Ransomware is malware (malicious software) that locks a user’s computer or files and demands a ransom to lift the restriction. Typically the ransom demand is in bitcoin, a virtually untraceable digital currency. Ransomware often gains access to a computer system when users click on links or attachments usually disguised as authentic communications. Once clicked or accessed, the ransomware encrypts files and blocks access until the ransom is paid.

While ransomware attacks initially targeted individuals for relatively small sums of money, hackers are increasingly targeting businesses (particularly small and medium-sized businesses because they do not have the sophisticated cybersecurity that large businesses usually have). An anonymous survey of 125 Canadian organizations reported that 72% had been subject to a cyberattack and 35% of the attacks were identified as ransomware attacks. How is a ransomware attack a legal risk for business? Which of the four risk management strategies are appropriate for dealing with the risk of a ransomware attack? Should a business pay the ransom demand? Why or why not?