Cybersecurity: Under Attack
by Dawn Marie Yankeelov
Experts explain why ransomware is everyone’s problem now and detail the best plan of defense
Hearing about cyberattacks and ransomware threats has become so commonplace that when your business is attacked, it may feel like just another day. But it isn’t, and much is at risk, including the viability of your company getting back on track, according to Kentucky’s attorneys and cyber professionals who deal with all levels of ransomware, from small business situations to large-scale global compromises.
Ransomware continues to be a top cybercrime as evidenced by the April 2026 report from the FBI’s Internet Crime Complaint Center (IC3), which identified 63 new ransomware variants in 2025. That is an average of 5.25 new variants per month. The FBI is currently running a cyber-resilience campaign, Operation Winter SHIELD (Securing Homeland Infrastructure by Enhancing Layered Defense), which provides industry with a practical roadmap to better secure information technology (IT) and operational technology (OT) environments, hardening the nation’s digital infrastructure and reducing the attack surface.
Call the FBI
If your business is impacted by ransomware, calling the FBI should be one of the first moves, whether you are a small business or a global company. Ransomware attacks can be reported to the FBI immediately via the Internet Crime Complaint Center (IC3) or the Louisville FBI field office (louisville.fbi.gov or 502-263-6000), which covers the entire state of Kentucky. Rapid reporting helps identify perpetrators.
While the FBI does not condone paying ransoms, it can provide assistance to victims. IT professionals can follow CISA’s Cybersecurity Alerts & Advisories and #StopRansomware pages for guidance regarding preventative measures, data backup, and an internal response plan template.
According to Kentucky experts, cyber readiness and cyber resilience against crimes like ransomware are built in advance and over time. Those plans begin with the basics of network protection, anti-virus protection and teaching employees specific lessons about social engineering.
Preserving data
A key FBI Operation Winter SHIELD recommendation states, “Reliable preserved logs are essential for detection, response and attribution. The rule is to centralize authentication, email, endpoint, network, DNS, remote access and cloud audit logs in a SIEM or centralized platform.”
“So many small businesses don’t have an IT person on staff, so they turn to managed service providers, like us. Some just call us after an attack, even if they are not a customer. We then work quickly to assist them in containing the problem,” said Craig Stein, a founder, partner and solutions architect at Mirazon who knows and understands the importance of preserving data and logs. “Unfortunately, 75% of people who find themselves compromised do not have an incident response plan. And if they know you have good backups, the bad actors will steal data just to sell it or cause embarrassment.”
Companies like Veeam Object First can be useful for immutable backups, he pointed out.
Jesse Chowning has spent six years at the Louisville office of LBMC as a cybersecurity manager on their advisory team. He says that companies involved in a ransomware attack should first contact their attorney and then the FBI as an important but voluntary measure to protect against future attacks and aid in investigations of the cybercrime.
Be prepared to provide details to the FBI on the incident, such as the ransomware variant used, the ransom amount requested, and cryptocurrency wallet addresses.
Educating employees
Chowning said the No. 1 must-have to prevent a ransomware assault is employee education because “people are the weakest link.”
“Chances are someone clicked a link — and then it may not matter what sophisticated technical solutions you have,” he said. “Security training is not a huge financial lift but it is a wise move.”
External third-party risks via your clients and partners can pose issues, and these contracts should be vetted beforehand. He said paying attention to gateways and enforcing least-privilege access make a difference. It is also helpful to turn off unused accounts.
But if ransomware does strike, have gates placed to stop it before it gets to the network. This means having solid software restriction policies and not having numerous local admins, for example.
“If you are using an AI native platform to assist in cybersecurity, block executables,” he continued. “Monitoring and logging are important with (defense) tools like CrowdStrike, Trend Micro, or Palo Alto. Your budget may dictate your choices, but proactive measures are essential.”
Patch known vulnerabilities
Cyber experts and the FBI warn that adversaries often exploit known vulnerabilities that remain unaddressed, often because no IT staff, internally or externally, has been assigned to work a process and resolve them. That’s why a risk-based vulnerability management program tops the list of cyber resilience steps, Chowning said.
