By: Quinn Cleary
Ransomware attacks are becoming increasingly common in our modern tech-centric society. This malware-based cyber-attack has roots in the early days of modern computing and has been thrust into the public eye by the increasing number of highly impactful attacks from the mid-2010s to the present day. Two recent and highly notable examples are the attack on the Colonial Pipeline, which briefly skyrocketed U.S. gas prices, and the record-setting $40 million ransom payout by CNA Financial. While eye-catching ransom payments and the far-reaching impact of ransomware attacks have garnered media attention, the true danger comes at the expense of small businesses that lack the infrastructure or funds to adequately fight a ransomware attack.
To fully appreciate the impact of ransomware, it is first important to understand how the attacks operate. A ransomware attack is a type of cyber-attack that involves unauthorized access to a targeted system. Once inside the system, attackers encrypt the files, preventing the rightful owner from accessing them. The attackers then demand a ransom payment (generally in the form of cryptocurrency) in exchange for releasing the files.
While the public may largely be aware of the substantial number of ransomware attacks, what often gets overlooked is the impact on small and medium-sized businesses, which suffer a disproportionate amount of the damage. Statistics demonstrate that 82% of ransomware attacks target small to midsize businesses. Once hit with a cyber-attack, 1 in 5 businesses completely cease operation until it is resolved. Unable to operate, businesses are practically forced to give in to demands or risk losing significant amounts of money from inactivity. A cyber-attack costs businesses of all sizes $200,000 on average. This high cost leads to roughly 60% of small businesses folding within 6 months of a cyber-attack.
Despite the devastating effects of ransomware, small and medium-sized businesses have proven themselves to be highly unprepared to face an attack. A study of 1,200 randomly selected small and medium-sized businesses from the U.S. and Canada demonstrated that 30% of the businesses had no incident response plan in place, and of those that did, 35% had not tested the plan in over six months. Additionally, 34% of businesses did not provide any preventative training to teach employees how to identify commonly used phishing attacks. The lack of concrete preventative measures greatly increases the likelihood of suffering an attack and ensures a less comprehensive response when one actually occurs.
To fight the threat of ransomware attacks, companies and individuals should strive to take proactive rather than reactive measures. Unfortunately, the onus remains mostly on the businesses or entities themselves to ensure that adequate protections are in place. Although many small businesses do not have the resources to put extensive measures in place, there are still many highly effective practices that can be implemented at a low cost. Most importantly, continued employee education surrounding the threats of ransomware attacks remains a key preventative measure. Despite common misconceptions, ransomware attacks have not actually increased in sophistication. The same basic phishing and Remote Desktop Protocol techniques that have been used for years are still being used, for the simple reason that they continue to work. In 2020, 54% of ransomware attacks came from spam/phishing emails, and 27% came from poor user practices/gullibility. Phishing attacks hinge on human error and are frequently carried out by impersonating trusted associates using publicly found information. There are many common factors that can help individuals easily identify a phishing scam or email. It is pivotal to educate employees on these factors to ensure they can adequately identify potentially malicious links, emails, SMS messages and more. Efforts to eliminate human error can substantially reduce the risk of being subject to a ransomware attack.
There are also companywide steps that can be taken to both detect and adequately respond to an attack. First, in terms of detection, companies should strive to take extensive measures to discover an attack before it occurs. Many different services provide comprehensive detection frameworks and strategies that can be tailored to the organization’s needs. Another strong resource is the Cybersecurity and Infrastructure Security Agency (CISA), which also sets forth guidelines for businesses, including its “Ransomware Prevention Best Practices.” Other good prevention practices are partitioning backup files from the main network (ideally in an offline environment), restricting access to vital parts of the network, and enabling robust email filtering options.
In terms of response, there are a number of key considerations. In preparation for an attack, organizations should strive to have a comprehensive incident response plan that focuses on attack mitigation and remediation. CISA’s “Ransomware Response Checklist” provides significant guidance on steps that should be taken once the system has been subject to an attack. Some of the most important steps include isolating the infected parts of a system, powering down parts of the system to prevent the spread, and identifying the source. Additionally, contacting federal law enforcement may aid with available decryptions and will launch an investigation into the attack.
Whether to report the incident is another important consideration that those facing a ransomware attack must weigh. Reporting to the FBI Crime Complaint Center or CISA is strongly encouraged, even though small private entities not involved in critical infrastructure are not legally required to report the incidents. Historically, many businesses have shown a hesitancy to report an attack for fear that reporting it to the police makes it a public record. The negative stigma associated with being the subject of a ransomware attack serves to disincentivize reporting. It may be preferable for a company to quietly pay off a ransom instead of risking drawing public attention. Loss of perceived trustworthiness, investor confidence, company reputation, and valuation can all result from being the victim of a ransomware attack. These concerns can be less pressing for smaller businesses, but still serve to suppress reporting. Despite this, businesses should still report every attack to ensure that they receive adequate assistance and to try to prevent the attackers from targeting others in the future.
In wrapping up this post, readers should know that ransomware and other kinds of cyber-attacks are here to stay. While media attention focuses on the largest attacks, small and medium-sized businesses tend to suffer the greatest impact. There are many low-cost and easy-to-implement security measures small businesses can adopt in an attempt to ensure they are not subject to a ransomware attack.