Ransomware Attacks Are on the Rise: Is Your Business Protected?

What are ransomware attacks?

Ransomware is a specific type of malware that encrypts files on the impacted device or network. These files are then unusable until the target pays the attacker a set ransom. The attackers almost always leave a ransom note on the target computer during the attack, with instructions for how to pay the ransom in cryptocurrency. [Related article: What Small Businesses Should Know About Cryptocurrency]

Specific criminal gangs often use different types of ransomware, and some may rent out their ransomware to other criminals in a product known as “ransomware as a service,” or “RaaS.”

The growing complexity of ransomware attacks

Given the large payouts criminals can earn through ransomware attacks, as well as competition among ransomware gangs, ransomware and its operatives continually change tactics and evolve. 

Some ransomware gangs now employ a technique in which the ransomware operator steals sensitive information from a company before encrypting the files. The ransomware gang then threatens to leak the files online if the ransom demand is not paid. This is an increasingly common tactic: Verizon’s Data Breach Investigations Report found ransomware appeared in 10% of breaches in 2021, doubling 2020’s rate.

Other ransomware operators take threats even further with a third level of extortion, which includes making threatening calls to employees or launching denial-of-service (DoS) attacks on business websites. As with double extortion, the gangs may use these tactics to incentivize payments or to demand a second or third ransom payment. 

How can ransomware affect SMBs?

Successful ransomware attacks encrypt data on a targeted device. This causes system downtime and potential long-term disruption, whether or not a business pays the ransom. Depending on the type of ransomware and the gang responsible for an attack, the impact on a small or midsize business can even go beyond these consequences.

In a whitepaper on ransomware attacks in Canada, Palo Alto Networks reported long-lasting impacts on businesses. The company found that 58% of businesses take longer than a month to recover from the attack, and 29% take more than three months to fully recover. During these months, businesses incur substantial costs in lost revenue, contract IT recovery services, new equipment and more – in addition to any ransom they paid. 

If a ransomware group also breaches data, businesses may have to pay regulatory fines or shoulder the cost of identity theft prevention services for impacted customers. The business is likely to suffer reputational damage from a data breach as well. [Related article: What Is Reputation Insurance?]

How can I prevent ransomware attacks? 

You can block most ransomware attack attempts by following best cybersecurity practices in your business. The FBI’s IC3 found the majority of ransomware attacks took advantage of three attack vectors in particular: software vulnerabilities, phishing emails and remote desktop exploitation. All three of these vectors coincided with the rise of remote work and potentially lax cybersecurity arrangements. [Teach your team these cybersecurity tips for working from home.]

You can prevent ransomware attacks on your business with a mix of technological controls and security practices:

• Raise awareness. The first line of defense is understanding the threat. Hold regular security training events for all employees, explaining what ransomware is and how to look out for it. Your employees should know about phishing emails in particular, and you might want to test their security awareness with periodic phishing tests. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has useful resources for teaching your staff about ransomware.
• Keep software up to date. Always update your software, hardware and operating systems with the latest patches. If it gets hard to keep on top of patch management, consider using a managed services provider to help secure your business. You could also develop dedicated IT personnel from within by helping some of your employees earn the best IT certifications.
• Reconsider remote access. Unless your business needs remote access software, like Remote Desktop Protocol, disable it. If you do need it for remote work situations, secure it with multifactor authentication and create a unique, strong password. 
• Use security software and hardware. You can increase your security with a variety of software and hardware, including firewalls, email-scanning applications, and antivirus software. Also consider using workspace virtualization to secure devices and make recovery from a potential attack easier.
• Perform regular backups. Regularly back up all data and store it in a separate network environment. Separating the backups from the normal network can prevent the ransomware from finding and encrypting it.

What should I do after a ransomware attack? 

CISA has a step-by-step guide for what to do after a ransomware attack on your business. However, these instructions assume your business has an incident response team and a fully trained and staffed IT team available. At a basic level, you should isolate the affected systems and networks as soon as possible after infection and take all backups offline to secure them from potential infection. 

You should contact the FBI about the attack as soon as possible and also file a report with the IC3. Your local FBI field office can provide assistance following an attack.

The FBI discourages paying the ransom, as this incentivizes further attacks, and there are no guarantees that the ransomware gang will actually decrypt the data if you pay. In some instances, data is corrupted during the encryption and decryption process, rendering payment useless. 

After working with law enforcement and IT personnel, you should clearly communicate with your internal and external stakeholders about the attack. Tell your customers whether or not any sensitive information was stolen and about potential next steps, such as changing their passwords. 

One you’re certain the ransomware has been removed from the affected devices and systems, use the oldest available backup to restore all data and system configurations. This decreases the chances of hidden malware in the backup. 

What is the future of ransomware?

Data from Verizon, Palo Alto Networks and the FBI paint a clear picture of increasing ransomware attacks. Ransomware gangs continue to adapt and change their tactics, finding new ways to secure payment from impacted businesses. As long as ransomware groups are able to extort businesses into paying, attacks are likely to continue increasing and evolving.

Still, businesses are not defenseless. The right preparations can prevent a ransomware attack entirely, or at least mitigate the impacts so your business can recover quickly. For more guidance on mitigating and responding to cyberattacks, read our small business guide to cybersecurity.