If a victim hands over the money anyway, insurers may cancel a business’s coverage and leave clients paying out of pocket — including covering the cost of disruptions to their businesses, remediation expenses and customer notifications.

“In general, the advice is not to pay,” said Kevin Kalinich, a global cyber-risk expert at Aon, the insurance broker. “The perpetrators may not release your data, or you’ll be considered a target for future attacks.”

Jorge Reza, a sales manager for a construction business in Laredo, Tex., was forced to take that gamble when the company he works for was hit with a ransomware attack last year.

Hours after one of his colleagues was locked out of the business’s main computer, which held company invoices, payroll data and other sensitive information, Mr. Reza, 34, found himself online, researching how to open a bitcoin account and other tips for paying the digital ransom.

Despite fears the assailants would not unlock the computer, Mr. Reza uploaded money through Western Union, found someone who would sell him $1,200 worth of bitcoin and waited for notification that the machine had been returned to his control.

The process, Mr. Reza said, was both stressful and uncertain, as he could not be sure the attackers would follow through on their promises. Luckily, less than 12 hours after the initial attack, he was able to decrypt his files.

“They were digital terrorists, but at least they were honest,” Mr.

