Ransomware is proving to be a profitable endeavor for cyber criminals. It is also what is driving a newer trend: the business of offering management of ransomware attacks, or Ransomware-as-a-Service (RaaS).

Fueled in part by the ability to use cryptocurrency to avoid detection, cyber criminals are setting up shop as a managed service provider, helping other cyber criminals conduct business on their platforms for a fee. For that fee, cyber criminal groups get personalize access to platforms, complete with dashboard capabilities, that allow them to easily distribute their ransomware. Also included – technical support. Such full-service offerings mean that nearly anyone with internet access can launch a ransomware attack without any technical knowledge needed.

And why not? The estimated return on investment from ransomware campaigns can easily reach 1400%. The lure of a lucrative return could well attract beginners or anyone with a grudge. For organizations, the threat coming from a well-backed beginner is as damaging as one coming from a career criminal.

Today’s ransomware victim

While nearly any organization or individual could be the victim of a cyber thief, many cyber criminals have started to conduct more targeted ransomware campaigns. Typical targets for cyber thieves include these organization types:

  • Those that rely heavily on technology to generate revenue. The more a company relies on technology to generate revenue, the more a breach involving downtime will impact the bottom line. While many organizations fit this description, the hardest hit would include retail, financial services, utilities, and manufacturing.
  • Those that have a significant impact on health and safety. Because of the concern for the safety of the patient population, healthcare organizations are a particularly vulnerable target for cyber criminals. Thieves are exploiting the need to keep patients safe and their information private. Cyber criminals have demanded ransoms after encrypting files containing patient prescription information, medical files, and personal information.
  • Those that are unprepared. Thanks to the rising cost of cybersecurity, many small to mid-sized businesses find it challenging to properly protect their businesses from ransomware threats. That makes them an ideal target for cyber criminals. In far too many cases, these businesses are faced with a hard decision: pay the ransom or close up shop.

The total impact of breach

Yet paying ransom is not so simple. Dealing in cryptocurrency is a complex and risky process, and one many organizations are not familiar with.

  • Ransom payments. For example, most Bitcoin exchanges impose maximum purchase limits of $20,000 or less per day. For a ransom of $1 million, a company unfamiliar with the process, would have its operations on hold for 50 days. Fortunately for companies that have cyber insurance, ransomware payments are usually handled on the insured’s behalf by a trusted third party, and the entire ransom can be paid quickly.
    Also, cryptocurrency payments are irreversible. Because payments are made to an address comprised of a string of numbers and letters, one errant character could mean the payment never reaches the hackers, and the money paid is irretrievable.
  • Forensics. Forensics investigations are as good as the information investigators have to go on. Many organizations realize too late that their audit logs are not gathering the right information. Plus, many breaches are discovered months or even years after they occur, which means data for the event may not have been stored for that length of time.
  • Legal. There are also legal requirements when a system is breached. Because each state has its own breach notification laws, some organizations could have difficulty complying, particularly if there are locations in other states. And in most cases, forensics investigations must first determine if any legal requirements have been triggered.
  • Public relations/Crisis communications. Also, few organizations are equipped to handle inquiries and damage control once a breach becomes public knowledge. Hiring outside help to manage the situation is essential. If the breach is large enough, a company may need to set up a call center.
  • Business interruption/Reputation damage. Then there are the costs associated with the interruption of normal operations. Such interruptions damage a company’s reputation far beyond the cost of the ransom demand. It is this vulnerability that makes a company a much more appealing target for cyber criminals.
  • Data restoration.Once ransom is paid, organizations must rebuild or restore their systems. Full restoration can take days or weeks, depending on the number of systems involved.
  • Equipment damage/Bricking.Some ransomware renders the infected equipment permanently unusable. The cost of repair can exceed the cost of replacing the damaged devices.

“The first line of defense is a well-designed, layered cybersecurity plan to detect and address threats as well as prevent infections.”

Defending against attack

As cyber criminals continue to innovate, organizations must work harder to defend the business and adapt quickly to change. The first line of defense is a well-designed, layered cybersecurity plan to detect and address threats as well as prevent infections.

  • Identify. First and foremost, organizations must conduct a risk assessment. Know what data is vulnerable, where it is held, and what risks are associated with it – confidentiality, integrity, access.
  • Protect. Back up data regularly and store them offline. Train all staff on how to handle emails with links or requests for proprietary information. Use an email security solution to help block known threats and flag potential threats. Install an intrusion prevention system (IPS) to limit inbound/outbound connections that are needed for ransomware transfers.
    Also, ensure your cyber insurance policies cover your organization’s needs. Review your policy regularly with your broker, especially when there are changes or additions to your technology or business methodology.
  • Detect. When ransomware is installed, it attempts to encrypt all it can reach, or initiate unusually large, incremental backups. A file integrity monitoring solution (FIM) can help the security team see activity and respond quickly.
  • Respond. The faster the response to a ransomware attack, the lower the cost and impact on the business. To respond quickly, IT teams need:
    • A well-defined incident response plan
    • A ransomware response plan
    • Simulated or tabletop exercises to test and improve response plans
    • A list of questions designed to understand the breadth of the breach
  • Recover. Fast recovery requires preparation long before a breach occurs. AXA XL recommends a 3-2-1 strategy, which includes:
    • Having 3 copies of your data at all times (1 production copy, and 2 additional backups)
    • Having the 2 additional backups on different storage media
    • Having 1 of the backups offsite and disconnected from the network (offline)
    • Backups should be tested to ensure that all information and applications can be restored.


With the rise of Ransomware-as-a-Service platforms, distributing ransomware has never been easier. One ransomware attack can bring down a company and effectively close its doors permanently. Cybersecurity is essential and must address the specific issues each company faces.

As the costs associated with ransomware attacks increase, having the right cyber insurance coverage in place is a critical piece of your defense against attack. With the right combination of prevention and recovery, your business can get back to normal operations quickly.

About the authors

Marcin Weryk is Head of Cyber for the AXA XL Cyber & Technology team’s West and South regions. He can be reached at marcin.weryk@axaxl.com. Aaron Aanenson is Director of Cyber Security for S-RM. He can be reached at A.Aanenson@s-rminform.com.

This article was first published on AXA XL’s blog, Fast Fast Forward.