# When Should You Protect Against Ransomware? Now, Before it Hits You.

By [Wendi Whitmore](https://www.paloaltonetworks.com/blog/author/wendi-whitmore/?ts=markdown), Jul 13, 2021

When the [REvil ransomware gang attacked Kaseya VSA](https://unit42.paloaltonetworks.com/threat-brief-kaseya-vsa-ransomware-attacks/) and many of its customers recently, Kaseya urgently advised clients to unplug from its platform. Organizations responded. Our Cortex Xpanse global Attack Surface Management platform detected a 96 percent drop in the number of vulnerable Kaseya servers visible to attackers over the internet -- going from about 1,500 on July 2 to just 60 on July 8.

While that response to the attack likely prevented even more infections, it also pointed to an unfortunate reality. Sounding the alarm and shutting down access to critical software in a panic is not the best way to fight the growing ransomware epidemic.

When organizations wait to react to ransomware until after it hits, disruptions are inevitable.
The goal should be to prevent attacks and disruptions from happening in the first place, which means that the best time to prepare for ransomware is now, *before* you are attacked.

## The Ransomware Threat Grows

The [REvil attack](https://unit42.paloaltonetworks.com/revil-threat-actors/) is just the latest indication that the global ransomware gangs are still growing vigorously in numbers and strength, becoming ever more audacious, and innovating themselves into increasingly spectacular and lucrative attacks. And why not? The returns on investment are spectacular and the risk of getting caught is almost nonexistent.

In this most recent incident, REvil showed us something new, a wholesale approach that infected some of Kaseya's direct customers and then many of those customers' own clients through a single attack on Kaseya itself. (In an [update regarding the attack](https://www.kaseya.com/potential-attack-on-kaseya-vsa/), Kaseya wrote that "fewer than 60" direct customers were affected and "fewer than 1,500 downstream businesses" were impacted.)

Then REvil demanded a single, eye-popping ransom of $70 million (since reduced to $50 million) for a universal decryption key that will work for any and all of the victims.

Compare that to just six years ago, when the average ransom demand in our clients' cases was about $10,000. Or to just last year, when the average ransom demand had climbed to about $850,000, according to the [2021 Unit 42 Ransomware Threat Report](https://start.paloaltonetworks.com/unit-42-ransomware-threat-report), and the largest payout for the year was [under $5 million](https://www.itgovernance.co.uk/blog/the-5-biggest-ransomware-pay-outs-of-all-time).

(If you think you may have been impacted by this or any other attack, please reach out to the [Unit 42 Incident Response Team](https://start.paloaltonetworks.com/contact-unit42.html).)

## Ransomware Protection Starts With Preparedness

You probably have a disaster recovery plan for fire, earthquake and other natural disasters. A ransomware attack can have similar impacts on a company's operations and should carry the same level of preparedness.

You can start by asking yourself these questions:

* Think as if you were the attacker. Knowing your organization as you do, what would hurt you the most? Which data do you need to consider and protect?
* Do you have a written [incident response plan](https://start.paloaltonetworks.com/incident-response-plan-webinar.html) and playbook for a ransomware event? Have there been changes to the people in your organization, new technology, etc.? When was the last time you tested and revised it?
* Have you run simulations and pen tests and validated your detection and response capabilities and processes? Did you find any gaps between the plan and standard operating procedures?
* Do you have [backups](https://start.paloaltonetworks.com/best-practices-backing-up-data.html)? Are backups of your most critical data offline and offsite? Have you tested restoration and confirmed your backups work as expected?
* And finally, do you have cyber insurance and an [incident response retainer](https://www.paloaltonetworks.com/resources/datasheets/cybersecurity-expertise-retainer) in place in the event of the worst-case scenario?

The key is to think about the changes you would make after a ransomware attack and figure out how to make those changes before an attack actually takes place. You have the power to fight back, but it starts with being prepared.

Consider engaging a team of cybersecurity professionals to conduct a [Ransomware Readiness Assessment](https://www.paloaltonetworks.com/ransomware-readiness-assessment) that will help you determine how prepared you are for an attack, run tabletop exercises and identify any security gaps that need to be filled.