It’s tempting to think the average cyber extortionist has bigger fish to fry than your small business. Last month alone, hackers targeted the largest petroleum pipeline in the United States, Ireland’s national health service, the city of Gary, Indiana, and numerous other big targets.
But while they may receive less attention, 50 to 70 percent of ransomware attacks are aimed at small and medium-sized companies, Secretary of Homeland Security Alejandro Mayorkas said during a U.S. Chamber of Commerce event in May. And changes in business practices, accelerated by the pandemic, have left small businesses even more vulnerable.
In ransomware attacks, cyber criminals use malware to take over and encrypt a victim’s files and data, effectively holding the data hostage until they’re paid to release it. The recent surge in remote work was a golden opportunity for hackers, who took advantage of out-of-date VPNs and unsecured home networks.
The consequences of a ransomware attack on a small company aren’t as wide-ranging as those on a hospital or a public utility, but the result for the victim can be more crippling. An estimated 60 percent of small businesses fail within six months of an attack, according to the National Cyber Security Alliance. For the companies that do recover, repeat ransomware attacks are increasingly common: Roughly 80 percent of victims are hit a second time, according to a report from Boston-based cybersecurity firm Cybereason.
Small businesses are attractive targets because they typically lack the budget and resources to prevent, identify, respond to, and recover from threats. There are, however, some simple methods that can help, says Charles Horton, chief operating officer of cybersecurity firm NetSPI. Here are a few things he and other experts say you should know about ransomware.
1. Every industry is vulnerable.
No target has proved too small for hackers, who are constantly on the hunt for new opportunities. “No matter if it is education, government, health care, manufacturing or electricity, each sector has had many successful cyber-attacks in the past,” says Candid Wuest, vice president of cyber protection research at cybersecurity firm Acronis. Some criminals enjoy variety, focusing on specific groups for a while before they move on to the next group.
2. Always remember to back up.
“If you have really good backups in place, from a business continuity perspective, especially if you’re a small business, you are not as impacted,” Horton notes. But don’t count on being able to return to normal right away–even companies with backup systems aren’t safe. Increasingly, thieves have been targeting backup systems, as well as entire devices.
A cloud-based backup may be a good option, since it keeps your data off-site and immediately accessible. But there are ways this option can backfire, such as if your malware-infected files sync to your cloud server. Cloud service providers also can fall victim to ransomware attacks.
3. Don’t forget to secure your remote workers.
Remote workers are sitting ducks for cyber criminals. Hackers can slip in through remote access entry points, including remote desktops and VPN access portals. You should make sure your remote workers are trained to spot phishing attempts, use two-factor authentication, and download the most recent updates of security software.
4. Have a plan of action for a ransomware attack.
Who will your company contact once it suspects a ransomware attack? How will you get the word out to employees and clients? Where are all the backups located? What happens if the hacker already found the backups?
Ideally, to address these questions you should perform tabletop exercises, or a real-time simulation of a ransomware attack, so you’re not flying blind if your data is intercepted. (You can hire a cybersecurity firm to perform the exercises or do them yourself, but it will cost you either way.) Employees can then identify what went wrong, and fix any vulnerabilities in their system. “These different scenarios in your incident response plan will help you develop that muscle memory around what to do in the event that one of them actually takes place,” says Horton.
5. You’re almost guaranteed to lose some of your data.
A staggering 92 percent of ransomware victims who comply with ransom demands don’t get all of their data back, according to a report from security firm Sophos. Victims commonly pay the ransom in order to get access to a decryption key, which they can use to unlock and decrypt their data. But there’s always a chance that the key won’t work–and if it does, at least some of the data may be corrupted, in many cases irretrievably. Even more worrisome, there’s a chance that the hacker may have installed spyware or other malicious software in your system.
So although every situation is different, experts typically urge businesses not to give in to hackers’ demands. “The general advice is not to pay any ransom, as it will boost further attacks and might even be illegal in your country to do so,” Wuest says. “The best advice is to prepare for such attacks in advance and prevent them from happening.”
6. Don’t count on law enforcement to recover ransomware payments.
Nearly 98 percent of ransomware payments are made in Bitcoin, because traditionally it’s been hard for authorities to track. That appears to be changing: After Colonial Pipeline paid approximately $4.4 million to hacker group DarkSide in order to regain access to its systems, the FBI was able to recover roughly $2 million of that sum.
Still, experts caution against placing too much faith in the feds to track stolen funds. “Bitcoin transactions are publicly visible by design, but this does not mean that the money is easily recoverable,” says Wuest. Usually the attacker will try to mix the Bitcoins and exchange them for even more private cryptocurrencies such as Monero. “The recent cases of Bitcoin recovery was only possible because of… mistakes made by the cyber criminals,” Wuest says, and there’s no guarantee that others will make the same mistakes in the future. “Without an arrest of the cyber criminals, such money recovery operations will remain the exception.”