The list of ransomware victims has grown to include financial institutions, hospitals, government departments, school districts, businesses and even law enforcement agencies. 

Ransomware attacks are especially destructive – in a typical attack, cybercriminals encrypt precious data files and refuse to release them until payment is received. Mainly delivered through spam or phishing emails, the malware renders computer systems, devices or files inaccessible, and holds the victim hostage until they make the payment, usually in the form of bitcoins.

In March 2016, 93% of phishing scams distributed ransomware, according to research from the Leesburg, Va.-based PhishMe. The Sunnyvale, Calif.-based security firm Proofpoint's analysis of first quarter 2016 threats and trends revealed ransomware vaulted into the top ranks of cybercriminals' preferred malware. Nearly one-quarter of document attachment-based email attacks in the first quarter featured the new Locky ransomware.

“Victims are faced with the choice of paying up or losing all their valuable data forever. Unfortunately, this approach works for cybercriminals, because consumers and businesses are unprepared for their data, whether it's a business' intellectual property or family photos, to be taken from them with no hope of retrieval unless they pay,” Usman Choudhary, chief product officer at the Reston, Va.-based ThreatTrack Security, said. “Understandably, nearly one in three security professionals at companies say they'd be willing to pay for the safe recovery of stolen or encrypted data, and that number jumps to 55% at organizations that have already been targeted. Meanwhile, your average home user feels as if they have no choice but to pay.”

No one is immune, not even law enforcement officials. Last year, a Massachusetts police department paid $500 to cyberextortionists to decrypt its files. The FFIEC and FBI both issued recent alerts about ransomware.

In addition, in newly identified ransomware incidents, some cybercriminals did not use email.

FBI Cyber Division Assistant Director James Trainor said, “These criminals have evolved over time and now bypass the need for an individual to click on a link. They do this by seeding legitimate websites with malicious code, taking advantage of unpatched software on end-user computers.”

What can organizations do to protect themselves? ThreatTrack's VIPRE antivirus team provided five tips to help prevent cybercriminals from getting hold of data:

1. Back up data. External hard drives, which keep dropping in price and growing in capacity, offer an affordable way to back up information. There are also numerous cloud-based options, such as Carbonite, CrashPlan and Mozy, for automatically backing up data to offsite servers. They store data in the cloud, so in addition to helping to recover data after a ransomware attack, the cloud backup protects information in the event of a physical disaster such as a fire, flood, tornado or earthquake.

2. Get on a schedule. Backing up data is important, but so is knowing when the last backup occurred. ThreatTrack recommended backing up data at least once a week and, ideally, once a day.

3. Be aware of phishing emails. Stay educated and keep employees informed on the latest social engineering tactics used to lure people into clicking on malicious links and attachments. Simply sending out regular communications about the various tactics and terms — spam, malware, spear-phishing, whaling — helps staff become more vigilant about identifying phishing attempts. Online tutorials and security awareness training services can also help.

4. Practice safe computing and update software. Ransomware authors often exploit vulnerabilities in popular software applications. Keeping those applications up to date minimizes the exposure to potential attacks. Commonly targeted applications include Adobe Reader, Adobe Flash, Java, Google Chrome, iTunes, Skype and Firefox.

5. Separate work data and files from personal data and files. A January ThreatTrack Security survey showed nearly one-third of IT security staff were asked to remove malware from an executive's computer or device because the executive had let a family member use it. With so many people working from home, it can be hard to separate work from personal life, but keeping the two worlds separate can go a long way in protecting data and minimizing cyberrisks.

Roy Urrico

Roy W. Urrico specializes in articles about financial technology and services for Credit Union Times, as well as ghostwriting, copywriting, and case studies. He has also been writer/editor of a semi-annual newsletter for the Association for Financial Technology since 1997 and of history projects funded by the U.S. Interior Department, National Park Service and Warren County (N.Y.).