cryptocurrency from the victim, dangling a carrot in the form of a decryption key to unlock the encrypted data. Whether the victim pays or not, there is no certainty that the files will be returned or access restored.

In the world of ransomware, cybercriminals are the most common culprits. Cybercriminals conduct ransomware attacks for economic benefit. Ransomware tool kits are widely available for purchase on the dark web (think RaaS – Ransomware as a Service), enabling even less skilled cybercriminals to carry out ransomware attacks for profit. The ease with which attackers can execute ransomware attacks also contributes to its continued growth, notes the 2020 Data Breach Investigations Report.

Is my organization at risk?

Ransomware attacks impact individuals and organizations across industries and around the globe – no organization is immune. Small and medium-sized businesses remain popular targets, representing 62% of incidents (Beazley 2020 Breach Briefing). In contrast, 38% of ransomware incidents target the middle market.

While ransomware is an issue across industries, some are harder hit than others. Healthcare, professional services, and financial services alone account for more than half of ransomware incidents. The healthcare industry is among the most targeted, with financially motivated cybercriminals using ransomware attacks to exploit sensitive patient data.

Ransomware By Industry

 

What can we do?

A ransomware incident can cause significant damage. And while a business cannot anticipate a specific ransomware attack, you can plan for the potential impact. Preparation makes all the difference. Businesses should carefully consider—in advance—how they would manage a ransomware attack: before, during, and after.

Before a ransomware attack occurs, it’s critical to:

  • Know your options.
  • Develop internal policies and guidance.
  • Understand regulatory implications and potential sanctions.
  • Secure board approval.
  • Examine impact on and how to leverage insurance.
  • Seek legal counsel.
  • Engage outside expertise.
  • Consider how to access a cryptocurrency account.

During a ransomware attack, focus on how to:

  • Minimize exposure and maximize backup.
  • Tap into insurance, claims, and vendor expertise.
  • Follow your internal and external guidance.
  • Determine whether to pay the ransom.

And after a ransomware attack, consider how to:

  • Update internal guidance.
  • Bring in external expertise.
  • Identify and remediate weaknesses.
  • Review backup strategy.

How can Marsh help me with ransomware?

Our full suite of ransomware offerings encompass cyber risk management and insurance. This includes:

Ransomware Readiness: How would your organization fare in a ransomware event? This quick, simple assessment efficiently analyzes and provides insights into your ransomware preparedness. It delivers numerical scores, benchmarks from de-identified Marsh data, and provides findings via an executive-level report. Organizations are assessed across ransomware-specific preparedness indicators in seven critical areas, including employee awareness, backup policies and procedures, and technical controls.

Ransomware Insights: What is my ransomware risk profile? This offering provides clients with insights to better understand, measure, and manage ransomware as a business risk. It models potential attack severity, pinpoints potential vulnerabilities, and identifies areas of improvement for insurance underwriting. This includes analysis on both historical and recent ransomware events. Clients can also tap into thought leadership resources, review potential vendors, and browse best practices – all in one central location.

Ransomware Incident Response Planning: Have you created a thorough incident response plan specific to ransomware? It is critical to develop a comprehensive incident response plan that enables organizations to prepare for, detect, respond to, and recover from a ransomware incident. This offering includes the identification of key stakeholders and their roles/responsibilities; development of response guidelines, procedures, and processes; establishment of event tracking; execution of detailed tabletop exercises; analysis of the financial impact of a ransomware incident; and identification and assessment of vulnerabilities in the plan itself. In collaboration with your counsel, we can help develop and implement a sanctions compliance program.

Cyber Insurance: Have you evaluated your cyber policy? Marsh can help design a cyber insurance program with comprehensive coverage for ransom payments and associated costs. Cyber policies may also include preparation and response support (such as resources for clients on incident response planning, employee training, legal and forensics, and breach notification services), as well as balance-sheet protection for first- and third-party costs and liabilities (lost revenue and extra expenses, regulatory fines and penalties, data and hardware restoration and repair, and reputational harm).

Our cyber risk and insurance specialists are available to help you prepare in advance for a potential ransomware attack by assessing your readiness and building a complete response plan. We can also help you craft a cyber policy designed to provide broad coverage for cyber and technology risks that includes ransomware.

Ransomware can seem overwhelming and how to best respond can be confusing – we get it. We’ve helped clients across industries and around the world prepare for and respond to the unexpected.