
Ransomware has evolved from a simple nuisance into a full-blown crisis affecting individuals, small businesses, large corporations, and government entities alike. Recent attacks illustrate how widespread the problem has become. The FakeUpdates and Raspberry Robin malware families, both commonly used as initial-access loaders for ransomware crews, have been targeting individuals through phishing campaigns, stealing credentials and encrypting personal files (AP News). Small businesses are not exempt either: KNP, a 158-year-old logistics company, was forced to shut down after Russian hackers exploited weak passwords and demanded a ransom (InsuranceJournal). Large corporations have been hit hard, too, with the 2023 MOVEit mass data-theft campaign affecting thousands of organizations and nearly 100 million individuals (Wikipedia). Even governments have fallen victim, as seen in Costa Rica’s 2022 ransomware attack by the Conti group, which disrupted key government operations (PurpleSec).
The latest evolution, “double extortion ransomware”, not only locks users out of their own data but also threatens to leak sensitive information unless a ransom is paid. While major corporations make the headlines, individuals and small businesses are increasingly prime targets because they have less awareness, weaker security measures, and less expertise to prevent and deal with an attack. They are also much less likely to report it to federal agencies.
What Is Double Extortion Ransomware? How It Works & Why It’s Growing
Traditional ransomware simply encrypts files and demands payment for the decryption key. Failure to pay often means permanent loss of access to those files. Double extortion takes things a step further. Attackers first exfiltrate (copy out) sensitive files, then encrypt them, and then use the threat of public exposure as additional leverage to extract payment. These attacks often target businesses with regulatory obligations or individuals holding personal or financial data. For example, attackers may threaten to release confidential customer records, financial statements, or private emails that could damage reputations. In some cases they have targeted law firms with sensitive client information or medical institutions (HIPAA-protected patient data is especially valuable). Cyber criminals know that the far-reaching legal and ethical implications of such a leak can force victims to comply. One practical consequence: because the data has already left the building, restoring from backups solves the encryption problem but not the extortion problem, which is why stopping the initial intrusion and the exfiltration matters as much as having backups.
Typically, a ransomware infection begins with a phishing email, a malicious attachment, pirated or trojanized software, a malicious browser plugin, or a compromised website. Cyber criminals use deceptive tactics, such as posing as trusted contacts or disguising malware as legitimate software, to trick users into executing the malicious code. Once inside, double extortion ransomware quietly exfiltrates data before encrypting it. The malware (or the human operator behind it) may then spread laterally across the network, compromising multiple devices and increasing the impact. In the end, the victim is left with a very difficult choice: pay the ransom, or lose the data AND have private information exposed at the same time. Organizations handling sensitive client data, such as medical records, legal files, or financial transactions, are particularly vulnerable, because attackers leverage the fear of regulatory fines, lawsuits, and reputational damage to pressure victims into paying.
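The encryption phase described above has a measurable signature: a burst of files being rewritten with content that is statistically indistinguishable from random bytes. The following is an added example, written for this post and not taken from any ransomware family or vendor tool, showing the classic entropy-based check that endpoint products and filesystem watchers use to spot that burst. The sample "documents", the chained-SHA-256 stand-in for ciphertext, the 7.5-bit threshold, the list of legitimately high-entropy file headers and the file paths are all constructed for the demo.

```python
import hashlib
import math
from collections import Counter

# Constructed sample data for this example (not from the original post).
# A chunk of ordinary document text, and a deterministic stand-in for
# ciphertext (chained SHA-256 digests look like random bytes).
SAMPLE_PLAINTEXT = (b"Quarterly report: revenue grew 4% year over year. "
                    b"Patient intake notes attached. ") * 40
SAMPLE_CIPHERTEXT = b"".join(
    hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(64))  # 2048 bytes

# File types that are legitimately high-entropy (compressed or already
# encrypted containers). Without this allow-list they would be false positives.
HIGH_ENTROPY_MAGIC = (
    b"PK\x03\x04",    # zip, docx, xlsx
    b"\x89PNG",       # png
    b"\xff\xd8\xff",  # jpeg
    b"\x1f\x8b",      # gzip
    b"%PDF",          # pdf (streams are usually deflated)
)


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a constant byte, 8.0 for uniform random."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(data: bytes, threshold: float = 7.5) -> bool:
    """True when the content has no known compressed-format header and its
    entropy is close to the 8.0 bits/byte of random data. The 7.5 cut-off is
    an assumption for this demo; tune it against your own file corpus."""
    if data.startswith(HIGH_ENTROPY_MAGIC):
        return False
    return shannon_entropy(data) >= threshold


def triage_writes(writes, min_hits: int = 5):
    """writes: iterable of (path, content) for files recently (re)written, as a
    filesystem watcher or EDR agent would report them (hypothetical feed).
    One encrypted-looking file is normal (people do use encryption); a burst of
    them in a short window is the ransomware signature. Returns (verdict, paths)."""
    flagged = [path for path, content in writes if looks_encrypted(content)]
    return len(flagged) >= min_hits, flagged


def demo():
    """Constructed write events: one ransomware burst mixed with benign writes."""
    writes = [(f"C:/Users/alice/Documents/report{i}.docx.locked",
               SAMPLE_CIPHERTEXT[i:] + SAMPLE_CIPHERTEXT[:i]) for i in range(6)]
    writes += [
        ("C:/Users/alice/Documents/notes.txt", SAMPLE_PLAINTEXT),
        ("C:/Users/alice/Pictures/cat.jpg", b"\xff\xd8\xff" + SAMPLE_CIPHERTEXT),
        ("C:/Users/alice/Downloads/archive.zip", b"PK\x03\x04" + SAMPLE_CIPHERTEXT),
    ]
    return triage_writes(writes)


if __name__ == "__main__":
    verdict, paths = demo()
    print("ransomware burst detected:", verdict)
    for p in paths:
        print("  encrypted-looking write:", p)
```

The allow-list of magic bytes is the important design detail: without it a user unzipping an archive or saving photos triggers the same alarm, and a detector that cries wolf gets switched off. Real products pair this with the rename pattern (a new extension appended to hundreds of files) and with canary files that nothing legitimate should ever touch.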
Why Small Businesses & Individuals Are Easy Ransomware Targets
Large corporations often have the juiciest data and the deepest pockets, but they also typically have robust defenses: dedicated IT teams, incident response plans, good backups, and better security tools (usually deployed in defensive layers). Individuals and small businesses typically lack the resources to implement enterprise-level security. Cyber criminals know this all too well and see these groups as “soft targets” that are easier to infect. A single, generic (non-targeted) malware campaign will likely snag many smaller, less protected victims. Even though many individuals and small businesses won’t (or can’t) pay, the strategy remains effective because of the sheer number of infections. It’s the power of numbers. Think of it this way…
This is much like the way businesses flood inboxes with spam advertising a product. They know most recipients will ignore or delete the message, but sending millions of emails costs next to nothing. Even if only a fraction of recipients (say 0.1%, or 1,000 out of a million) click the link and make a purchase, the campaign is still profitable. Generic ransomware campaigns operate on the same principle. By casting a wide net, they don’t need every victim to pay; a small percentage is enough to make the relatively low effort worthwhile.
Individuals often believe that only big companies are targets, or that they don’t really have anything to lose… until they do. Personal devices store financial data, account credentials, and private files, making them attractive to attackers. Many people also reuse passwords (don’t get me started on this one…) across multiple accounts, making credential theft even more valuable to cyber criminals. Once ransomware infects a personal system, it can lock up everything from old documents to tax records to sentimental family photos, leaving victims with little choice but to pay up or lose their data forever.
Small businesses also often assume that they’re too insignificant to be targeted, but that assumption leaves them vulnerable. Many small businesses lack dedicated IT staff, fail to implement robust cybersecurity measures, and operate on tight budgets that make significant security investments difficult. Hackers know this, which is why small businesses are frequently attacked. A single ransomware infection can cripple operations, disrupt customer service, and erode trust. Worse still, businesses that handle sensitive customer data, such as medical offices or financial and legal consultants, may face legal repercussions and fines if that data is stolen or leaked as part of a ransomware attack.
Real-World Examples of Ransomware Attacks
A small medical practice in Michigan was forced to shut down permanently after a ransomware attack encrypted all patient records. The attackers demanded a ransom, but the practice refused to pay. Without access to critical patient data and no viable backups, they had no choice but to close their doors. (Workplace Privacy Report)
A local retail shop was hit by ransomware that locked them out of their point-of-sale system, bringing their business to a standstill. With no other option to continue operations, they paid a $10,000 ransom. Unfortunately, just months later, they were attacked again. This highlights the risk of paying ransoms. Doing so doesn’t guarantee protection from future attacks. (Cybersecurity Dive)
Stoli Group USA and Kentucky Owl, subsidiaries of Luxembourg-based Stoli Group, filed for bankruptcy after a severe ransomware attack in August 2024 disrupted their operations. The attack crippled their centralized business software, forcing reliance on manual bookkeeping and preventing them from providing financial reports to lenders. This led to a default on $78 million in debt, loss of financing, and restrictions on inventory sales. The bankruptcy will allow time for recovery and debt restructuring. (Reuters)
AI & Ransomware: How Hackers Are Using AI to Supercharge Cyber Attacks
Cyber criminals are now using artificial intelligence to enhance their ransomware tactics: not only to make phishing emails and other lures look more legitimate, but also to decide how much ransom to demand. Unlike Hollywood-style cyberattacks where criminals demand millions of dollars from an unsuspecting victim, real-world ransomware gangs are generally more calculating. They conduct background research on their targets, often scouring financial records or industry reports to gauge how much a business or individual might reasonably afford to pay. If they are targeting a small business, they may demand tens of thousands of dollars, knowing that the owner might struggle but will ultimately pay to keep operations running. Large corporations, especially those in critical industries, face higher demands (sometimes in the multi-millions) because attackers assume they have cyber insurance and the means to pay.
Although not common yet, attackers may also use AI to factor in target location, adjusting ransom amounts to the target’s country and local economic conditions. They also analyze past payment behavior: a company that has paid before may be hit again with an even larger demand. Experienced ransomware groups have learned that a ransom set too high is less likely to be paid, while one set at a painful yet “affordable” amount increases their odds. Much of this process can be automated, with AI-driven tooling helping attackers refine their pricing based on collected data. AI tools also let attackers automate phishing, generating emails that are nearly indistinguishable from legitimate communications, and scan for vulnerabilities across thousands of systems in seconds, making it easier to find small businesses running outdated software.
Legal & Financial Consequences of a Ransomware Attack
For small businesses, ransomware attacks don’t just cause immediate financial losses, they can lead to lawsuits and regulatory penalties if customer data is compromised. Many industries (Medical, Financial, and Legal just to name a few) are required by law to protect customer data, and failure to do so could result in heavy fines. Additionally, data breach notification laws mean businesses must inform customers if their personal data has been stolen, further damaging reputation and trust.
Should You Consider Cyber Insurance?
As ransomware threats increase, many businesses are turning to cyber insurance to cover potential financial losses. Policies vary, but cyber insurance can help pay for ransom demands, recovery costs, and even legal fees. However, some insurance providers are tightening their policies and may not cover attacks if proper security measures were not in place beforehand. While cyber insurance is commonly associated with businesses, some providers (Such as AIG, NFP, and Blink by Chubb) do offer cyber insurance policies for individuals. These personal policies typically cover expenses related to identity theft, data recovery, and even ransom payments in some rare cases. Costs vary widely based on coverage, but plans generally range from $100 to $500 per year.
For individuals who don’t want or can’t afford cyber insurance, there are alternative protections. Identity theft protection services, such as those offered by LifeLock or Aura, can help monitor for suspicious activity. Cloud backup services with built-in ransomware protection, such as CrashPlan, Backblaze or Acronis, can ensure data is recoverable without paying a ransom. While cyber insurance can be a safety net, the best protection remains strong security practices, regular backups, and user awareness to prevent infections in the first place. As the old saying goes, “An ounce of prevention is worth a pound of cure”.
How to Prevent a Ransomware Attack
Preventing ransomware starts with strong digital habits and a proactive approach to cybersecurity. Yes, even individuals need to take a more active role in protecting themselves through implementing better cybersecurity practices. The best defensive posture is to have security in layers. While no amount of security can prevent a determined and skilled hacker or group (with enough time and resources) from infiltrating your systems or accounts, having multiple layers of security does increase your odds of successfully thwarting an attack. Below are some practical steps an individual or business should take to protect themselves.
Anti-virus / Anti-Malware software – It is always advisable to have solid anti-virus / anti-malware protection on ALL of your devices. Yes, this includes your phones and tablets, and YES, that includes your Apple products as well (contrary to popular belief, they can be infected too). There are plenty of good anti-virus vendors to choose from. Personally I would avoid the free ones, as many of them might as well be malware themselves with the constant scare tactics they throw at you. I also tend to avoid the old “anti-virus giants” such as McAfee and Norton, as they tend to be bloated and nowhere near as effective as they were 25 years ago (in my opinion). Get yourself a good, reputable, paid anti-virus / anti-malware product for all your devices. Personally I prefer ESET, as it has served me well (both personally and professionally) for many years. Some other honorable mentions are Bitdefender and Malwarebytes. Just keep in mind that no anti-virus program alone can give you all the protection you need; they can all be defeated at times. As an additional resource, check any attachment you download or receive by email at VirusTotal.com BEFORE you open or execute it. VirusTotal offers a free service that scans whatever file you send it with many different anti-virus engines at once. Two caveats: a clean result only means no engine recognizes it yet, and anything you upload becomes visible to VirusTotal’s partners, so search by the file’s SHA-256 hash first and never upload confidential documents. While not a replacement for a full-time anti-virus on your computer, this free website is a great way to double-check files before running them.
Keeping software updated – This is simple yet critical. Hackers frequently exploit vulnerabilities in outdated operating systems, applications, and firmware. Enabling automatic updates wherever possible ensures security patches are applied promptly, closing potential entry points for attackers. And do not rely on your operating system’s updates to patch all of your software. If you have installed software beyond what came with the operating system, you need to keep that updated as well. A few examples just to illustrate what I mean: browsers like Chrome, Firefox, Brave; PDF software like Adobe Acrobat, Foxit, and SumatraPDF; media players and editors like VLC, Kodi, GIMP; communication programs like Zoom, Slack, Discord; password managers like 1Password, Bitwarden, KeePass; cloud storage like Dropbox, OneDrive, Google Drive… You get the idea. All of these need to be kept updated, and don’t forget the firmware on routers and NAS devices, which are common footholds.
TIP: Many programs have a “Check for updates” option built into their menus – Typically but not always they can be found under the Help or About sections. And some programs may have an auto-update feature built in but you may need to enable it.
Having really good backups – One of the most important steps is implementing a robust backup strategy. Relying solely on cloud storage services like Google Drive, Microsoft OneDrive or Dropbox is risky, because they sync files to the cloud rather than create true backups. This leaves many users with a false sense of security. If the files on one of your devices get hit with ransomware, the changes will quickly sync to the cloud and overwrite the good copies there with the encrypted ones from your device. Some sync services do keep a limited version history you may be able to roll back, but that is a convenience feature with a short retention window, not a backup strategy.
Instead, follow the 3-2-1 backup rule: keep three copies of your data, on at least two different types of media, with one copy stored off-site. Against ransomware, that off-site copy should also be offline (disconnected from the network) or otherwise immutable so the malware cannot reach it; some people call this 3-2-1-1. This ensures that even if ransomware encrypts your primary files, a clean version remains available for restoration once the ransomware has been removed. Personally, I keep multiple local copies of my data on encrypted external hard drives. These drives are only connected long enough to back up my data and are then disconnected (so ransomware cannot encrypt them). I also rotate them so that I always have the last two versions of my files stored offline at all times. In addition, I use a Synology NAS running its Active Backup for Business package, which automatically pulls a copy of all my files nightly AND uses versioning to keep several previous versions ready for restore. Because the NAS pulls the data rather than the workstation pushing it, the workstation never holds credentials to the backup store, which matters if the workstation is the machine that gets infected.
And lastly, use a dedicated cloud backup provider. These are not like the sync services discussed above; they are purpose-built backup services with versioning. My personal favorite is CrashPlan, but there are several other reputable providers such as Backblaze, Carbonite, or IDrive. While I would not expect everyone to back up data in as many ways as I do, the fact is that most people, and even most small businesses, really don’t have good backups at all. Yet good backups are often the only viable way to get your data back after a ransomware attack (or some other kind of catastrophe). So I highly encourage everyone to use at least one of these methods. Your data is more valuable than you may realize, and these options are relatively cheap to implement.
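The difference between "sync" and "versioned backup" is easier to believe when you watch it happen. The following is an added example, written for this post rather than taken from any backup product: a small Python script that models a sync client (which mirrors whatever is on the device) next to a versioned backup with a hash manifest (which never rewrites earlier snapshots), runs a toy XOR "encryptor" over a constructed Documents folder, and then checks which copy can still restore the originals. Everything runs inside a temporary directory; the file names, the snapshot labels and the XOR stand-in for ransomware are all constructed for the demo and the "encryptor" is deliberately trivial and reversible.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest(root: Path) -> dict:
    """Map of relative path -> SHA-256 for every file under root."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def sync_mirror(src: Path, dst: Path) -> None:
    """Models a cloud *sync* client: dst becomes an exact mirror of src.
    Whatever is on the device, good or encrypted, ends up in the cloud."""
    if dst.exists():
        shutil.rmtree(dst)
    shutil.copytree(src, dst)


def versioned_backup(src: Path, vault: Path, label: str) -> Path:
    """Models a backup tool with versioning: each run lands in its own
    snapshot directory plus a hash manifest, and earlier snapshots are
    never modified (the copy the ransomware cannot reach)."""
    snap = vault / label
    shutil.copytree(src, snap)
    lines = [f"{digest}\t{rel}" for rel, digest in manifest(snap).items()]
    (vault / f"{label}.manifest").write_text("\n".join(lines))
    return snap


def verify_snapshot(vault: Path, label: str) -> bool:
    """Recompute hashes and compare with the manifest written at backup time.
    This is the 'test your restores' step most people skip."""
    expected = {}
    for line in (vault / f"{label}.manifest").read_text().splitlines():
        digest, rel = line.split("\t", 1)
        expected[rel] = digest
    return manifest(vault / label) == expected


def fake_ransomware(root: Path, key: int = 0x5A) -> None:
    """Constructed stand-in for an encryptor: XOR every file in place and
    append .locked. NOT real malware, and trivially reversible."""
    for p in [q for q in root.rglob("*") if q.is_file()]:
        p.write_bytes(bytes(b ^ key for b in p.read_bytes()))
        p.rename(p.with_name(p.name + ".locked"))


def restore_snapshot(vault: Path, label: str, dst: Path) -> None:
    if dst.exists():
        shutil.rmtree(dst)
    shutil.copytree(vault / label, dst)


def demo() -> dict:
    """Run the whole scenario in a temp dir and report what survived."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        docs = tmp / "Documents"
        (docs / "photos").mkdir(parents=True)
        (docs / "taxes-2024.txt").write_text("constructed tax return contents")
        (docs / "photos" / "family.jpg").write_bytes(b"\xff\xd8\xff" + b"pixels" * 50)
        original = manifest(docs)

        cloud = tmp / "cloud_sync"
        vault = tmp / "offline_vault"
        vault.mkdir()
        sync_mirror(docs, cloud)                     # day 1: sync client mirrors good files
        versioned_backup(docs, vault, "2025-01-01")  # day 1: nightly versioned backup

        fake_ransomware(docs)                        # day 2: workstation gets encrypted
        sync_mirror(docs, cloud)                     # sync client faithfully uploads the damage
        versioned_backup(docs, vault, "2025-01-02")  # tonight's snapshot is bad, yesterday's is not

        results = {
            "cloud_still_has_originals": manifest(cloud) == original,
            "old_snapshot_intact": verify_snapshot(vault, "2025-01-01"),
        }
        restore_snapshot(vault, "2025-01-01", docs)
        results["restore_matches_original"] = manifest(docs) == original

        # Tamper with a snapshot after the fact: the manifest catches the drift.
        (vault / "2025-01-02" / "taxes-2024.txt.locked").write_bytes(b"corrupted")
        results["tamper_detected"] = not verify_snapshot(vault, "2025-01-02")
        return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The two things worth copying into a real routine are the manifest and the restore test: a backup you have never restored from is a hope, not a backup, and a hash manifest written at backup time is the cheapest way to prove a snapshot is still the one you made.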
User awareness and training – The best defense against ransomware and other types of cyber attacks is you. THAT’S RIGHT… YOU! Many ransomware infections start with phishing emails designed to trick users into clicking malicious links or opening infected attachments. Individuals and employees should be trained to recognize common phishing tactics, verify email senders before interacting with attachments, and hover over links to check their real destination before clicking. While there are some great paid training programs for businesses (like KnowBe4 and Proofpoint), these are generally not available to individuals. If your employer does not offer any kind of security awareness training, I encourage you to ask them to provide some. Failing that, the CISA website and SANS.org offer a wealth of up-to-date information on all kinds of cyber security issues.
Multi-Factor Authentication – Multi-factor authentication (otherwise known as MFA or 2FA) is another essential defense. While it does not stop ransomware from running on a machine, it stops cyber criminals from walking into your online accounts with a stolen password, and a stolen password on a remote-access service such as VPN or RDP is exactly how many ransomware intrusions begin. By requiring a second form of verification, MFA makes it significantly harder for attackers to gain access even if they have your credentials. (Also, make sure you are using strong, unique passwords for every account, preferably managed through a password manager, as this further reduces the risk of credential-based attacks.) Set up and use MFA/2FA whenever and wherever it is an option.
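"Hover over the link and check where it really goes" is the single most useful habit in the awareness paragraph above, and it can be automated. The following is an added example, written for this post and not taken from any mail-filtering product: a small Python script that pulls every link out of an HTML email body and flags the classic tells, namely visible text that shows one URL while the href goes somewhere else, punycode (IDN) hostnames that can impersonate familiar names, raw IP addresses in place of a domain, and hostnames that contain a trusted brand's domain without actually being under it. The sample email, the trusted-domain list, the 203.0.113.5 documentation address and the xn-- label are all constructed for the demo.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed phishing email body for this example (not a real message).
# 203.0.113.5 is a documentation-only address and the xn-- label is made up.
SAMPLE_EMAIL_HTML = """
<p>Your account has been limited. Restore access here:
<a href="http://paypal.com.secure-login-verify.net/reset">https://www.paypal.com/account</a></p>
<p>Or sign in at <a href="https://xn--pple-43d.com/login">PayPal</a>.</p>
<p>Invoice: <a href="http://203.0.113.5/inv.zip">Download invoice</a></p>
<p>Questions? Visit our <a href="https://www.paypal.com/help">Help Center</a>.</p>
"""

# Brands the reader expects mail from. This list is an assumption for the
# demo; a real deployment would use the organization's own trusted domains.
TRUSTED_DOMAINS = ("paypal.com", "microsoft.com")


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html: str):
    parser = _LinkCollector()
    parser.feed(html)
    return parser.links


def host_of(url: str) -> str:
    """Lower-cased hostname with a leading 'www.' dropped, so that
    'paypal.com' and 'www.paypal.com' compare equal."""
    if "://" not in url:
        url = "http://" + url
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


_URLISH = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:[/:?#]|$)", re.I)
_IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def audit_link(href: str, text: str, trusted=TRUSTED_DOMAINS):
    """Return the list of reasons this link deserves a second look."""
    reasons = []
    host = host_of(href)
    if _URLISH.match(text) and host_of(text) != host:
        reasons.append(f"visible URL '{text}' but real destination host is '{host}'")
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode (IDN) hostname, possible homograph of a familiar name")
    if _IPV4.match(host):
        reasons.append("raw IP address instead of a domain name")
    for brand in trusted:
        if brand in host and host != brand and not host.endswith("." + brand):
            reasons.append(f"lookalike: contains '{brand}' but is not under {brand}")
    return reasons


def audit_links(html: str, trusted=TRUSTED_DOMAINS):
    """[(href, reasons)] for every link that raised at least one flag."""
    findings = []
    for href, text in extract_links(html):
        reasons = audit_link(href, text, trusted)
        if reasons:
            findings.append((href, reasons))
    return findings


if __name__ == "__main__":
    for href, reasons in audit_links(SAMPLE_EMAIL_HTML):
        print(href)
        for r in reasons:
            print("   -", r)
```

The lookalike rule is the one that catches the most real phishing: "paypal.com.secure-login-verify.net" contains the brand's whole domain, but the part that matters is the rightmost labels, and those belong to someone else. The same script run over a legitimate message produces no findings, which is the point; the goal is a short list a human will actually read.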
For small businesses – In addition to the above, small businesses should consider network segmentation, an effective way to keep ransomware from spreading throughout an organization. By separating critical systems (servers, backup storage, point-of-sale) from everyday workstations, a business limits the blast radius if a workstation is compromised. Next-generation security tools, such as AI-driven threat detection and behavior-based monitoring, can also help identify anomalies and stop ransomware before it finishes executing.
Ransomware Attack? Steps to Take Immediately
If you suspect a ransomware attack is under way, act immediately. Disconnect the affected machine from the network (Wi-Fi and Ethernet) to stop the malware from spreading; pull the plug if you have to. Isolating from the network is preferable to powering off, since memory may hold evidence (and sometimes keys) that responders can use, so power down only if you cannot isolate. Identify which systems are affected and determine whether you have clean backups available.
Do not pay the ransom under any circumstances. The FBI and other cybersecurity experts strongly discourage paying because it does not guarantee that the criminals will actually decrypt your files, and because it funds further criminal activity. After all, they generally don’t do this for “fun”; they do it to make money, and some even consider it “legitimate” work. Who wants to work without getting paid? See my point? Even if they do decrypt your files after you pay, there is a good chance they will still leak or sell your data, or use it to steal your identity. Paying can also make you a repeat target, as cyber criminals share lists of organizations and individuals who have paid before. The FBI explicitly advises against paying, stating that doing so incentivizes more attacks. The NSA echoes this stance, emphasizing that paying does not ensure data recovery, and the U.S. Treasury’s OFAC has warned that payments to sanctioned groups can violate sanctions law regardless of the victim’s intent.
Report the incident to the authorities, such as the FBI’s Internet Crime Complaint Center (ic3.gov, which shares reports with multiple federal agencies) and your local police. Then consider consulting cybersecurity professionals who may be able to help with decryption tools or alternative recovery options. Free decryptors exist for some strains; the No More Ransom project (nomoreransom.org), run by law enforcement and security vendors, keeps a catalog, and the ransom note and the extension appended to your files usually identify the strain. Keep a copy of the encrypted files even if no decryptor exists today, since one may be released later. If necessary, completely wipe infected systems and restore from clean backups. (You do have backups, right?) If you have no idea how to properly wipe and reload your computer, ask a knowledgeable friend or take it to a local technician. Following these steps can limit the damage and help prevent future infections.
Final Thoughts
Despite law enforcement efforts to dismantle ransomware groups, new variants continue to emerge. Cyber criminals adapt quickly, making it clear that no one is immune, and with AI in their toolbox they are becoming more sophisticated and moving faster than ever. The reality is that most cybersecurity defenses are reactive, meaning measures are often put in place only after new attack methods have been discovered. While it may not be possible to always stay ahead of attackers, individuals and small businesses can still take proactive steps to minimize their risk and speed their recovery. The key to staying protected isn’t just having the latest security tools. It’s maintaining strong, secure digital habits, staying informed, and having a solid backup plan in place. Ransomware isn’t going away anytime soon, but by strengthening defenses and practicing good cybersecurity hygiene, users can make themselves much harder targets.
Stay safe out there, it’s a dangerous world.
-ByteMaverick