Ransomware has gone from a niche attack to a booming criminal market since its introduction in 2013. Dozens of organizations have faced Ransomware attacks this year, and some of them have turned to Stroz Friedberg for help. In an interview with Salted Hash, the company says they were dealing with three to four Ransomware cases per week in the first quarter of 2016.

Incident response is just one of the many areas of focus at Stroz Friedberg; the caseload for the company varies, but Ransomware is certainly one of the more prevalent types of attack seen by its investigators.

Erin Nealy Cox, Executive Managing Director at Stroz Friedberg, said that the company has been seeing more economic espionage cases lately, but not necessarily state-sponsored cases. What they’re seeing can be classified as pure economic espionage, in industries that one wouldn’t normally think of.

“It’s not going to be defense, it’s not going to be energy. It’s going to be distribution, or any kind of manufacturing company,” she said during an interview. “We’re seeing an uptick in sophisticated economic espionage cases, [and] we’re also seeing companies plagued by Ransomware.”

The Ransomware cases they’re seeing are mostly Locky and TeslaCrypt. There have been several reported Ransomware cases in the media, but when it comes to volume, how many cases has Stroz Friedberg seen in the first quarter?

“Three to four a week, at a minimum,” said Morgan Bjerke, VP of the firm’s global Incident Response practice.

The attacks are being reported at organizations both large and small, in markets that span several verticals. Phishing is usually the root cause of infection, but there have been cases dealing with drive-by-downloads and other vectors.

While Locky and TeslaCrypt are the Ransomware families that represent a majority of their work, the company also sees cases with CryptoWall and older Ransomware families.

The latest variants of TeslaCrypt have made it difficult to determine how widespread the infection is when that family hits a customer’s network, because the victim doesn’t know anything is wrong until they’ve opened a targeted file.

And while Stroz Friedberg doesn’t always see the full extent of an infection, generally their latest cases involve extensive infiltration, more than they’ve seen previously – particularly in Q1 2016.

When the victim is a larger, more mature organization, a majority of them can recover from an attack by recovering files and leveraging backups. But the smaller organizations are often faced with little choice but to pay the ransom because they lack proper backup solutions or policies. Sometimes, the organization will pay the ransom because it’s more affordable than the total cost of recovery.

When it comes to paying ransoms, the cost has gone up considerably. In some cases, the cost of recovery is extreme, but that doesn’t prevent the victim from at least considering payment as a valid option.

“A couple weeks ago, there was only one encrypted laptop that we knew of, and they [the criminals] were asking for a $10,000 ransom – and the company wanted to pay,” said Bjerke.

Over the last quarter, the firm has seen ransom demands of $5,000, $10,000, or, if it’s a server, $50,000.

Recently, Salted Hash published a Blue Team reference manual for dealing with and preventing Ransomware, and many of the points in that story are the same basic bits of advice Bjerke would give to clients.

However, she had some additional thoughts on prevention that are worth noting.

“We’ve been trying to help them identify the initial infection vector.
There’s a lot of intelligence coming around on what the Phishing emails are labeled and what they look like,” said Bjerke.

“Secondarily, if [the Ransomware] does get into the environment, looking at tuning their anti-virus or endpoint detection tools. So if they have a HIDS or HIPS solution, putting in place some of the blocking controls on a HIPS especially or anti-virus, including additional signatures; so that for some of the known processes they can at least block them so that it may execute, but it may not fully function in the way that it’s supposed to.”

Research from Trend Micro shows that there were more Ransomware infections in February 2016 than there were in the first six months of 2015. Yet, only a fraction of Ransomware attacks are actually reported.

The business model behind Ransomware operations has enabled a long-lasting, turn-key operation that doesn’t require any real skill in order to ensure success – a fact that will see Ransomware remain a major concern for businesses of all types in the months to come.