The early hours are important
An initial IT investigation in the first hours into what is going on is imperative, according to attorney Ian T. Ramsey, a member at Stites & Harbison, one of Kentucky’s largest law firms.
Attorney Sarah Cronan Spurlock, also at Stites & Harbison, regularly works in the regulated healthcare industry, where there are stronger notification policies and requirements. These policies assist targeted operations in the event of ransomware because they realize they must discover immediately whether the attack is ongoing and spreading or confined to a few workstations. Powering down is not always the best option, Spurlock said, because you lose the forensics information.
Ideally, legal counsel is involved for part of the forensics investigation and review of contracts, assessing the impact and legal communications.
“My clients generally know that an incident-response playbook will help them know who to call, both internally and externally. Being prepared is essential,” she said.
A playbook is a prepared incident-response plan (IRP) such as a structured, six-phase approach to detecting, managing and recovering from cybersecurity incidents. Frameworks like those from NIST (National Institute of Standards and Technology) and SANS (the world’s largest cybersecurity research and training organization) assist in cyber readiness.
It is crucial that new employees have training on cyber readiness and understand how to assess requests in email and on the phone.
The criminal part of the equation remains a critical part of a ransomware attack because threats often lean toward releasing sensitive data if the ransom is not paid.
“Hackers do not only enter through the IT systems; often they are already monitoring for new employees and use the phone to extract information that assists them in the ransomware attack,” Spurlock said.
Access control and backup, backup, backup
Access control measures should also be a part of avoiding ransomware attacks, Spurlock said.
Ramsey noted that the best step a company of any size can take is to have secure backups off-site, in advance, completed regularly.
Both attorneys said the financial resources of the company under attack often dictate what is done and not done.
“Small businesses are the target of most attacks and most do not have an internal IT person to look at what exactly happened six weeks earlier,” he said.
Chowning, at LBMC, said companies beefing up cyber resilience should examine their cloud environments.
“If your cloud environment is AWS (Amazon Web Services), for example, then there are remote access options, and you must look at these and determine what needs to be turned off,” he said.
In addition, software that is rarely used or updated should be deemed “end of life” and disabled.
The importance of penetration testing
“A cyber audit or pen (penetration) testing could save the day by examining what holes you have in your environment,” Chowning added. “XDR (extended detection and response) tools are expensive but important for global companies and large corporations. As a small business or mid-size enterprise, doing pen testing is affordable to do as a cyber-hygiene step.”
These should be conducted at least annually if not quarterly, depending on the type of business and its size. For example, manufacturers would benefit from internal or external penetration testing.
“These efforts are very valuable to building your cyber resilience program,” Chowning added.
Invest in safeguards
Stein said he firmly believes in the tools that look for strange behaviors, as a precautionary measure. He also recommends investing in corporate-strength endpoint detection and response (EDR) tools, if the budget is available. Email security guards like Proofpoint and Abnormal Security can be effective against many evils.
Insurance is a must
In regulated industries such as healthcare and banking, cybersecurity insurance is generally required, especially for third parties. Cyber insurance may give you coverage for a repair, access to an attorney, or even money for the ransom itself, depending on the circumstances and policy, Spurlock said.
Premiums have risen and the underwriting process has tightened in recent years.
“Cyber insurance is still a high-value approach to protection, but it is getting harder to get and may not be offered in the not-too-distant future. We know now that eventually everyone will be a target,” said Stein.
Emphasize multifactor authentication
While some software solutions may be out of reach, small businesses can encourage multi-factor authentication (MFA) use.
“Users don’t want the additional load time, but it can be a gamechanger,” Stein said.
The FBI is now encouraging phishing-resistant authentication, FIDO2-compliant security keys, or device-bound passkeys for authentication, remote access and critical systems. Push-only approvals are less useful, as we know that stolen passwords lead to breaches each year.
Both Chowning and Stein say AI-powered solutions can assist in streamlining detection and patterns. However, for businesses struggling with budgetary restrictions, hiring an outside team and relying on immutable storage and backup makes sense amid today’s rising ransomware attacks.
https://www.lanereport.com/187749/2026/05/cybersecurity-under-attack/