Ransomware basics

Ransomware is a serious form of cyber extortion that employs malware to prevent users from accessing their systems or data, either by locking the system or encrypting critical files until a ransom is paid. The hacker holds the key to unlock the system and usually demands payment in cryptocurrency.

Ransomware has been a known cyber threat vector for over a decade. In recent years, hackers have embraced increasingly sophisticated methods to exploit vulnerabilities and introduce ransomware into systems. They have also expanded the scope of impact by targeting enterprise-wide systems and databases, crippling many companies across industry sectors, including healthcare. Recently, the Federal Bureau of Investigation (FBI), U.S. Department of Health and Human Services (HHS) and the Federal Cybersecurity and Infrastructure Security Agency (CISA) released a report calling attention to the rampant ransomware activity targeting the healthcare sector.

Lessons learned from impact in healthcare

Ransomware affects companies of all shapes and sizes across all industry segments, but there have been several high-profile cases where healthcare companies were infected by ransomware and held hostage for millions of dollars in ransom. These companies were temporarily forced to shut down operations, turn away patients, and attempt to work on paper-based records. Ransomware is uniquely problematic in healthcare settings where disruption of IT systems can directly harm patient safety.

The human factor

Human error is still one of the primary reasons ransomware infects systems.

Ransomware attacks typically begin with phishing or spoofing, fooling users into downloading malware by opening infected emails, clicking on attachments, or visiting illegitimate webpages. Hackers similarly entice users to click on catchy banner ads that may appear legitimate but actually trigger a download of ransomware. One predominant example of ransomware is called “Ryuk,” and you can read about how it works here.

Requested ransom has been known to vary greatly, and can increase dramatically depending on the target and sensitivity of the systems or files that have been encrypted.

What can you do to protect against ransomware?

In the past, ransomware focused on localized attacks like locking down a target’s keyboard or computer, but more recently hackers have expanded to encrypting enterprise-wide networks and file shares, rather than individual endpoint devices.

Key mitigation activities may include:

  1. Employ reputable antivirus software and a strong firewall. A company should maintain a strong firewall and keep its security software patched and updated at all times; this helps prevent ransomware from entering the system. Companies should also use next-generation antivirus software that regularly scans the network for known malware signatures and uses behavioral analysis to ferret out ransomware.
  2. Back up often. A company should regularly back up files to minimize the risk of data loss. This reduces the impact of ransomware, as affected systems can be disconnected, shut down, wiped and restored from backups.
  3. Enable website popup blockers. Popups are a prime tactic used to conduct ransomware attacks, so company web browsers should be configured to block popups by default. Company personnel should also be trained on phishing and malware prevention.
  4. Enable proxy blocking. A company should set web-filtering rules to block access to certain websites and domains. Proxy blocking can also block downloadable content from websites. This approach prevents users from inadvertently visiting malicious websites or downloading malicious files.
  5. Limit file sharing. A company’s sensitive data should be segregated from its organizational and operational data, and sharing of sensitive data should be restricted to a highly secure production environment.
  6. Patch and install the latest versions of critical software. Companies should apply security patches on an ongoing basis, which can significantly reduce vulnerability and blunt the impact of ransomware.
  7. Employ secure Internet and email practices. Organizations should block certain file extensions sent by email, especially executable files like .exe, .js, and .wsf. They should also scan the contents of compressed files like .zip archives. Users should be trained not to click on links inside suspicious emails and to avoid visiting suspicious websites.
  8. Conduct ongoing security training. A business should routinely train its personnel on malware, hacking threats, and cybersecurity best practices. Employees should be trained to be cautious with emails and requests for personal data (especially login information). Personnel should also be careful when opening email attachments or clicking on links in emails, no matter the sender, and should check that the website they are visiting is secure (look for a URL that starts with https://, where the “s” stands for secure, rather than just http://).
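Item 7 above (blocking executable attachments and scanning inside .zip files) can be expressed as a simple mail-gateway check. The following is an added example written for this page, not code from the original post; the policy lists, the message builder and its attachment names are constructed for illustration, and a real gateway would run this on every inbound message.

```python
import io
import zipfile
from email import message_from_bytes
from email.message import EmailMessage
from email.policy import default

# Extensions the post recommends blocking outright at the mail gateway.
BLOCKED_EXTENSIONS = {".exe", ".js", ".wsf"}
# Archive types whose contents are inspected rather than trusted by name.
ARCHIVE_EXTENSIONS = {".zip"}


def _ext(name: str) -> str:
    """Lower-cased extension of a filename, or '' if it has none."""
    name = name.lower()
    return name[name.rfind("."):] if "." in name else ""


def check_attachment(filename: str, data: bytes) -> list[str]:
    """Return the policy violations for one attachment (empty list = allowed)."""
    reasons = []
    ext = _ext(filename)
    if ext in BLOCKED_EXTENSIONS:
        reasons.append(f"blocked extension {ext} in {filename}")
    elif ext in ARCHIVE_EXTENSIONS:
        try:  # look inside the archive for the same blocked types
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.namelist():
                    if _ext(member) in BLOCKED_EXTENSIONS:
                        reasons.append(f"blocked file {member} inside {filename}")
        except zipfile.BadZipFile:
            reasons.append(f"unreadable archive {filename}")
    return reasons


def check_message(raw: bytes) -> list[str]:
    """Parse a raw RFC 5322 message and check every attachment."""
    msg = message_from_bytes(raw, policy=default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "unnamed"
        findings.extend(check_attachment(name, part.get_payload(decode=True) or b""))
    return findings


def build_sample() -> bytes:
    """Constructed sample message: a .zip hiding a .js file plus a bare .exe."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.pdf", b"%PDF-1.4 harmless placeholder")
        zf.writestr("Invoice_Details.js", b"// constructed placeholder, not a script")
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "sender@example.com", "user@example.com", "Invoice"
    msg.set_content("See attached.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="invoice.zip")
    msg.add_attachment(b"MZ", maintype="application", subtype="octet-stream", filename="setup.exe")
    return bytes(msg)
```

Extension matching is case-insensitive, and a corrupt archive is reported rather than silently passed, since an unreadable file cannot be scanned.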

What do you do if you suspect a system is infected with ransomware?

  • First, report the suspicious activity to the Legal Department and IT security.
  • Follow incident response policies and procedures.
  • If possible, disconnect from the internet immediately to reduce the risk of the hacker remaining in the system, spread of the ransomware in the network, and exfiltration of sensitive data.
  • Shut down the computers or servers that have been infected.
  • Do NOT negotiate or pay the ransom amount. This should be determined by your organization’s leadership in consultation with legal counsel, law enforcement, and its insurance company.
  • Cooperate fully in any follow-up investigations conducted by the company as well as government agencies like the FBI Cybersecurity Task Force.