Policyholders are finding there is no simple solution for protecting themselves against ransomware, although there are measures they can take to minimize their chances of becoming a victim.

The risk is growing, as criminal hackers increasingly recognize it is a lucrative way to make money that demands little effort on their part, experts say.

Coverage is generally available under cyber insurance policies, although other policies, such as kidnap and ransom, may provide coverage as well.

Reported ransomware attack notifications against Beazley PLC clients increased 37% in this year’s third quarter, compared with a year ago, and small businesses were particularly vulnerable, the insurer said in a report issued Thursday.

Chubb Ltd. also said in a report on its claims activity earlier this month that ransomware attacks in the first half of this year exceeded the total reported for all of 2018.

“We are seeing an increase in frequency and severity in that the attacks are more targeted and sophisticated,” said Jeremy Gittler, New York-based head of cyber claims, North America and practice leader for Axa XL, a division of Axa SA.

“The ransomware crisis is a real crisis because it is affecting so many organizations across so many industry sectors,” said Katherine Keefe, Beazley’s Philadelphia-based global head of its breach response services unit.

The criminals realize they can hold companies hostage, she said. “It’s a criminal business model that appears to be working.”

Anthony Dagostino, New York-based global cyber and technology practice leader for Lockton Cos. LLC, said ransomware’s prevalence is increasing because “it still preys on some certain, common vulnerabilities,” including failing to install new patches, not having timely backups “and the lack of employee awareness and training.” Those three factors are especially prevalent in the middle market sector, he said.

Ransomware attacks are also growing more lucrative.

A few years ago, a ransom demand might be for $150 or $300, said Alan Brill, senior managing director with Kroll LLC, an affiliate of Duff & Phelps LLC, in Secaucus, New Jersey. “That train left the station long ago,” said Mr. Brill, who said hackers are now demanding multiples of five to 10 times greater.

“We’re finding that ransomware is often delivered after hackers have been in a network, explored the network and figured out how to cause the disruption,” said Mr. Brill. They can get to a company’s email controls, servers and backups “and then detonate the ransomware,” he said.

Richard May, Redmond, Washington-based managing principal at EPIC Insurance Brokers & Consultants, said more sophisticated criminals are selling “ransomware creation” kits to less tech-savvy crooks and will even provide them with tech support.

Mr. Brill said even if a business pays the ransom and is given the decryption key to restore its system, sometimes the key will decrypt only some of the data or work slowly, and the hackers may leave behind malware that permits them to return.

Victims generally pay the ransom, said Mr. May. For most businesses, the amount of damage that can be created by not paying is much more than refusing, he said.

The argument could be made that paying ransomware funds its ongoing development, “but from a practical perspective, there’s very little (victims) could do,” Mr. May said.

The question of whether victims should pay ransomware “really boils down to their organization and how well they feel they’re technologically able to get up and running” if they do not pay, said Kevin Richards, Chicago-based global head of cyber risk consulting for Marsh LLC.

Most firms will say they do not pay ransoms, but when the situation arises, “then everyone gets into scramble mode, and they have to make that business decision,” he said.

The decision whether to pay the ransomware has become “more nuanced,” with companies working with forensics companies and conducting cost analyses, weighing the ransomware demand against how soon they can get up and running with their backups, Mr. Gittler said.

Firms must establish a multilayered defense that includes a detection and response tool and a segmented backup system that is separate from the main system, said Devon Ackerman, Raleigh, North Carolina-based managing director with Kroll’s cyber risk practice.

Ransomware is often effective because companies have failed to deploy already introduced patches to their systems so “keeping them updated is certainly helpful,” said James Shreve, a partner with Thompson Coburn LLP in Chicago who advises clients who face complex cybersecurity and privacy issues.

Training employees about not clicking on phishing emails links is also important. “You may be as strong as your weakest link if you’ve got 100 fantastic, safe employees and just one employee that isn’t practicing good cyber hygiene,” said Joshua Gold , a shareholder and cyber insurance recovery attorney with policyholder law firm Anderson Kill P.C. in New York.

“You should absolutely impress upon your employees that they cannot be clicking on any link or attachment that is even remotely suspicious,” Mr. Gold said.

Companies must also examine their vendor relationships, said Ms. Keefe. Large companies should review their vendor contracts “for specific provisions around data security and notifications regarding data incidents, including ransomware incidents,” she said.

And smaller companies “should also seek professional support to perform the same tasks,” to look at which vendors have access to their data in the performance of daily functions and ensure there are protections in place to guard against security vulnerabilities.

“Having a plan in place that you’ve tested is hugely important,” said Mr. Richards. Firms should be aware of their options, thinking through what would happen should their servers be unavailable and how quickly they could recover, as well as having cyber insurance coverage in place, which may provide for ransomware payments.

Mr. Dagostino said if there is a ransomware loss, it is important that policyholders obtain the services of “good quality, knowledgeable accountants” to determine their business interruption loss so they can quantify the insurable loss “in a better manner and have better evidence of loss for the insurance company.”