Hit by Ransomware: What Every CIO Needs to Know Before It Happens

May 13, 2025
Written By Avery Knox

Avery Knox is the founder of AdaptoIT, where modern IT strategy meets hands-on execution. With a background in security, cloud infrastructure, and automation, Avery writes for IT leaders and business owners who want tech that actually works—and adapts with them.

It was 5:22 a.m. when my phone rang in Los Angeles. The East Coast team was already in panic mode. I had just joined the company as an IT manager a few months earlier, and our Director of IT had exited the Friday before. I was flying solo, and we were hit by ransomware.

The kicker? Most users still had local admin rights, and that one oversight let the ransomware spread like wildfire. By 6 a.m., I was at HQ and wouldn’t let a single employee power on their machine. It was too late. Over the next few weeks, we replaced 60% of our computers and 90% of the hard drives in the ones we kept. Our AS400 and a couple of isolated servers were all that survived untouched. Five weeks of chaos, and 1,200 users offline.

The Real Cost of Being Hit by Ransomware

Ransomware is not rare—in fact, it’s everywhere. In the first half of 2024 alone, there were over 2,570 publicly disclosed ransomware attacks, averaging 14 per day. And that’s just what’s reported. In reality, many more go unreported. A staggering 66% of organizations said they were hit by ransomware in 2024, with the average ransom payment ballooning to nearly $4 million.

The financial toll isn’t just in payouts: U.S. victims lost over $16.6 billion to ransomware in 2024, and industries like healthcare are hit hardest, with over 230 reported incidents that year alone. These aren’t just stats—they’re red flags for any IT leader who thinks it can’t happen to them.

Let’s talk money first. The cost was staggering even with CyberSecurity Insurance (thankfully, we had it). New hardware, incident response consultants, and countless man-hours to return to square one. And then there’s the less visible toll:

  • Lost productivity across the organization
  • Damaged trust with stakeholders
  • IT burnout from nonstop remediation work
  • Post-incident audits and compliance reviews

The budget wasn’t just blown—it was scorched. Even with insurance footing the hardware bill, we faced unexpected labor costs, emergency overtime, and delayed projects that triggered penalties. The financial impact extended well beyond the IT department.

And while we did have backups, we were in the early stages of transitioning to Microsoft 365. User drives had already moved to OneDrive, but we hadn’t implemented any backups beyond Microsoft’s default settings. Many users lost files we couldn’t recover in time. That experience made one thing clear: SaaS backups are a must for any organization.

Why CyberSecurity Insurance Is Not Optional

This incident could’ve bankrupted us without CyberSecurity Insurance. It covered the cost of the machines and the external recovery teams. If you’re a CIO and your organization still treats cyber insurance like a nice-to-have, immediately fix that.

Look for coverage that includes:

  • Hardware replacement
  • Ransom payment (if applicable)
  • Incident response services
  • Legal and compliance support
  • Business interruption compensation

Also, test your claims process. You don’t want to learn about hidden exclusions during an emergency.

And here’s a critical point: we did not pay the ransom. Based on the pattern and tactics, it appeared to be a SamSam campaign—ransom demands typically ranged from $30,000 to $60,000, often tailored to the organization’s size and scope. Some victims paid up to $64,000 for decryption keys. Instead, we opted to rebuild from our solid on-premises backups. It was painful, but we recovered enough that we avoided feeding the attackers and came out the other side intact. That decision not only saved money but also preserved our credibility.

For context, the DOJ has estimated SamSam caused over $30 million in damages and netted more than $6 million in ransom payments from various victims. Their model often included charging per system or segment, sometimes $6,000 per encrypted server. Refusing to pay was difficult, but ultimately, it was the right call.

Working with the FBI: Partnering with Law Enforcement

As soon as we realized this wasn’t just a small breach, we contacted the FBI. And that was one of the smartest decisions we made. The FBI’s cybercrime division doesn’t just investigate; they offer real support during incidents. They helped validate our response plan, provided advisories on how to communicate with potential attackers, and offered guidance on preserving forensic evidence.

If you’re ever hit:

  • Report immediately via IC3.gov
  • Preserve logs and evidence for analysis
  • Avoid paying the ransom unless advised otherwise
  • Engage with your legal team before sharing sensitive details

Having federal agents involved can help demonstrate to stakeholders that you’re following due process and doing everything possible to recover securely.

Inheriting Risk: When You’re the New IT Leader

When I took the job, I knew the systems needed work. But culture and politics slowed me down. Users resisted giving up local admin rights, and I hadn’t earned enough capital yet to force the change.

CIOs and new IT leaders, hear me:

  • Assess and act fast. Prioritize high-risk weaknesses even if it ruffles feathers.
  • Document everything. If your team resists best practices, keep records.
  • Build support with evidence. Use vulnerability scans and industry stats to make your case.
  • Secure your wins early. Quick improvements build trust and credibility.

Contain the Fire Before It Starts

If you’ve never been hit by ransomware, count yourself lucky. But luck isn’t strategy. Here are my top prevention tips from the trenches:

1. Remove Local Admin Rights

This one change would’ve dramatically slowed the ransomware. Yes, it’s painful, and yes, users will complain. Do it anyway.
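Before you can remove local admin rights you need to know who actually holds them. The following script is an added example, not code from the original post: it uses the built-in Windows LocalAccounts cmdlets to compare each endpoint’s Administrators group against an approved list, and the CONTOSO group names and file-share path are placeholders for your own environment.

```powershell
# Added example (not from the original post): report which principals hold local
# admin rights on a Windows endpoint and flag any that are not on an approved list.
# Run elevated on each machine, or push it through your endpoint-management tooling.

# Assumption: these are the only principals allowed in local Administrators.
# The CONTOSO group names are placeholders for your own tiered admin groups.
$ApprovedAdmins = @(
    "$env:COMPUTERNAME\Administrator",   # built-in account; keep disabled or LAPS-managed
    "CONTOSO\Domain Admins",
    "CONTOSO\Workstation Admins"
)

function Get-UnapprovedLocalAdmins {
    param([string[]]$Approved = $ApprovedAdmins)

    try {
        # Built-in LocalAccounts cmdlet (Windows 10 / Server 2016 and later).
        $members = Get-LocalGroupMember -Group "Administrators" -ErrorAction Stop
    } catch {
        # A known failure mode is an orphaned SID (deleted domain account) left in the
        # group; that by itself is a finding worth cleaning up.
        Write-Warning "Could not enumerate Administrators on $($env:COMPUTERNAME): $_"
        return
    }

    foreach ($m in $members) {
        if ($Approved -notcontains $m.Name) {
            [PSCustomObject]@{
                Computer        = $env:COMPUTERNAME
                Principal       = $m.Name
                ObjectClass     = $m.ObjectClass      # User or Group
                PrincipalSource = $m.PrincipalSource  # Local, ActiveDirectory, AzureAD, MicrosoftAccount
                Checked         = (Get-Date).ToString("s")
            }
        }
    }
}

$findings = Get-UnapprovedLocalAdmins
if ($findings) {
    $findings | Format-Table -AutoSize
    # Aggregate across the fleet (placeholder path), then review before any removal.
    # $findings | Export-Csv -Path "\\FILESERVER\audit\local-admins.csv" -Append -NoTypeInformation
    # Only after review, the same objects drive the cleanup:
    # $findings | Where-Object ObjectClass -eq 'User' |
    #     ForEach-Object { Remove-LocalGroupMember -Group "Administrators" -Member $_.Principal }
} else {
    Write-Output "No unapproved local administrators on $($env:COMPUTERNAME)."
}
```

Run it in report mode across the fleet first; the removal lines stay commented until the approved list has been validated, because pulling the wrong principal out of Administrators can lock your own admins out.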

2. Segment Your Network

Our isolated AS400 server was untouched, which saved us. Flat networks are a hacker’s dream. And while you’re at it, don’t use default VLANs—they’re often poorly segmented and misconfigured. I’m consistently shocked by how many client environments I’ve audited where VLANs are exposed to public IP addresses and don’t follow best practices. Basic housekeeping, like proper VLAN tagging, subnet isolation, and access control policies, goes a long way in containment.

3. Run Frequent Backups Offsite

Test your backups regularly. If they’re connected to the network, they’re vulnerable too. And if you rely on SaaS platforms like Microsoft 365, invest in third-party backup solutions. Default settings won’t cut it.

4. Incident Response Plan

Have one. Print it. Practice it. When disaster hits, you’ll need muscle memory, not guesswork. Schedule regular tabletop exercises that walk through your ransomware playbook with IT, security, leadership, and HR. Simulate different attack vectors and decision trees. Ensure roles and responsibilities are crystal clear. Your team’s ability to respond under pressure depends on what they’ve rehearsed beforehand.

5. Multi-Factor Authentication Everywhere

Everywhere. Especially for remote access, backups, and admin accounts. Microsoft’s native MFA is a solid foundation, but go further. Implement conditional access policies, geofencing, and restrict privileged accounts to specific IP ranges. Establish travel policies that monitor or restrict international login attempts and unusual access times. And layer in strong monitoring tools that alert on anomalous behavior in real-time. Defense in depth is critical; MFA is just one part of the puzzle.
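As an added example of the conditional-access and IP-range advice above (not code from the original post), this Microsoft Graph PowerShell script creates a report-only Conditional Access policy that restricts privileged directory roles to a trusted corporate IP range. It assumes the Microsoft.Graph SDK is installed and the listed Graph scopes are granted; 203.0.113.0/24 and the break-glass account ID are placeholders, and a separate policy requiring MFA for all users is expected to exist alongside it.

```powershell
# Added example (not from the original post): report-only Conditional Access policy that
# blocks sign-ins by privileged directory roles from outside a trusted corporate IP range.
# Requires the Microsoft.Graph PowerShell SDK and an account able to grant these scopes.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "RoleManagement.Read.Directory"

# Assumption: 203.0.113.0/24 is a placeholder (TEST-NET-3); use your real office/VPN egress CIDRs.
$corpEgress = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type" = "#microsoft.graph.ipNamedLocation"
    displayName   = "Corporate egress"
    isTrusted     = $true
    ipRanges      = @(
        @{ "@odata.type" = "#microsoft.graph.iPv4CidrRange"; cidrAddress = "203.0.113.0/24" }
    )
}

# Resolve role template IDs by display name rather than hard-coding GUIDs.
$roleNames = "Global Administrator", "Security Administrator", "Exchange Administrator"
$roleIds   = Get-MgDirectoryRoleTemplate |
             Where-Object { $roleNames -contains $_.DisplayName } |
             Select-Object -ExpandProperty Id

# Assumption: object ID of an emergency-access (break-glass) account that must never be
# caught by this policy. Placeholder value; replace with your own.
$breakGlassId = "00000000-0000-0000-0000-000000000000"

$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName = "Privileged roles: block outside corporate egress"
    # Report-only first: the sign-in logs show who would have been blocked before anything is enforced.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users        = @{ includeRoles = $roleIds; excludeUsers = @($breakGlassId) }
        applications = @{ includeApplications = @("All") }
        locations    = @{
            includeLocations = @("All")
            excludeLocations = @($corpEgress.Id)
        }
    }
    # "block" enforces the IP restriction; pair it with a separate policy that requires
    # MFA for all users so the trusted range never becomes an MFA-free zone.
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

"Created policy $($policy.DisplayName) ($($policy.Id)) in state $($policy.State)"
```

Leave the policy in report-only mode for a few weeks and review the sign-in logs for the expected admin locations (including travelling staff) before switching the state to "enabled".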

Final Thoughts: You Can’t Fix What You Don’t Own

Getting hit by ransomware changed my leadership style forever. It taught me that being liked takes a backseat to being prepared. CIOs must prioritize security, even if it means being unpopular. Your future self (and your company) will thank you.

You may not get a warning before ransomware strikes. But you can be ready.

For more guidance on preparing, responding, and recovering from ransomware, visit the CISA Ransomware Guide—an excellent resource from the U.S. Cybersecurity and Infrastructure Security Agency that every IT leader should bookmark.