Last week saw a widespread attack with more than 10,000 organisations across 150 countries – including 48 NHS trusts in the UK – almost simultaneously hit by the ransomware strain WannaCry. With data encrypted, the impacted businesses and other institutions experienced significant downtime as they were unable to continue with normal operations. The hospitals, for example, were forced to postpone non-urgent procedures and people were asked not to visit Accident & Emergency.
Ransomware has become more popular in the last few years. It has mostly flown under the radar, with the odd story here and there, but the sheer scope of this attack has made everyone sit up and take notice. With the ever-increasing number of ransomware strains, these attacks are only going to become more common.
Smaller businesses are at greater risk
WannaCry made the headlines not just because of its scale, but because of the high-profile nature of its victims. Yet, more often than not, it is small- and medium-sized businesses (SMBs) that are targeted with ransomware. According to Datto’s own research, which involved surveying 148 European IT service providers, 87 percent reported that their SMB clients had been targeted by ransomware in the 12 months up to September 2016. More shockingly, 27 percent had been targeted with multiple attacks in the same day.
Cybercriminals target SMBs because it’s not a fair fight. Ransomware strains are ever-evolving and becoming more sophisticated, with development driven by cash-rich criminal gangs; while SMBs rarely have the resources or manpower to stay ahead of the threat.
Moreover, the downtime experienced after an attack can be crippling. Established firms will have the resources to stomach the cost of not being operational for a few hours or longer; small businesses don’t have the same buffer. As such, paying a ransom can seem like the least bad option.
Ransomware perpetrators act like ‘legitimate’ businesses
While attackers have sometimes taken a ‘throw it and see what sticks’ approach to their criminal activities, over recent times they have become more strategic in how they target SMBs. Many have adopted sophisticated business practices in an attempt to tip the balance even further in their favour.
To begin with, ransomware programmes charge varying amounts. Ransoms can depend on the type of data, the amount of it, or the size of the company, and cybercriminals adjust amounts depending on success rates. The average ransom is priced between £500 and £2000, an amount that some SMBs will simply accept as a cost of doing business in the digital age. As these amounts are often less than their insurance excess contributions, many do not report attacks. This lack of reporting has been one of the key reasons for the low levels of awareness around ransomware; at least until WannaCry hit last week.
Attackers also take time to research targets. Most ransomware is spread via links or attachments in phishing emails, so getting unsuspecting victims to believe that messages are legitimate is paramount. The cybercriminals will trawl through an employee’s digital presence in order to create emails that appear to come from business partners, colleagues, family and friends. WannaCry was the notable exception: once inside a network it spread from machine to machine over Windows file sharing with no email and no click required, which is why a single unpatched PC could take down a whole site.
When ransomware does take hold, SMBs are usually unsure what to do next. If they decide that paying is the best option, they may not know how to meet the demands, particularly if payment is required in a cryptocurrency such as Bitcoin. To help make the payment process more seamless, some ransomware programmes come with ‘helpful’ pop-ups and support to walk SMBs through it. They use soft and friendly language, as you would expect from a real business when calling for support – they seem as if they are there to help.
Some programmes take the opposite approach and scare SMBs into taking action more quickly. For example, by threatening to delete data at regular intervals until demands are met.
A multi-layered defence is the only way to mitigate ransomware
Most businesses understand the importance of anti-virus and firewalls, but not that they don’t always provide watertight defences. WannaCry exploited a vulnerability in the SMBv1 file-sharing service of the Windows operating system; Microsoft had already patched it in March 2017 (security bulletin MS17-010), two months before the outbreak, yet the machines that were hit had not applied the update. There will always be new strains of ransomware that find another gap, and it’s almost impossible for defences to stay ahead of the curve, but SMBs must apply operating system patches promptly so that known holes are closed, keep anti-virus signatures current so that older strains are detected, and switch off legacy services such as SMBv1 that they do not need.
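As an added example (not code from the original article or from Datto), the following PowerShell function reports whether SMBv1, the protocol component that WannaCry's exploit targeted, is still switched on for a Windows host, and can disable it. The function name, parameter and output fields are this example's own choices; the cmdlets are standard Windows ones and need an elevated session. Turning SMBv1 off is a complement to installing the MS17-010 update, not a substitute for it.

```powershell
# Added example, not from the original article. Report, and optionally remove,
# SMBv1 exposure on the local Windows host. Run from an elevated PowerShell.
function Test-Smb1Exposure {
    [CmdletBinding()]
    param(
        # Disable SMBv1 (server setting and optional feature) where it is enabled.
        # Parameter name is this example's own choice.
        [switch]$Remediate
    )

    $result = [ordered]@{
        ComputerName      = $env:COMPUTERNAME
        Smb1ServerEnabled = $null   # Will this host answer SMBv1 requests?
        Smb1FeatureState  = $null   # Is the SMB1Protocol feature installed?
        Remediated        = $false
    }

    # Server-side switch: whether the host accepts SMBv1 sessions at all.
    $cfg = Get-SmbServerConfiguration
    $result.Smb1ServerEnabled = [bool]$cfg.EnableSMB1Protocol

    # Optional Windows feature that ships the SMBv1 client/server binaries
    # (on Windows Server the equivalent is Get-WindowsFeature FS-SMB1).
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    if ($feature) { $result.Smb1FeatureState = [string]$feature.State }

    if ($Remediate) {
        if ($cfg.EnableSMB1Protocol) {
            # Stop answering SMBv1 immediately; takes effect without a reboot.
            Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
            $result.Remediated = $true
        }
        if ($feature -and $feature.State -eq 'Enabled') {
            # Remove the binaries too; a restart completes the removal.
            Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
            $result.Remediated = $true
        }
    }

    [pscustomobject]$result
}

# Report only. Add -Remediate to switch SMBv1 off on this host.
Test-Smb1Exposure
```

Run it without the switch first across a few representative machines: any line with Smb1ServerEnabled = True is a host that an unpatched neighbour could have hit the way WannaCry did. Check that no legacy printer, NAS or scanner still depends on SMBv1 before remediating, since those devices will silently lose access to file shares once it is off.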
SMBs should also educate staff about the red flags of phishing emails and how to avoid questionable downloads. Everyone is guilty of accepting prompts without reading them, but clicking ‘yes’ to certain items (enabling macros in an attachment, say, or approving an installer) runs the attacker’s code with the user’s own privileges, inside the perimeter that the firewall protects, no matter how comprehensive the rest of the security setup is. Giving staff standard rather than administrator accounts limits how much damage that one click can do.
The only way of truly mitigating the impact of ransomware is through backup. If SMBs take system snapshots at regular intervals, they can simply roll back to the most recent ‘healthy’ point before a ransomware attack took hold. Being able to spin up systems almost instantaneously drastically decreases the amount of downtime, from hours to minutes, and means that no ransom has to be paid. Two caveats matter here: a backup that sits on a mapped drive or a share the infected machine can write to will be encrypted along with everything else, so at least one copy must be offline, off-site or otherwise unreachable from the network; and a restore should be rehearsed before it is needed, because a snapshot that has never been tested is not a recovery plan.
Ultimately, ransomware can deliver a lot of bang for its buck, so it’s perhaps unsurprising that it’s becoming a popular weapon for cybercriminals. The WannaCry attacks highlighted just how easy it is for ransomware to cause havoc on a global scale, but SMBs must understand that this threat is not something that only happens to others. It’s vital that they adopt a multi-layered approach which encompasses patching, antivirus and firewalls, as well as backup.