
Ransomware is the most prevalent cyber threat to businesses globally, with victims of all sizes falling prey to security breaches. The impacts range from the immediate (business continuity risk from suspension of operations, considerable costs and potential exposure of valuable and sensitive data) to ongoing reputational and brand damage. So how can businesses better understand ransomware cyber risk, and what should they do if a ransomware attack occurs?
While ransomware attacks on large organisations are widely reported and becoming more common, the extent of attacks on small to medium-sized businesses (SMEs) is also a key concern, with an IT report [1] finding that four in 10 SME clients had been victims of a ransomware attack and almost 30% had sustained more than one ransomware cyber incident.
What happens in a ransomware cyber attack?
Ransomware is a common and dangerous type of cyber threat where criminals use software called malware to lock or encrypt your files so you can no longer access part or all of your business systems.
After the malware has made the files inaccessible, the criminal behind the attack demands a ransom payment for the decryption key to 'unlock' the restriction and restore access to business systems.
With businesses of all sizes reliant on business systems to operate, the inability to access them and the risk of having business data and information compromised by malware are a threat to far too many businesses and their operations.
What are the main causes of ransomware attacks?
Most ransomware attacks on Australian businesses exploit weaknesses in the target business's computer system (37% of cases), followed by compromised credentials, where human error is more likely to be involved (24% of cases) [2].
Also, the malware tools used by cyber criminals are becoming more difficult for computer systems to detect, and more successful at masking their activities in popular cloud and messaging applications.
The main methods used to gain access for ransomware attacks on businesses include:
- phishing emails
- email attachments
- Remote Desktop Protocol (RDP) logins (such as service or support teams being granted permission to access a user's system by the user)
- software vulnerabilities
- malicious links on social media
- malvertising, or clicking a legitimate ad that has malicious code in it
- installing infected programs or applications
- visiting an unsafe or fake website or opening/closing a malicious pop-up
- traffic distribution system (TDS): clicking a link on a legitimate website that redirects to a malicious website
- an employee inserting an infected USB directly into their computer.
Should your business pay a ransom to cyber criminals?
Government advice is to never pay a ransom. There are sanctions, anti-money laundering and counter-terrorism laws that forbid businesses from paying a ransom if it funds criminal activities.
There are also other disadvantages to paying ransom (aside from the cost).
- 'Double dipping' where cyber criminals may demand a ransom and then also sell your information on the Dark Web.
- The cost of retrieving stolen data, in negotiation and downtime, may be increased by paying the ransom.
- Payment may not provide a faster recovery time compared to using back-up recovery.
Business cyber attack case study: SME medical practice repeatedly held to ransom
A specialised practice that employs 30 staff suffered repeated ransomware attacks due to its reliance on technical equipment and the necessity to pay ransom demands to keep its doors open.
The business engaged an IT professional services company which immediately implemented the Australian Cyber Security Commission's (ACSC) 'essential eight' cyber security measures [3], including updating software and other actions to minimise exposure (such as restricted administrative access) as well as to block and contain attempted attacks (firewalls, sandboxes and back-ups).
This combined approach succeeded in halting the repeated ransomware attacks.