According to a comprehensive new report from Datto, ransomware continues to be the leading form of cyber attack experienced by small- and medium-sized businesses (SMBs). The report looked at the problem of ransomware attacks from the perspective of over 2,400 Managed Service Providers (MSPs) and their more than 500,000 SMB clients. These companies are dealing with the problem of ransomware attacks on a daily basis, and are best able to provide an accurate assessment of just how entrenched the ransomware problem really is.
Key findings from the Datto report on ransomware attacks
Based on the findings within the Datto report, it’s clear that ransomware remains a significant threat to SMBs. For example, during the period from Q2 2016 to Q2 2018, more than three-quarters (79%) of MSPs had clients that were hit by ransomware. That easily makes ransomware the No. 1 threat to the SMB community. In contrast, only 38 percent of MSPs had clients that were hit by Trojan horse attacks, and only 28 percent of MSPs had clients that were hit by crypto-jacking attacks. Traditional forms of cyber attacks, such as spyware and viruses remain persistent problems as well.
If anything, says Datto, the problem of ransomware attacks has only been getting worse since June 2017. Fully 92 percent of MSPs contacted by Datto said they expect the attacks to continue at current or worse rates in the future. To highlight that fact, the report also noted that, in the first half of 2018, 35 percent of MSPs had experienced multiple attacks in a single day. The average MSP reports 5 attacks within their client base each year. And the number of known ransomware families is only continuing to grow.
The need to build awareness about ransomware attacks
So if the problem of ransomware attacks continues to worsen, why aren’t more companies doing more? One problem, cited within the Datto report, is that many small and mid-sized businesses simply don’t think that the problem could happen to them. In short, they feel that they are immune to ransomware attacks and security threats simply because they don’t have anything that the hackers would want. Based on the high-profile ransomware attacks that garner all the headlines, it’s perhaps easy to conclude that the hackers are only going after the biggest and most valuable targets (i.e. Fortune 500 companies).
But that’s hardly the case, unfortunately, as the Datto report makes clear. In fact, no industry appears to be safe. While it is true that the financial services and insurance industries appear to be two of the biggest targets, it’s actually the case that the construction and manufacturing sector (involved in 38% of all ransomware attacks) is the biggest target. The professional services sector (representing 35% of all ransomware attacks) also appears to be highly vulnerable to malicious software and infected computers. The healthcare industry (including national health service providers) is also very much at risk of ransomware attacks.
One big problem, suggests Datto, is that SMBs do not report ransomware attacks as they occur. According to the “2018 Ransomware Report,” less than one-quarter of all ransomware attacks are actually reported. After command and control servers are taken offline, some companies may opt to pay the ransom and move on, rather than deal with a potential PR disaster.
That might help to explain why many SMBs consider themselves to be “immune” from the problem – they incorrectly assume that nobody else in their peer group is being hit by these attacks. And that’s a point reinforced by Datto, which points out the disconnect between MSPs and their clients. While 89 percent of MSPs believe their clients should be “highly concerned” about ransomware attacks, only 36 percent of SMBs view the problem in the same way.
The dollar cost of ransomware attacks
As businesses continue to adopt a head-in-the-sand mentality about ransomware infections, one thing is clear: these attacks have the potential to cripple any organization that has not put the proper backup and recovery plan into place. Revenue lost to downtime can cripple a small business, and lost productivity or time that is spent offline can have serious financial implications.
Datto illustrates this with a case study within the report of the infamous SamSam ransomware attack that hit the city of Atlanta in 2018. The ransomware attackers only demanded $51,000 in ransom money, but the attack took on dimensions that city IT workers never could have imagined. For example, the SamSam attack knocked the city of Atlanta offline for five days, resulting in the loss of important citywide services for one of the largest cities in the United States. All told, the total recovery cost for the city of Atlanta was $17 million.
That example helps to illustrate an important point made by the Datto report: on average, ransomware attacks are 10 times more costly to the business than the ransom itself. Based on the numbers that Datto collected from MSPs, the average ransom amount was just $4,300 but the average total cost of an attack (once you add in all the downtime and loss of productivity) was $46,800. Thus, even after a hacker has demanded payment, the cost of getting everything back up and running (especially the main operating system) could be much higher than ever anticipated.
Finding a solution to the ransomware problem
So what can be done to prevent ransomware attacks in the future? As Datto makes clear, there is no “silver bullet” that will stop the problem once and for all. And traditional cyber security defenses that companies have relied on in the past to keep themselves safe – such as antivirus software and email or spam filters – are surprisingly ineffective at staving off ransomware attacks. For example, according to the Datto report, 86 percent of ransomware victims had antivirus software installed, 65 percent had email or spam filters installed, and 29 percent had pop-up blockers (to avoid malicious pop-up messages) installed.
As Ryan Weeks, Chief Information Security Officer for Datto, points out, “Antivirus is still table-stakes as it does prevent from known malicious threats. That said, effective controls to more fully prevent infection of morphing threats like ransomware have surpassed the capability of traditional antivirus software and therefore requires a level down approach that looks at effective server hygiene, configuration processes and new technology that does not rely on prior observation.”
As a result of the growing sophistication of ransomware attacks, Datto suggests a multi-step approach to building general awareness within businesses about the scope of the problem, and then erecting the proper defenses to keep the ransomware attacks from ever infiltrating the organization. Simply training employees how to identify phishing attacks, for example, can play a big role. They should be made aware of how even simple user interactions (such as opening unknown attachments) can lead to big problems. Training should also focus on the need to encrypt files, protect private keys and install security software.
Moreover, suggests Datto, SMBs should think about having a business continuity & disaster recovery (BCDR) solution in place. This would help a business recover from an attack within a short period of time, even in as little as 24 hours, without the risk of significant business downtime that could cripple an organization.
The future of ransomware
Going forward, one thing is certain: ransomware attacks are only going to increase in frequency and intensity as long as small and mid-sized businesses fail to take adequate measures to protect themselves. And, perhaps most disturbingly, Datto also suggests within the report that ransomware will start to “get personal” by going after social media accounts, wearable devices, and IoT devices.
Imagine waking up one day to find your Facebook account “locked” unless you make a ransom payment to an anonymous hacker located halfway around the world. If the WannaCry ransomware attack did not make businesses sit up and take notice, hackers going after the social media accounts of employees might finally be the wakeup call that top business leaders need in order to be convinced that, yes, ransomware attacks might actually happen to them.