SMB ransomware: 1 in 5 small businesses forced to halt operations
Over the past year, we’ve witnessed some of the biggest global companies get hobbled by ransomware: FedEx, Boeing, Merck, Maersk and Mondelez International, just to name a few.
With figures like those, it’s easy to assume that ransomware is mostly a “big business” problem. But in fact, the opposite is true.
A recent report by Malwarebytes reveals that small to medium sized businesses are hit hardest, with 1 in 5 being forced to freeze their operations completely.
SMB ransomware statistics: a grim reality
In 2016, U.S. small businesses lost more than $75 billion in downtime from ransomware infections. And that was before the massive outbreaks of WannaCry and NotPetya in 2017.
The most recent data available shows a grim reality for SMBs:
- 1 in 3 small to medium sized businesses worldwide have been hit by ransomware within the last year.
- 22% of those SMBs were forced to shut down operations completely until the infection was removed.
- Every 40 seconds, on average, a small business is attacked by ransomware.
- In 2017, Symantec saw an average of 1,242 ransomware detections per day at businesses around the globe, not including the WannaCry and NotPetya attacks.
For SMBs that are hit with ransomware, the consequences can be catastrophic.
What’s the big deal?
For small businesses, a ransomware attack can be just as devastating as a natural disaster, if not more so. The unique nature of the malware—with its ability to lock up all your data—makes it one of the most dangerous threats to small businesses today.
All it takes is one bad click to set the destruction in motion.
Within minutes, you can lose access to your most critical files: financial data, customer records, inventory data, order information. We’re not just talking about spreadsheets and Word documents. Ransomware can infects your OS files and app data. It can break your business-critical applications. It can render your PCs inoperable.
One click and your operations grind to a halt.
How it works
Let’s back up a minute.
To defend against ransomware, SMBs need to have a better understanding of the threat they’re dealing with.
Here’s how ransomware works in a nutshell:
- The most common cause of SMB ransomware is when somebody clicks a bad link or opens an infected attachment in a spam/phishing email (see more causes below).
- When a machine is infected, its files are rapidly encrypted, rendering them inaccessible. The files can’t be decrypted without a decryption key held by the hackers.
- Users are often greeted with a message on their screen that reads: “Your files have been encrypted” or “Your computer has been locked.” This screen will also provide instructions for how to submit a payment to the attackers (usually in the form of cryptocurrency) in exchange for the decryption key.
- Meanwhile, in the background, the ransomware will typically attempt to spread outward as far as it can. If successful, it will move swiftly across your entire network.
- The average ransom demand is $500 to $1,000, but more targeted attacks can demand tens of thousands of dollars.
If a $500 ransom seems like a fair price to pay to save your business from annihilation, well you’re right. That’s what makes ransomware so successful. Businesses often pay up – but the hackers don’t always hold up their end of the bargain.
We’ll return to the issue of paying the ransom in a minute. But first, let’s take a closer look at the causes of SMB ransomware.
Where an infection begins
By far, the most common cause of ransomware is human error. But that doesn’t mean the blame should fall entirely on your employees.
Hackers use very deceptive tactics to fool workers into opening their malware-laced emails. Untrained eyes won’t know how to spot the signs of a malicious attachment or a bad link.
Here’s how the infections typically enter your network:
- Spam: Go into your spam folder right now and you’ll likely find hundreds of suspicious emails containing generic-titled attachments and links to who-knows-what websites. Chances are the majority of this spam leads to ransomware. One report found that more than 90% of spam now contains ransomware. It’s the single most popular delivery method, in part because it’s so cheap. Hackers can blast out millions of emails to SMBs across the globe. Even if only a small fraction of users take the bait, the attack is profitable for hackers.
- Phishing: Phishing emails are a bit more sophisticated and often targeted to specific types of businesses. These emails are disguised to look like communications that the user would ordinarily interact with, thus increasing the chances of being clicked. Examples can include emails that look like invoices, receipts or even deceptive reminders to “Change your password.”
