Ransomware Attacks and Small Businesses
Ransomware attacks are big news right now. According to US Secretary of Homeland Security Alejandro Mayorkas, ransomware attacks are up a whopping 300% over the last year. Sadly, major pipelines and meatpacking plants and their million-dollar ransoms are just two mid-2021 examples of how serious these attacks are becoming to our critical infrastructure.
However, an even more disturbing story is the growth of the ransomware industry that puts all organizations at risk. Every organization must take the threat of a ransomware attack seriously—small businesses won’t get overlooked because of their size. In fact, 50% to 70% of ransomware attacks target small and medium-sized enterprises.
The same ransomware group that attacked JBS Foods also recently attacked Sol Oriens, a small consulting firm. The hacker group has since published confidential employee data to its blog on the dark web. It also threatens future disclosures, which it declares it has a right to do because the company “did not take all necessary action to protect personal data of their employees and software developments for partner companies.”
Professional service firms, government contractors, healthcare, high-tech companies, and local governments are popular ransomware targets, but attackers can strike any type of organization. Even the Saint Elizabeth Ann Seton Catholic Church and School in Wichita, Kansas, recently became a ransomware victim.
Breaking Down a Ransomware Attack
The first step of a ransomware attack is for a bad actor to gain access to where they shouldn’t be. After that, they could attack anything from a single laptop to an entire network, even cloud services. Often they pivot from an initial entry point to an internal reconnaissance stage where they might get a foothold on many or most machines across a network.
During the attack, bad actors use ransomware code to encrypt files, data, and whatever else it can access through the compromised device. Depending on the scope of their access, they may also lock down access to a single system or an entire network. The hackers don’t have to infiltrate the entire network or access the most sensitive data to cause damage. In many cases, victims shut down other systems to protect themselves while investigating and planning the scope of their attack.
Once hackers are in control, they send the ransom note. When the ransom is paid, they’ll provide instructions on how the organization can regain access or decrypt its files. Naturally, they like their ransom paid in cryptocurrencies like Bitcoin because, in theory, it allows the recipient to remain anonymous.
The Risks to SMBs is Greater Than You Think
Ransomware is the top malware threat SMBs face, and the costs of a ransomware attack are high. According to a 2020 survey of managed service providers (MSPs), the average ransom hacker demand from SMBs was relatively modest—around $5,600. The higher costs come from the downtime the attack inflicted on the business. For SMBs, the average cost for downtime due to a ransomware attack last year was $274,200, almost 50 times the ransom amount. And for 39% of the small businesses attacked, the downtime was extensive enough to threaten their ongoing viability.
While the average ransom demand may be modest, other surveys found that larger SMBs can get demands exceeding $100,000 and that 50% of all ransomware demands were higher than $50,000.
Ransom payments, downtime, and remediation costs can be quantified, but they aren’t the only costs. There are also costs to the company’s brand, reputation, and relationships. In many cases, client and customer data is at risk in a ransomware attack. In addition, operational disruptions also impact clients.
Understanding the Ransomware Business Model
Most ransomware attacks come from well-organized cyber gangs. Different ransomware organizations have different targets. Some conduct long-term sophisticated attacks against major corporations, like Colonial, with high ransom demands.
Others operate on volume. They attack smaller businesses that are easier to breach and ask for a ransom proportional to the organization’s size. Balanced against the costs of downtime, potential impact on clients, and risk of public exposure, requesting a reasonable sum increases the likelihood the SMB will pay the ransom.
Under another model, hackers infiltrate a network and sell the compromised network’s encryption key to a second group that carries out the ransomware attack. Ransomware attacks have become so commoditized that some hacker groups actually package “ransomware-as-a-service” (RaaS). Then, they sell the RaaS code to bad actors who don’t have the technical expertise to launch an attack on their own. RaaS and selling decryption keys have expanded the pool of bad actors who can conduct ransomware attacks so that every organization is now—or will soon be—a likely target.
And the ransom payments are only one revenue stream for ransomware attackers. It’s become more common for ransomware hackers to exfiltrate data and sell it on the dark web—not to mention using the data to conduct future attacks.
