Cyber extortion occurs when a hacker gains access to your data and holds it hostage in an attempt to extort payment from you, the business owner. Hackers can use various methods, including ransomware and distributed denial-of-service (DDoS) attacks. While cyber extortion can affect anyone, it’s particularly damaging for small business owners who are less likely to have defense systems. Learning to protect yourself from cyber extortion is key to keeping your company secure. 

How does cyber extortion work?

The two most common forms of cyber extortion are ransomware and DDoS attacks. Here’s a breakdown of each:


Ransomware

Cybercriminals deliver ransomware by tricking targets into clicking on infected links. The victim clicks on an email attachment, website, or ad, which then downloads malicious software. Once the software is on the victim’s computer, it can encrypt files to make both the network and the computer unusable until the victim pays a ransom.

For example, in 2021, chemical distribution company Brenntag paid $4.4 million in Bitcoin to release its data — one of the most expensive payments ever recorded [1]. If that can happen to a billion-dollar multinational company with significant resources, it’s easy to see how small businesses are also at risk.

DDoS attacks

A DDoS attack functions differently from a ransomware attack, but its mission is the same: to disrupt a company’s operations and hijack its data. In a DDoS attack, hackers overwhelm a victim’s infrastructure with a flood of internet traffic sent from multiple compromised computer systems. This flood stops legitimate traffic from getting through to the site.

DDoS attacks are becoming more common, with 20% of companies with 50 employees or more reporting that they have been victims of at least one DDoS attack. While these attacks can target companies in any industry, the three most at-risk sectors are telecom, financial services, and information technology [2].

Why should small businesses worry about cyber extortion?

E-commerce spending in the U.S. is more than $900 billion [3]. As a small business owner, you likely want a piece of that pie. And while cyber extortion is a headache for any company, small companies are particularly susceptible. According to the U.S. Small Business Administration (SBA), 88% of small business owners feel vulnerable to a cyberattack [4].

If your business suffers a ransomware attack, your options are usually to pay the hackers or risk losing your data. That can mean the difference between staying in business or having to shut your doors. The better prepared you are for cyber extortion and other cybercrimes, the better the chances that you’ll keep your data secure and successfully weather a cyberattack.

How to safeguard against cyber extortion

Want to protect your company from cyber extortion and other cybercrimes? Follow these steps:

  • Invest in high-quality antivirus software that regularly scans all computers and connected Internet of Things (IoT) devices.
  • Configure a firewall to prevent ransomware.
  • Train employees on cybersecurity best practices, including recognizing and avoiding phishing emails and malicious websites.
  • Back up business data regularly and store a copy in an offline location.
  • Keep your operating system up to date.
  • Filter spam emails aggressively.
  • Limit administrative privileges to designated high-level employees.
  • Use two-factor authentication to prevent compromised passwords from providing access to your data.
  • Invest in a cyber liability insurance policy to protect yourself in the event of an attack.

While it’s impossible to prevent 100% of cyberattacks, you can take these proactive steps to minimize the chances of your small business becoming a target.

How to recover from cyber extortion

So what if you do everything right and still get hit by a cyberattack? When you realize that you’re the victim of cyber extortion, follow these steps:

  • Identify and isolate impacted systems. Take impacted systems offline immediately. If you can’t take the network offline, unplug the Ethernet cable from all affected devices or remove them from your Wi-Fi immediately to help contain the infection.
  • Triage your systems. Next, identify your critical systems so that you can prioritize the restoration of their data. Work with a cybersecurity expert to understand your data recovery options and the extent of the attack’s impact.
  • Know your state laws. All 50 states have laws related to computer crimes. Federal and state laws can protect small businesses from certain types of liability as a result of a cyberattack and may offer options for recourse against hackers. Visit the National Conference of State Legislatures (NCSL) database for a state-by-state breakdown of these laws.
  • Consult federal law enforcement. Sometimes, decryption services are available to people targeted by cyber extortionists. Security researchers have broken some encryption algorithms for ransomware variants, so be sure to reach out to federal law enforcement as quickly as possible and before you agree to pay hackers.

Cyber insurance and extortion

Cyber liability insurance is essential protection for small businesses. The coverage protects businesses from expenses related to data loss, income loss, notification fees, and legal fees. And if the attack includes cyber extortion, cyber liability insurance can even help cover extortion payments.

That’s good news as ransomware payments are on the rise. In 2020, victim payments increased by 311 percent to more than $406 million in cryptocurrency, which tends to be cybercriminals’ preferred mode of payment [5].

Cyber liability insurance for your fast-moving business

The rate of cybercrime is rising, but your anxiety doesn’t have to grow with it. Cyber liability insurance adds a layer of protection for your business, your customers and the partners you rely on. Cyber insurance provides comprehensive first- and third-party coverage, meaning your policy could help with the recovery of compromised data, repair of damaged computer systems, injured party compensation and more.


  1. Business Insurance. Brenntag pays over $4 million ransom to retrieve stolen data.
  2. Kaspersky Lab. Denial of Service: How Businesses Evaluate the Threat of DDOS Attacks. IT Security Risks Special Report Series.
  3. eMarketer. U.S. Ecommerce Forecast 2021.
  4. U.S. Small Business Administration. Protect Your Small Business from Cybersecurity Attacks.
  5. Chainalysis. Ransomware 2021: Critical Mid-year Update.