- According to the FBI Internet Crime Complaint Center, ransomware attacks have increased in frequency by 82% and cost by 449% since 2019.
- Ransomware is a type of malware that encrypts data to prevent a business from functioning until it pays a ransom. Other ransomware attackers attempt to steal data to sell later or to further pressure a business into paying the ransom.
- Businesses can take proactive steps to prevent successful ransomware attacks or to mitigate the worst of the attack.
- This article is for business owners who want to learn about ransomware attacks and how to protect against them.
Businesses hoping for a break from cybersecurity worries are facing some major headwinds. As overall cybercrime counts continue to rise, the threat from ransomware in particular has exploded. In March 2022, the FBI’s Internet Crime Complaint Center (also known as IC3) released its 2021 Internet Crime Report, which found ransomware attacks have increased by 82% from 2019 to 2021. In the same time frame, the total cost of attacks increased by 449%.
The FBI found ransomware caused $49 million in adjusted losses in 2021. However, those losses are almost certainly an undercount, as they don’t include costs that weren’t reported to the FBI. Nor does that number include the cost of lost files, time, wages, equipment or associated third-party remediation.
With these potential costs in mind, we’ve put together this primer on ransomware to help you avoid a successful attack on your business – and take the right actions should the worst occur.
What are ransomware attacks?
Ransomware is a specific type of malware that encrypts files on the impacted device or network. These files are then unusable until the target pays the attacker a set ransom. The attackers almost always leave a ransom note on the target computer during the attack, with instructions for how to pay the ransom in cryptocurrency.
Specific criminal gangs often use different types of ransomware, and some may rent out their ransomware to other criminals in a product known as “ransomware as a service,” or “RaaS.”
The growing complexity of ransomware attacks
Given the large payouts criminals can earn through ransomware attacks, as well as competition among ransomware gangs, ransomware and the groups operating it continually change tactics and evolve. For example, cybersecurity company Palo Alto Networks noted in its March 2022 Ransomware Threat Report how RaaS operators have been doubling down on additional methods of extortion since 2020.
Some ransomware gangs now employ a technique known as double extortion, in which the ransomware operator steals sensitive information from a company before encrypting the files. The ransomware gang then threatens to leak the files online if the ransom demand is not paid. This is an increasingly common tactic: Verizon’s Data Breach Investigations Report found ransomware appeared in 10% of breaches in 2021, doubling 2020’s rate.
Other ransomware operators take threats even further with a third level of extortion, which includes making threatening calls to employees or launching denial-of-service (DoS) attacks on business websites. As with double extortion, the gangs may use these tactics to incentivize payments or to demand a second or third ransom payment.
Key takeaway: All ransomware attacks encrypt data to extort a business into paying a ransom. Some ransomware groups even steal a business’s data or take other threatening actions to extort payment. Learn how to mitigate the damage of a data breach against your small business.
How can ransomware affect SMBs?
Successful ransomware attacks encrypt data on a targeted device. This causes system downtime and potential long-term disruption, whether or not a business pays the ransom. Depending on the type of ransomware and the gang responsible for an attack, the impact on a small or midsize business can even go beyond these consequences.
In a whitepaper on ransomware attacks in Canada, Palo Alto Networks reported long-lasting impacts on businesses. The company found that 58% of businesses take longer than a month to recover from the attack, and 29% take more than three months to fully recover. During these months, businesses incur substantial costs in lost revenue, contract IT recovery services, new equipment and more – in addition to any ransom they paid.
If a ransomware group also breaches data, businesses may have to pay regulatory fines or shoulder the cost of identity theft prevention services for impacted customers. The business is likely to suffer reputational damage from a data breach as well.
Did you know?: Verizon’s 2021 Data Breach Investigations Report found that 95% of ransomware attacks incurred costs between $70 and $1.2 million, with a median loss of $11,150. Learn how to tell if your computer is infected and fix it before costly problems arise.
How can I prevent ransomware attacks?
You can block most ransomware attack attempts by following best cybersecurity practices in your business. The FBI’s IC3 found the majority of ransomware attacks took advantage of three attack vectors in particular: software vulnerabilities, phishing emails and remote desktop exploitation. All three of these vectors coincided with the rise of remote work and potentially lax cybersecurity arrangements.
You can prevent ransomware attacks on your business with a mix of technological controls and security practices:
- Raise awareness. The first line of defense is understanding the threat. Hold regular security training events for all employees, explaining what ransomware is and how to look out for it. Your employees should know about phishing emails in particular, and you might want to test their security awareness with periodic phishing tests. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has useful resources for teaching your staff about ransomware.
- Keep software up to date. Always update your software, hardware and operating systems with the latest patches. If it gets hard to keep on top of patch management, consider using a managed services provider to help secure your business. You could also develop dedicated IT personnel from within by helping some of your employees earn the best IT certifications.
- Reconsider remote access. Unless your business needs remote access services, such as Remote Desktop Protocol (RDP), disable them. If you do need remote access for remote work situations, secure it with multifactor authentication and a unique, strong password.
- Use security software and hardware. You can increase your security with a variety of software and hardware, including firewalls, email-scanning applications, and antivirus software. Also consider using workspace virtualization to secure devices and make recovery from a potential attack easier.
- Perform regular backups. Regularly back up all data and store it in a separate network environment. Separating the backups from the normal network can prevent the ransomware from finding and encrypting them.
Tip: Back up your computer to Google’s cloud to not only increase your team’s collaboration abilities, but also ensure your access to your business data in case of an emergency.
What should I do after a ransomware attack?
CISA has a step-by-step guide for what to do after a ransomware attack on your business. However, these instructions assume your business has an incident response team and a fully trained and staffed IT team available. At a basic level, you should isolate the affected systems and networks as soon as possible after infection and take all backups offline to secure them from potential infection.
You should contact the FBI about the attack as soon as possible and also file a report with the IC3. Your local FBI field office can provide assistance following an attack.
The FBI discourages paying the ransom, as this incentivizes further attacks, and there are no guarantees that the ransomware gang will actually decrypt the data if you pay. In some instances, data is corrupted during the encryption and decryption process, rendering payment useless.
After working with law enforcement and IT personnel, you should clearly communicate with your internal and external stakeholders about the attack. Tell your customers whether or not any sensitive information was stolen and about potential next steps, such as changing their passwords.
Once you’re certain the ransomware has been removed from the affected devices and systems, use the oldest available backup to restore all data and system configurations. This decreases the chances of hidden malware in the backup.
What is the future of ransomware?
Data from Verizon, Palo Alto Networks and the FBI paint a clear picture of increasing ransomware attacks. Ransomware gangs continue to adapt and change their tactics, finding new ways to secure payment from impacted businesses. As long as ransomware groups are able to extort businesses into paying, attacks are likely to continue increasing and evolving.
Still, businesses are not defenseless. The right preparations can prevent a ransomware attack entirely, or at least mitigate the impacts so your business can recover quickly. For more guidance on mitigating and responding to cyberattacks, read our small business guide to cybersecurity.