Bottom line: Ransom attacks are good business for hackers, and we can only expect the rate of attacks to grow.
How Ransomware Hackers Get to Small Businesses
Phishing is the most common vulnerability used by bad actors to access and lock down a company’s digital assets. They send emails with attachments or links that deliver malware when clicked. Other phishing schemes use sophisticated communication (email or text) and look-alike websites to induce employees to provide login credentials or personal information on what appears to be a legitimate website.
After phishing, the most common attack vectors are:
- Gaining login credentials through other means, such as brute force password cracking programs or stealing them from employees working on a public WiFi
- Exploiting a known vulnerability that the company hasn’t patched
- Poor network configuration that leaves backdoors to the network open and unmonitored
Once attackers gain entry to the network, they start searching for the most sensitive data. They often operate undetected for extended periods when they’re able to use real credentials. Then, when they feel they have access to enough sensitive data to cause pain, they’ll initiate the ransomware attack.
How Small Businesses Can Protect Themselves
Protecting usernames and passwords is critical, as the most common attack vectors rely on human error to steal network credentials and gain access. Security policies and other steps you can take to protect credentials include:
- Using multi-factor authentication so bad actors can’t access any part of the network even with legitimate credentials
- Using password managers and enforcing password security policies
- Regularly conducting employee training on cybersecurity and credential security that covers topics such as
- What phishing schemes are and how to identify them
- How hackers use social engineering to trick employees into giving up their credentials or sharing personal information that makes it easier for hackers to guess passwords
- Why employees should never share their credentials, even with another employee
- Bad (and good) practices in username and password creation and management
- How to work safely from home and on public WiFi
Other security policies and software solutions to protect against ransomware attacks should address:
- Daily patching of known vulnerabilities
- Tiering data so it can be stored, encrypted, and access-controlled based on its sensitivity
- Network protection software like VPNs and endpoint security that detect and prevent malware and ransomware from entering your network, as well as firewalls, antivirus, anti-malware, and anti-ransomware programs
- Creating multiple copies of daily network back-ups that get stored offsite
- Limiting the scope of access and rights to different systems— especially admin rights: No one should have greater access to any program or system than is necessary to meet their daily responsibilities
- Running latest versions of operating systems and software
Of course, this is a shortlist of actions. Protecting your company against ransomware attacks requires a formal security program. The ongoing process of developing IT security policies and implementing specific security controls will continue to harden your company against a ransomware attack.
Response Options After a Ransomware Attack
Your security program should include a ransomware incident response plan. In addition, your ongoing security training should include roleplaying a ransomware incident to ensure everyone knows what to do should an attack occur.
So, what are your options once you’ve been attacked?
Pay the ransom. Many companies take this approach to minimize the downtime and impact of the current attack. However, paying the ransom comes with risks. In some cases, companies don’t receive full access to their systems and data despite paying the ransom. In addition, there may be some legal risk to paying or facilitating the payment of a ransom. There’s also the concern that paying the ransom can lead to more attacks, both generally and of the paying company. A recent survey of organizations that paid the ransom found that 80% were victimized in a second attack.
Decrypt your files. With assistance from cybersecurity and decryption experts, you may be able to decrypt your files. However, most ransomware attacks use highly sophisticated encryption algorithms. The time and computing power needed to break them would likely be too high to undo the damage caused by the attack.
Restore files and systems from backups and/or images. A company with a comprehensive backup and disaster recovery plan should be able to restore its data and systems. This doesn’t mean an attack won’t still come with a cost— the mitigation, investigation, and recovery processes all take time. However, it does limit operational downtime and avoids the need to pay the ransom.
Getting Ahead of the Ransomware Attack Trend
Too many small businesses underestimate their chances of being ransomware targets, but this is short-sighted. A small business can be an attractive target as “easy prey” or because of its relationship with a larger, more lucrative, or strategic company or government department.
Now is an excellent time to review your existing security program and IT security policies to see how well your company is defending itself against a potential ransomware attack, as well as reviewing your business continuity plans in case ransomware attackers choose you as a target.