- Unpatched machines: Even more sophisticated ransomware can infect your systems without the involvement of an end user at all. That was the case with WannaCry and NotPetya, which infected thousands of machines across the globe via unpatched vulnerabilities in Windows. These vulnerabilities were well known at the time, and patches had been available for months. Businesses simply hadn’t installed them. This is a big problem for smaller businesses that often don’t have the dedicated IT resources for managing patch schedules.
- Compromised websites & ads: In 2016, several prominent websites infected visitors’ computers with ransomware after they displayed compromised ads for nearly 24 hours. The sites included The New York Times, AOL, BBC and NFL, among others, proving that even the biggest brands online can be exploited for the delivery of malware. SMBs can drastically mitigate this threat by using ad-blocking software and setting restrictions on Internet browsing in the workplace.
- Other malware. Like Russian nesting dolls, various malware can be embedded inside other malware—and that includes ransomware. When small businesses fail to deploy dependable anti-malware software, they leave themselves at risk of a wide range of cyberattacks, from data loss to theft.
To pay or not to pay the ransom …
That is the million-dollar question.
And here’s our unequivocal answer: do not pay.
But in the defense of SMBs, we understand that paying the ransom can be tempting. When your operations are at a standstill and you’re racking up $9,000 in losses per minute, the idea of paying hackers a few grand doesn’t seem so bad. But there are a few problems with this…
- Paying the ransom doesn’t guarantee you’ll get your data back. In a 2017 survey, 35% of SMB victims paid the ransom, and 15% of those businesses never got the decryption keys they were promised. Money down the drain.
- Paying the ransom makes your business a target. It says to the attackers your data is valuable, that your defenses are not very strong, and that you are willing to shell out cash for a quick fix. This is why businesses that pay the ransom are often attacked a second time.
- Paying the ransom supports the ransomware industry. Look, we get it. When your business is shut down by malware, you’re not really concerned about the global ransomware industry. You just want your data back ASAP. Just remember that as long as businesses continue to pay attackers, then the problem of ransomware is never going to go away.
If you’ve exhausted all other options for recovering your data, and you’re willing to take the gamble if it means saving the business, then paying the ransom is understandable.
But we’re hoping that you’ll have at least one of the preventative measures below in place, so that there’s not even a debate about paying the ransom.
How to prevent ransomware, SMB-style
Hey, good for FedEx if it can withstand a $300 million hit from ransomware. But your small business probably can’t afford that steep of a loss.
Thankfully, by implementing these measures, you should never have to.
- Data backup for SMBs: A good data backup system will ensure you are always able to recover your data after a ransomware attack. We especially like Datto’s BDR systems, such as the ALTO and SIRIS, which feature built-in ransomware protection. At the first signs of an infection, administrators are alerted. You simply roll back to a clean recovery point, and the threat is gone.
- Employee training: The vast majority of ransomware infections can be prevented by training employees how to spot the signs of a malicious email. In a 2017 survey of 1,700 IT providers (who together serve more than 100,000 small to medium sized businesses), 42% said the leading cause of their clients’ ransomware infections was a lack of cybersecurity training.
- Access controls: You can prevent the spread of ransomware across your network by implementing stronger restrictions on file access with the principle of least privilege in mind. Users should have access only to the folders they need.
- Anti-malware, firewalls, etc.: Stop ransomware in its tracks by implementing premium anti-malware software and firewall settings that block incoming data from known malicious IP addresses.
- Patch your systems: Set your operating systems and applications to update automatically. Discontinue the use of older software that cannot be patched.
Some good news … recent trends show that the development of ransomware has been slowing down a tad. However, this isn’t the time to let your guard down. SMBs must remain proactive about ransomware prevention, or they risk being the next to shut their doors.
For more information on how your SMB can defend against ransomware, contact our business continuity experts at Invenio IT. Call us at (646) 395-1170, email [email protected] or request a free Datto demo today.