Live Webinar 11/20: SMB Cyber Survival Guide 2025
Cyber Incident? Get Help

How Using Backups Can Save an Organization from a $1M Ransom

Featured Image for Why using backups can save your business a $1M ransom

Ransomware attacks are one of the most widely acknowledged cyber threats in the world. High-profile incidents make the news almost every day, so it should come as no surprise that ransomware is one of the most common causes of cyber insurance claims.

The low-effort, high-reward nature of ransomware crimes is an appealing business model for bad actors. Not only has the frequency of these incidents been steadily increasing over the last few years, but their focus has shifted from consumers to businesses. Understandably, there’s significantly higher risk (and much deeper pockets) for companies, who often end up paying an average ransom amount of roughly $150,000 per incident.

As the ransomware business model has become more sophisticated, the ransom demands have skyrocketed.  At Coalition, we’ve seen extortion demands jump from an average of less than $10,000 across earlier strains of ransomware, including SamSam and Dharma, to over $100,000 in 2019 with the introduction of Bitpaymer and Ryuk.  These demands are even higher alongside newer threats such as Sodinokibi.

The highest demand witnessed year-to-date totaled over $6 million.

As with all cyber risk, organizations are never able to entirely prevent these attacks — but you can manage the risk you experience as a business. The risk associated with ransomware attacks can be mitigated by using a thoughtful data backup strategy. Which, thankfully, is less complicated than it sounds.

A recap of ransomware

Ransomware is a specific category of cyber attack where malicious software is covertly installed on a computer with the goal of making some or all of its files inaccessible (removed from the computer, encrypted, etc.) These attackers are motivated by large payments, the collection of sensitive data, reputational harm, and overall destruction.

The malicious actor often leaves a message providing instructions for how to regain access to your files, usually in the form of a ransom note.

There are multiple ways attackers gain access:

  • Brute force remote connection

    – This is often done through remote desktop computers.

  • Email phishing

    – This is the act of sending a malicious attachment to the entire company, hoping at least one person clicks.

  • Software vulnerability

    – This involves downloading illegitimate software, not patching software regularly, or failing to update software.

Is your business at risk?

Unfortunately, you can (and should) always assume that hackers are passively searching for companies with publicly accessible security vulnerabilities. This means that you should always be on alert.

Your business may be more at risk than others simply by virtue of your industry. When assessing potential payoff, hackers are thinking about the type of data you have, how sensitive the information is, and the value of that data (to you and others).

Businesses that may be high risk are:

  • Managed Service Providers (MSPs)

    – Providers who may outsource administrative work like information technology (IT), making them an information-dense target.

  • Healthcare Providers

    – Organizations with sensitive data who may not have the funds or the expertise to set up robust security solutions.

  • Law Firms and Consultancies

    – Companies with access to a significant amount of data from many different companies with high reputational risk.

Preventing the risk

In order to best protect your business against the risk of ransomware, you’ll need to develop a strategy that’s tailored to your business.

Making yourself a smaller (and less vulnerable) target

80% of ransomware incidents may have been prevented by the company having implemented two-factor authentication (2FA) or protecting their remote desktop access protocol with a Virtual Private Network (VPN). We also suggest implementing security awareness training for staff, which will help everyone keep their eyes open for suspicious activity.

Proactively triage your data

Think comprehensively about all the data residing in your systems across teams like Sales, Finance, Marketing, and Operations – particularly data needed to interact with clients or other team members.

  1. Determine what would be required to restore critical business operations.

  2. Consider what would be required to restore all business operations.

  3. Identify where this data is stored (on a computer versus in the cloud).

  4. Evaluate the least and most amount of data you could lose access to (being completely locked out from all devices vs. a subset of files on one device)

Do the math

After stack-ranking your data, try to assess the cost of the best and worst-case scenarios. It’s helpful to consider the following:

  • Data recovery time frames can take as little as 50 minutes or as long as over a year to be fully resolved.

  • The average ransom size we’ve observed at Coalition is over $150,000 USD, though we’ve seen ransoms well into the millions.

  • Cyber forensics firms that assist with incident response for ransomware attacks usually cost around $50,000 USD. Teams like these help by providing forensic evidence for insurance claims, negotiating with malicious actors, and more.

  • The starting point for total losses incurred, before taking into account business interruption costs and legal fees, could cost your organization well over $250,000.

Using backups to prepare for the worst

The danger of ransomware attacks is that you’ll no longer have access to the information that your business needs. By assessing what that data is, and where it's stored, you can set up an effective contingency plan.

Pick a backup solution

Maintaining updated backups of your data is key, but not all backup methods are created equal. We recommend using offline backups to store critical data completely separate from the primary network. Cloud backups with a username and password combination not associated with an organization’s domain are another alternative.

Our claims data suggests that onsite software backups are, by far, the least effective. Attackers are familiar with many of onsite backup methods and know exactly how to corrupt or delete them.

Keeping your data safe means you need to find a secure, easily-accessible means of storing it. We recommend the following providers for secure cloud storage:

Develop a plan

While selecting a storage option won’t take too long, setting up a reliable backup solution will require more thoughtful planning.

Based on how much data you have, and how critical it is, you’ll want to consider:

  • What data should be backed up and where it should be stored

  • How frequently data backups should occur

  • How quickly you could restore your data from that system in the event of an incident, and at different times (right now and years down the line)

  • How you can test and iterate on your backup solution to ensure it’s working as intended and accommodates changing business needs

Avoid ransomware attacks

Ransomware events are extremely disruptive to organizations. While the best cure is to avoid ransomware infections in the first place, the best way to recover from a ransomware attack is by having good backups.

There are many cloud options available, but the most important criteria are that access is not limited to a single device, your local computer cannot delete files within that storage solution, and that it works for your business – even if that means your backup solution consists of a weekly manual backup to a USB thumb drive.

If your organization is experiencing a cyber incident, Coalition’s team of in-house security experts is available 24/7/365 to help you recover! If you believe you have been infected by malware, contact Coalition immediately for breach assistance.