Ransomware is the most prevalent cyber threat to businesses globally, with victims of all sizes falling prey to security breaches. The impacts are both immediate (business continuity risk from suspended operations, considerable costs and potential exposure of valuable and sensitive data) and ongoing (reputational and brand damage). So how can businesses better understand ransomware cyber risk, and what should they do if a ransomware attack occurs?

While ransomware attacks on large organisations are widely reported and becoming more common, the extent of attacks on small to medium size businesses (SMEs) is also a key concern, with an IT report[1] finding that four in 10 SME clients had been victims of a ransomware attack and almost 30% had sustained more than one ransomware cyber incident.

What happens in a ransomware cyber attack?

Ransomware is a common and dangerous type of cyber threat in which criminals use malicious software (malware) to lock or encrypt your files so that you can no longer access part or all of your business systems.

Once the malware has made the files inaccessible, the criminal behind the attack demands a ransom payment in exchange for the decryption key that 'unlocks' the files and restores access to business systems.

With businesses of all sizes reliant on business systems to operate, the inability to access them and the risks of having business data and information compromised by malware is a threat for far too many businesses — and their operations.

What are the main causes of ransomware attacks?

Most ransomware attacks on Australian businesses exploit weaknesses in the target business's computer systems (37% of cases), followed by compromised credentials, where human error is more likely to be involved (24% of cases)[2].

The malware tools used by cyber criminals are also becoming harder for security systems to detect, and more successful at masking their activity inside popular cloud and messaging applications.

The main methods used to gain access for ransomware attacks on businesses include:

  • phishing emails
  • email attachments
  • remote desktop protocol (RDP) logins (such as service or support teams being granted permission by a user to access that user's system)
  • software vulnerabilities
  • malicious links on social media
  • malvertising, or clicking a legitimate ad that has malicious code in it
  • installing infected programs or applications
  • visiting an unsafe or fake website or opening/closing a malicious pop-up
  • traffic distribution system (TDS): clicking a link on a legitimate website that redirects to a malicious website
  • an employee inserting an infected USB directly into their computer.

Should your business pay a ransom to cyber criminals?

Government advice is to never pay a ransom. Sanctions, anti-money laundering and counter-terrorism laws forbid businesses from paying a ransom where the payment funds criminal activities.

There are also other disadvantages to paying a ransom (aside from the cost).

  • 'Double dipping', where cyber criminals demand a ransom and then also sell your information on the Dark Web.
  • Paying the ransom may increase the overall cost of retrieving stolen data, through prolonged negotiation and downtime.
  • Payment may not deliver a faster recovery than restoring from back-ups.

Business cyber attack case study: SME medical practice repeatedly held to ransom

A specialised practice employing 30 staff suffered repeated ransomware attacks because of its reliance on technical equipment and the pressure to pay ransom demands in order to keep its doors open.

The business engaged an IT professional services company, which immediately implemented the Australian Cyber Security Commission's (ACSC) 'essential eight' cyber security measures[3]. These included updating software and other actions to minimise exposure (such as restricting administrative access), as well as measures to block and contain attempted attacks (firewalls, sandboxes and back-ups).

This combined approach succeeded in halting the repeated ransomware attacks.

How cyber insurance protects your business in the event of a ransomware attack

In the event of a cyber attack, a robust cyber insurance policy provides access to experts not only in negotiation but also in forensic investigation and remediation, as well as cover for the legal and reputational costs involved.

Cyber insurance provides expertise and support in a ransomware demand situation, including:

  • access to experts
  • system damage remediation
  • cover for the legal and reputational costs involved
  • cover for eligible ransom payment costs, where applicable
  • cover for loss of revenue through downtime.

In addition to cyber insurance protection, our cyber specialism offers expertise, advice and resources for building business cyber resilience.

Gallagher provides insurance, risk management and benefits consulting services for clients in response to both known and unknown risk exposures. When providing analysis and recommendations regarding potential insurance coverage, potential claims and/or operational strategy in response to national emergencies (including health crises), we do so from an insurance and/or risk management perspective, and offer broad information about risk mitigation, loss control strategy and potential claim exposures. We have prepared this commentary and other news alerts for general information purposes only and the material is not intended to be, nor should it be interpreted as, legal or client-specific risk management advice. General insurance descriptions contained herein do not include complete insurance policy definitions, terms and/or conditions, and should not be relied on for coverage interpretation. The information may not include current governmental or insurance developments, is provided without knowledge of the individual recipient's industry or specific business or coverage circumstances, and in no way reflects or promises to provide insurance coverage outcomes that only insurance carriers' control.

Gallagher publications may contain links to non-Gallagher websites that are created and controlled by other organisations. We claim no responsibility for the content of any linked website, or any link contained therein. The inclusion of any link does not imply endorsement by Gallagher, as we have no responsibility for information referenced in material owned and controlled by other parties. Gallagher strongly encourages you to review any separate terms of use and privacy policies governing use of these third party websites and resources.

Insurance brokerage and related services to be provided by Arthur J. Gallagher & Co (Aus) Limited (ABN 34 005 543 920). Australian Financial Services License (AFSL) No. 238312