Cybersecurity Technologies

Ransomware

Ransomware is a type of malware that encrypts a victim's files, systems, or entire network and demands a ransom payment (typically in cryptocurrency) in exchange for the decryption key. Modern ransomware operations often employ "double extortion," stealing sensitive data before encryption and threatening to publish it if the ransom isn't paid.

What is ransomware?

Ransomware is malware that takes your data hostage. Once executed, it encrypts files across the infected system (and often spreads to connected systems) rendering them inaccessible. The attacker then demands payment, typically in cryptocurrency, for the decryption key that restores access.

Modern ransomware has evolved well beyond simple file encryption:

  • Double extortion. Attackers exfiltrate sensitive data before encrypting it. Even if you restore from backups, they threaten to publish the stolen data unless you pay. This makes backups necessary but no longer sufficient as a complete defense.
  • Ransomware-as-a-Service (RaaS). Criminal organizations build and maintain ransomware platforms, then rent them to affiliates who carry out attacks. This business model has dramatically lowered the barrier to entry: you no longer need to be a skilled developer to launch a ransomware campaign.
  • Triple extortion. Beyond encrypting and exfiltrating data, some groups add DDoS attacks against the victim or contact the victim's customers and partners directly to pressure payment.

Ransomware by the numbers

The financial impact is staggering. The operational disruption is equally severe. The average ransomware incident causes 24 days of downtime before full operational restoration. For a startup, nearly a month of disrupted operations can mean missed launches, lost customers, and burned runway.

Why ransomware targets startups

A high percentage of total reported ransomware attacks are against startups. This isn't random. Small businesses and startups are targeted because:

  1. Weaker defenses. Startups typically have less mature security programs, fewer monitoring tools, and smaller (or nonexistent) security teams. Attackers know they're more likely to succeed.
  2. Higher likelihood of payment. Without robust backup strategies or incident response plans, startups are more likely to see paying the ransom as their only option for recovery.
  3. Valuable data, minimal protection. Startups handling customer data, intellectual property, or financial information have data worth encrypting, but often without the enterprise-grade protections that larger companies deploy.

Ransomware defenses for startups

No single control prevents ransomware. Effective defense is layered:

  • Immutable, tested backups. Maintain offline or immutable backups that ransomware can't encrypt. Test restoration regularly. Backups you've never tested aren't backups.
  • Endpoint detection and response (EDR). Modern EDR tools detect and block ransomware behavior patterns (mass file encryption, process injection) in real time.
  • Email security. Phishing is the most common ransomware delivery vector. Robust email filtering catches most commodity campaigns before they reach inboxes.
  • Least-privilege access. Limit the blast radius. If ransomware executes under a user account with minimal permissions, it can encrypt less data and spread to fewer systems.
  • Patch management. Known vulnerabilities (especially those in CISA's Known Exploited Vulnerabilities catalog, KEV) are actively exploited by ransomware groups. Prioritize patching KEV entries, since CISA flagged 24 vulnerabilities added to KEV in 2025 as exploited by ransomware groups specifically.
  • Incident response plan. Have a documented plan that covers ransomware specifically: who makes the call, how you communicate externally, whether your policy is to pay or not pay, and how you restore operations.
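The EDR bullet above mentions "mass file encryption" as a behavior pattern. The following is an added example (not code from the original page or any EDR vendor) of the simplest form of that detection: it scans a constructed file-rename event log and flags any process that renames many files to one new extension within a short time window. The thresholds, process names, paths and the `.locked` extension are all assumed sample values.

```python
"""Toy mass-rename detector over constructed file-event records (added example)."""
from collections import defaultdict
import os

WINDOW_SECONDS = 10   # assumed detection window
MIN_RENAMES = 20      # assumed threshold; tune for your environment

# Constructed sample file-event log: (timestamp, pid, process, old_path, new_path).
# pid 4242 renames 25 documents to one new extension within ~5 seconds (ransomware-like);
# pid 1337 is a user saving a handful of files normally (extension unchanged).
SAMPLE_EVENTS = (
    [(100 + i * 0.2, 4242, "updater.exe",
      f"/home/a/docs/f{i}.docx", f"/home/a/docs/f{i}.docx.locked") for i in range(25)]
    + [(100 + i * 2, 1337, "libreoffice",
        f"/home/a/docs/r{i}.odt", f"/home/a/docs/r{i}.odt") for i in range(5)]
)

def _ext(path):
    """Lower-cased final extension of a path ('' if none)."""
    return os.path.splitext(path)[1].lower()

def detect_mass_rename(events, window=WINDOW_SECONDS, min_renames=MIN_RENAMES):
    """Return {pid: (process, new_extension, count)} for every process that renames
    at least `min_renames` files to the same new extension inside `window` seconds.
    The count reported is the largest such burst seen for that process."""
    per_pid = defaultdict(list)
    for ts, pid, proc, old, new in events:
        if _ext(old) != _ext(new):          # only extension-changing renames matter
            per_pid[pid].append((ts, proc, _ext(new)))
    hits = {}
    for pid, evs in per_pid.items():
        evs.sort()                          # chronological order for the sliding window
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1                  # drop events older than the window
            span = evs[start:end + 1]
            exts = defaultdict(int)
            for _, _, e in span:
                exts[e] += 1
            ext, count = max(exts.items(), key=lambda kv: kv[1])
            if count >= min_renames and count > hits.get(pid, ("", "", 0))[2]:
                hits[pid] = (span[0][1], ext, count)
    return hits

if __name__ == "__main__":
    for pid, (proc, ext, n) in detect_mass_rename(SAMPLE_EVENTS).items():
        print(f"ALERT pid={pid} process={proc} renamed {n} files to {ext}")
```

Real EDR products combine this with signals such as write entropy, shadow-copy deletion and process ancestry; a rename-burst rule alone will also fire on legitimate bulk converters, so treat it as one layer, not a verdict.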

Frequently asked questions

Should a startup pay the ransom?

Most cybersecurity experts and law enforcement agencies advise against paying. Paying funds criminal operations, there's no guarantee you'll receive a working decryption key (some groups provide partial or non-functional keys), and paying marks you as a willing payer for future attacks. However, the decision is ultimately a business one based on your specific situation: the value of the encrypted data, whether you have viable backups, the business impact of extended downtime, and legal considerations. Some industries have regulations that complicate ransom payments. Consult legal counsel and your cyber insurance provider before making this decision.


How does ransomware get into a system?

The most common entry points are phishing emails (malicious attachments or links), exploitation of known vulnerabilities in internet-facing systems (especially VPNs, remote access tools, and web applications), and compromised credentials (stolen via infostealers or purchased from initial access brokers). Once the attacker has initial access, they typically spend days or weeks performing reconnaissance, escalating privileges, disabling security tools, and exfiltrating data before triggering the encryption. This pre-encryption phase is where detection and response can prevent the worst outcomes.


Does cyber insurance cover ransomware?

Many cyber insurance policies cover ransomware incidents, including ransom payments, recovery costs, business interruption, legal expenses, and breach notification costs. However, coverage varies significantly between policies. Some exclude ransomware payments entirely, others require specific security controls as conditions for coverage (MFA, EDR, backup practices). Premiums have increased substantially due to ransomware claim frequency. If you're considering cyber insurance, review the specific ransomware coverage terms, understand what security controls the policy requires, and ensure your organization meets those requirements before an incident occurs.

