A Single Click That Cost a Hospital $22 Million

In February 2024, Change Healthcare, the payment processing backbone for thousands of U.S. hospitals and pharmacies, was hit by the ALPHV/BlackCat ransomware group. UnitedHealth Group, its parent company, confirmed paying approximately $22 million in ransom. The attack disrupted prescription processing for weeks and, by UnitedHealth's own estimate, exposed the health data of roughly one-third of Americans. If you've ever wondered what ransomware is, that's it in one brutal headline.

I've worked incident response cases where the victim had no backups, no plan, and no idea how the threat actor got in. Every single time, the root cause was preventable. This post breaks down exactly what ransomware is, how it infiltrates your organization, and the specific steps you can take right now, not next quarter, to avoid becoming the next case study.

What Is Ransomware, Exactly?

Ransomware is malicious software that encrypts your files, locks your systems, or both — then demands payment (usually in cryptocurrency) to restore access. Modern variants don't just encrypt. They exfiltrate your data first and threaten to publish it if you don't pay. This is called double extortion, and it's now the norm, not the exception.

The ransom demand can range from a few thousand dollars for a small business to tens of millions for enterprises and critical infrastructure. According to IBM's 2024 Cost of a Data Breach Report, the global average cost of a data breach reached $4.88 million. That figure measures detection, downtime, remediation, notification, legal fees, and lost business, not the ransom itself, so a ransomware incident that also ends in a payment costs more.

How Ransomware Has Evolved Since 2020

Five years ago, ransomware was mostly a smash-and-grab operation. Encrypt files, demand Bitcoin, move on. In 2025, it's a full-blown criminal enterprise. Ransomware-as-a-Service (RaaS) platforms let affiliates, operators who never have to write a line of malware themselves, deploy mature, well-tested ransomware in exchange for a cut of the proceeds.

Groups like LockBit, Cl0p, and BlackCat have operated with business-like efficiency: customer support portals for victims, negotiation teams, and even bug bounty programs for their own malware. The CISA Stop Ransomware initiative tracks these groups and publishes advisories regularly. If you're not subscribed to their alerts, fix that today.

How Ransomware Gets Into Your Network

Here's what actually happens in most of the cases I've seen. It's not some genius hacker breaking through a firewall with custom zero-day exploits. It's almost always one of these three things.

1. Phishing Emails — Still the #1 Entry Point

The Verizon 2024 Data Breach Investigations Report found that phishing and pretexting accounted for the majority of social engineering attacks leading to breaches. A well-crafted phishing email tricks an employee into clicking a malicious link or opening an infected attachment. That single action can give attackers a foothold in your environment.

Credential theft through phishing is especially dangerous. Once a threat actor has valid credentials, they can move laterally through your network, escalate privileges, and deploy ransomware across multiple systems simultaneously. This is why phishing awareness training for organizations isn't optional — it's a frontline defense.

2. Exploited Vulnerabilities in Public-Facing Systems

Unpatched VPN appliances, remote desktop protocol (RDP) exposed to the internet, outdated web servers — these are candy for ransomware operators. The Cl0p group's mass exploitation of the MOVEit Transfer vulnerability in 2023 compromised over 2,500 organizations. They didn't need to phish anyone. They just scanned for vulnerable systems and walked in.

3. Compromised Remote Access and Weak Credentials

RDP with no multi-factor authentication is an open invitation. I've seen organizations running RDP on default ports with passwords like "Summer2024!" — and then wondering how they got breached. Threat actors buy stolen credentials on dark web marketplaces for a few dollars and try them against every exposed service they can find.

The $4.88M Lesson Most Small Businesses Learn Too Late

There's a persistent myth that ransomware only targets large enterprises. The data says otherwise. The FBI's Internet Crime Complaint Center (IC3) has consistently reported that small and mid-sized businesses are disproportionately affected because they lack dedicated security staff and often have weaker controls.

A 50-person accounting firm doesn't make the news when it gets hit. But that firm may close its doors permanently. I've personally seen two small businesses shut down within six months of a ransomware attack — not because of the ransom payment, but because of the weeks of downtime, lost clients, and shattered trust.

Your organization doesn't need a massive security budget to build resilience. It needs the fundamentals done well. That starts with training your people. A comprehensive cybersecurity awareness training program addresses the human vulnerabilities that technology alone can't fix.

Should You Pay the Ransom?

This is the question everyone asks. Here's the honest answer: it depends, and there's no universally right call. But here's what you need to know before you even consider it.

The Case Against Paying

  • No guarantee of recovery. In many cases, decryption tools provided by attackers are slow, buggy, or incomplete. Some organizations paid and still couldn't restore their data.
  • You fund the next attack. Every ransom payment feeds the RaaS ecosystem and incentivizes more attacks.
  • Legal risk. The U.S. Treasury's Office of Foreign Assets Control (OFAC) has warned that paying ransom to sanctioned entities can result in federal penalties — even if you didn't know the group was sanctioned.
  • You may still get extorted. Double extortion means they already have your data. Paying for decryption doesn't guarantee they won't leak it anyway.

The Painful Reality

Some organizations pay because they literally cannot operate without the encrypted data and have no viable backups. Hospitals facing life-or-death situations have paid. I don't judge those decisions. I judge the lack of preparation that made payment the only option.

7 Specific Steps to Defend Against Ransomware in 2025

I'm not going to give you vague advice like "be more secure." Here are concrete actions, ranked by impact.

1. Implement Multi-Factor Authentication Everywhere

MFA on email, VPN, RDP, cloud services, admin consoles, everything. If a threat actor steals credentials, MFA is the wall that stops those credentials from being used at the login boundary, which is where most intrusions begin. Prioritize phishing-resistant MFA like FIDO2 hardware keys over SMS codes, which can be SIM-swapped, and over plain push prompts, which attackers defeat by flooding the user with approvals until one gets tapped. If you must use push, turn on number matching.

2. Maintain Offline, Tested Backups

The word "tested" is doing heavy lifting here. I've seen organizations with backup solutions that hadn't been verified in two years. When ransomware hit, they discovered their backups were corrupted or incomplete. Follow the 3-2-1 rule: three copies of data, on two different media types, with one stored offline or air-gapped. Two details matter as much as the rule itself. First, the backup copy must not be reachable with the same credentials that run your domain, because operators hunt for and delete backups before they detonate; use immutable or write-once storage and separate accounts. Second, "tested" means you actually restored files and compared them against what you backed up, on a schedule, not that the backup job reported success.
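A restore test is only meaningful if you can tell a good restore from a quiet failure. The script below is an added example, not code from the original post or from any backup product: it builds a SHA-256 manifest of the source tree, then verifies a restored tree against it and reports files that are missing, files whose contents changed (corrupted or encrypted), and files the manifest never listed (ransom notes, renamed ".locked" files). The directory layout and file contents are constructed inside the demo; in practice you would write the manifest at backup time and store it with the backup, not regenerate it from a source that may already be compromised.

```python
"""Backup integrity check: build a hash manifest from the source, then verify a
restore target against it.

Added example, not from the original post. Paths and file contents are
constructed in demo(); the manifest would normally be produced at backup time
and kept with the backup copy.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def build_manifest(root: Path) -> dict[str, str]:
    """Map each relative file path under root to its SHA-256 hex digest."""
    manifest: dict[str, str] = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            h = hashlib.sha256()
            with path.open("rb") as f:
                for chunk in iter(lambda: f.read(1 << 20), b""):
                    h.update(chunk)
            manifest[path.relative_to(root).as_posix()] = h.hexdigest()
    return manifest


def verify_restore(manifest: dict[str, str], restored: Path) -> dict[str, list[str]]:
    """Compare a restored tree against the manifest.

    Returns three lists: files missing from the restore, files whose contents
    differ from the manifest (corrupted or encrypted), and files present in the
    restore that the manifest never listed (ransom notes, renamed files).
    """
    current = build_manifest(restored)
    missing = [p for p in manifest if p not in current]
    modified = [p for p in manifest if p in current and current[p] != manifest[p]]
    unexpected = [p for p in current if p not in manifest]
    return {"missing": missing, "modified": modified, "unexpected": unexpected}


def demo() -> dict[str, list[str]]:
    """Constructed scenario: take a manifest, then check a damaged restore."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "source"
        dst = Path(tmp) / "restore"
        (src / "finance").mkdir(parents=True)
        (src / "finance" / "ledger.csv").write_text("acct,amount\n1001,42.00\n")
        (src / "notes.txt").write_text("quarterly planning\n")
        manifest = build_manifest(src)

        # Simulate a restore that is incomplete and partly encrypted.
        (dst / "finance").mkdir(parents=True)
        (dst / "finance" / "ledger.csv").write_bytes(os.urandom(64))  # "encrypted"
        (dst / "README_TO_RESTORE.txt").write_text("pay us\n")        # ransom note
        # notes.txt is never restored, so it should be reported as missing.
        return verify_restore(manifest, dst)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

A clean restore returns three empty lists; anything else fails the test, and the "unexpected" list is a cheap way to catch an image that was taken after the attacker had already touched the data.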

3. Run Phishing Simulations Monthly

Your employees are your largest attack surface. Regular phishing simulations — not annual checkbox exercises — build muscle memory. When someone gets a suspicious email, you want their instinct to be "report it" not "click it." Structured phishing simulation and awareness programs reduce click rates dramatically over time.

4. Patch Aggressively, Especially Edge Devices

VPN concentrators, firewalls, email gateways, and file transfer appliances sit at the perimeter and are targeted first. When CISA adds a vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, treat that as a fire alarm, not a suggestion. Patch within 48 hours or isolate the asset. The catalog's own due dates are deadlines for federal agencies and should be your outer bound, not your target, and its "known ransomware campaign use" flag tells you which entries to take first.
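Turning that rule into a daily check is mechanical once you have an asset inventory. The script below is an added example, not code from the original post or from CISA: it matches inventory entries against a KEV excerpt by vendor and product, skips CVEs already recorded as remediated, computes the 48-hour deadline from the catalog's dateAdded, and sorts what is left so that overdue, internet-facing, ransomware-linked exposures come first. The KEV excerpt is constructed with placeholder IDs (CVE-0000-...) but uses the real field names of known_exploited_vulnerabilities.json; the inventory format, the hostnames, and the 48-hour policy are assumptions.

```python
"""Check an asset inventory against a KEV excerpt and flag entries past the
48-hour patch-or-isolate deadline.

Added example, not from the original post or from CISA. KEV_SAMPLE is a
constructed excerpt with placeholder CVE IDs but real KEV field names; the
inventory format and PATCH_SLA are assumptions.
"""
import json
from datetime import datetime, timedelta, timezone

PATCH_SLA = timedelta(hours=48)

KEV_SAMPLE = json.dumps({
    "vulnerabilities": [
        {"cveID": "CVE-0000-0001", "vendorProject": "ExampleVPN", "product": "Gateway",
         "dateAdded": "2025-03-10", "dueDate": "2025-03-31",
         "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-0000-0002", "vendorProject": "ExampleMail", "product": "Gateway",
         "dateAdded": "2025-03-12", "dueDate": "2025-04-02",
         "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-0000-0003", "vendorProject": "OtherVendor", "product": "Widget",
         "dateAdded": "2025-03-01", "dueDate": "2025-03-22",
         "knownRansomwareCampaignUse": "Known"},
    ]
})

# Constructed inventory: vendor/product are lower-cased for matching, and
# "remediated" records CVEs already patched on that host.
INVENTORY = [
    {"host": "vpn-edge-01", "vendor": "examplevpn", "product": "gateway",
     "internet_facing": True, "remediated": set()},
    {"host": "mail-gw-01", "vendor": "examplemail", "product": "gateway",
     "internet_facing": True, "remediated": set()},
    {"host": "build-07", "vendor": "othervendor", "product": "widget",
     "internet_facing": False, "remediated": {"CVE-0000-0003"}},
]


def kev_exposures(kev_json: str, inventory: list[dict], now: datetime) -> list[dict]:
    """Return unremediated KEV matches for the inventory, worst first."""
    entries = json.loads(kev_json)["vulnerabilities"]
    findings = []
    for asset in inventory:
        for v in entries:
            key = (v["vendorProject"].lower(), v["product"].lower())
            if key != (asset["vendor"], asset["product"]):
                continue
            if v["cveID"] in asset["remediated"]:
                continue
            # KEV only gives a date, so start the clock at 00:00 UTC of that day;
            # this is the conservative (earliest) reading of the deadline.
            added = datetime.strptime(v["dateAdded"], "%Y-%m-%d").replace(tzinfo=timezone.utc)
            deadline = added + PATCH_SLA
            findings.append({
                "host": asset["host"],
                "cve": v["cveID"],
                "ransomware_use": v["knownRansomwareCampaignUse"] == "Known",
                "internet_facing": asset["internet_facing"],
                "deadline": deadline.isoformat(),
                "overdue": now > deadline,
                "federal_due": v["dueDate"],
            })
    # Sort: overdue first, then internet-facing, then known ransomware use.
    findings.sort(key=lambda f: (not f["overdue"], not f["internet_facing"],
                                 not f["ransomware_use"], f["host"]))
    return findings


def demo(now_iso: str = "2025-03-13T12:00:00+00:00") -> list[dict]:
    """Run the check at a fixed, constructed 'now' so the result is reproducible."""
    return kev_exposures(KEV_SAMPLE, INVENTORY, datetime.fromisoformat(now_iso))


if __name__ == "__main__":
    for f in demo():
        state = "OVERDUE" if f["overdue"] else "due " + f["deadline"]
        print(f"{f['host']:12} {f['cve']:14} {state}  ransomware={f['ransomware_use']}")
```

Against the live feed you would replace KEV_SAMPLE with the downloaded JSON and feed it your CMDB export; the matching stays the same. Vendor and product strings in KEV are not perfectly consistent, so expect to maintain a small alias table for your own appliances.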

5. Adopt a Zero Trust Architecture

Zero trust means no implicit trust for any user, device, or network segment. Every access request is verified. Network segmentation limits blast radius so that if one workstation is compromised, the attacker can't pivot directly to your file servers or domain controllers. NIST Special Publication 800-207 provides a solid framework for implementing zero trust — it's available at nist.gov.

6. Deploy Endpoint Detection and Response (EDR)

Signature-based antivirus misses modern ransomware, which is rebuilt per affiliate and often run from living-off-the-land tooling. EDR solutions monitor endpoint behavior in real time and can detect and isolate ransomware activity, such as one process rewriting and renaming hundreds of files in seconds, before the whole share is gone. Make sure your EDR covers servers, not just workstations. Ransomware operators target servers first because that's where the critical data lives. And turn on tamper protection: operators routinely try to uninstall or blind the agent before they detonate, so an alert on a stopped sensor is itself a high-priority signal.
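The detection EDR performs here is behavioral, not signature-based, and the core of it fits in a page. The script below is an added example, not code from the original post or from any EDR product: it scores each file write as suspicious when the written bytes have near-maximal Shannon entropy (encrypted or compressed data sits close to 8 bits per byte) or when the file gained a new extension, and raises an alert when one process produces five such writes within ten seconds. The file events, the process names, and the thresholds are constructed; a real deployment tunes them and allowlists known archivers and backup agents, which legitimately write high-entropy data but not at that rate.

```python
"""Behavioral detector for mass file encryption: one process writing many
high-entropy files, or renaming files to a new extension, in a short window.

Added example, not from the original post or from any EDR product. The events
in build_sample_events() are constructed; the thresholds are assumptions.
"""
import math
import os
import random
from collections import Counter, defaultdict, deque

ENTROPY_THRESHOLD = 7.0   # bits per byte; encrypted/compressed data is near 8
WINDOW_SECONDS = 10.0
ALERT_COUNT = 5           # suspicious writes per process within the window


def shannon_entropy(data: bytes) -> float:
    """Plug-in Shannon entropy of a byte string, in bits per byte (0..8)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def is_suspicious(event: dict) -> bool:
    """A write looks like encryption if its payload has high entropy, or the
    file was renamed with a different extension (report.docx -> report.docx.locked)."""
    if shannon_entropy(event["data"]) >= ENTROPY_THRESHOLD:
        return True
    old = event.get("renamed_from")
    return old is not None and os.path.splitext(old)[1] != os.path.splitext(event["path"])[1]


def detect(events: list[dict]) -> list[tuple[str, float]]:
    """Sliding-window count of suspicious writes per process.

    Returns (process, timestamp) pairs, one alert per process, at the moment
    the count within WINDOW_SECONDS first reaches ALERT_COUNT.
    """
    windows: dict[str, deque] = defaultdict(deque)
    alerted: set[str] = set()
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if not is_suspicious(ev):
            continue
        q = windows[ev["process"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > WINDOW_SECONDS:
            q.popleft()
        if len(q) >= ALERT_COUNT and ev["process"] not in alerted:
            alerted.add(ev["process"])
            alerts.append((ev["process"], ev["ts"]))
    return alerts


def build_sample_events() -> list[dict]:
    """Constructed file-write telemetry (ts in seconds, payload bytes inline)."""
    rng = random.Random(7)
    events = []
    # Legitimate: a backup agent writes two compressed archives, 90 s apart.
    for i, t in enumerate((0.0, 90.0)):
        events.append({"ts": t, "process": "backup-agent",
                       "path": f"/srv/backup/job{i}.zip", "data": rng.randbytes(4096)})
    # Normal: a user saves a low-entropy document.
    events.append({"ts": 5.0, "process": "winword",
                   "path": "/home/u/report.docx", "data": b"quarterly report text " * 200})
    # Constructed ransomware behavior: rewrite and rename eight files in four seconds.
    for i in range(8):
        events.append({"ts": 100.0 + i * 0.5, "process": "enc_payload",
                       "path": f"/home/u/doc{i}.docx.locked",
                       "renamed_from": f"/home/u/doc{i}.docx",
                       "data": rng.randbytes(4096)})
    return events


if __name__ == "__main__":
    for process, ts in detect(build_sample_events()):
        print(f"ALERT: {process} mass-encryption pattern at t={ts}s")
```

Entropy alone is a weak signal (every zip and every JPEG trips it), which is why the rate and the rename are combined: two archives a minute apart stay under the threshold, eight rewrites with a new extension inside four seconds do not. In a real agent the response to the alert is to suspend the process and isolate the host, which is what "isolate within seconds" means in practice.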

7. Build and Practice an Incident Response Plan

A plan that lives in a SharePoint folder nobody has read is not a plan. Run tabletop exercises at least twice a year. Include leadership, legal, communications, and IT. Everyone should know: Who makes the call to isolate systems? Who contacts law enforcement? Who handles media inquiries? Rehearsing these decisions under low stress prepares you for the real thing.

What to Do in the First 60 Minutes of a Ransomware Attack

If ransomware detonates in your environment, the first hour determines whether you lose a few systems or your entire network. Here's the playbook.

Contain Immediately

Disconnect affected systems from the network. Prefer not to power them off, because that destroys the evidence in memory (running processes, injected code, sometimes the encryption key) that forensics depends on. Isolate at the network switch level, disable the host's network adapter, or use your EDR's network-containment feature. The one exception: if a machine is actively encrypting a file share and you cannot cut its network access, pulling the power is better than losing the share. If you suspect a domain controller is compromised, isolate it immediately, even though that breaks authentication for everyone. Every second it's connected, the attacker can push ransomware to more endpoints via Group Policy.

Preserve Evidence

Take memory captures and disk images before remediation. You'll need this for forensics, insurance claims, and law enforcement. If you have cyber insurance, contact your carrier within the first hour — most policies have strict notification windows.

Engage Law Enforcement

Report to the FBI's IC3 and your local FBI field office. They may have decryption keys from prior investigations or intelligence on the specific threat actor targeting you. There's no downside to reporting. They won't shut down your business or take your servers.

Communicate Carefully

Don't blast an all-company email saying "we've been hacked" before you understand the scope. Work with legal to craft accurate, measured communications. Depending on what data was affected, you may have regulatory notification obligations under HIPAA, state breach notification laws, or GDPR.

Security Awareness Is the Foundation, Not the Ceiling

Technology matters. EDR, MFA, network segmentation, zero trust — all essential. But every one of those controls can be undermined by a single employee who falls for a social engineering attack. The Verizon DBIR has shown year after year that the human element is involved in the majority of breaches.

Investing in ongoing security awareness training isn't a soft initiative. It's a hard control that directly reduces your risk of a data breach. It trains your people to recognize credential theft attempts, report suspicious activity, and think before they click. When every employee becomes a sensor, your detection capability multiplies overnight.

Ransomware Isn't Going Away — But You Can Be Ready

Every week in 2025, another organization learns what ransomware is the hard way. Schools, hospitals, manufacturers, law firms, municipalities — no sector is immune. The threat actors are organized, well-funded, and patient. They'll sit in your network for weeks before deploying ransomware, mapping your environment and disabling your backups first.

The organizations that survive these attacks aren't the ones with the biggest budgets. They're the ones that took preparation seriously before the crisis. Tested backups, trained employees, segmented networks, practiced response plans. None of this is glamorous. All of it works.

Start with what you can control today. Train your people. Verify your backups. Enable MFA. Patch your edge devices. And when — not if — a ransomware threat reaches your inbox, make sure your team is ready to recognize it for what it is and shut it down before it starts.