Ransomware: What Small & Mid-Sized Business Owners May be Missing

Ransomware Small Mid Sized Business Owners
Matthew Polatsek
July 14, 2022

Ransomware is not new, nor is electronic crime. However, inhibiting system access for users has evolved into hijacking an entire enterprise’s file systems and backup files, held for ransom via encryption until a payout has been negotiated. Forty years ago, cybercriminals were already at work during the beginning stage of this model, whereby computers and files were held hostage for cash sent via the postal service. Many successful ransomware attacks have commanded headlines within the past few years, including those of Colonial Pipeline, JBS, and Kronos. However, the effects on small and medium-sized businesses (SMBs) go largely unreported.

Payment demands from ransomware range from $50,000 to $10 million USD. In this respect, all organizations have become potential targets that carry with them a costly business impact. The thinking that SMBs are less prone to ransomware attacks has not only become outdated but proven patently false.

SMBs have grown exponentially popular as targets for ransomware, sadly because the model has been so profitable. Monetary gains have been quickly realized through successful exploitation with a relatively efficient and effective return on investment. When this model becomes imperiled, however, the model must evolve. Enter the SMB. Ransomware operators realize that instead of winning the lottery with the exploitation of a large enterprise, repeated wins with scratch-offs can prove just as, if not more, lucrative. Their model continues to persist as an SMB’s resources are stretched thin with respect to protecting, defending, and responding to threats with little to no media attention given. Don’t take my word for it; take it from a ransomware operator who states, “You can hit the jackpot once, but provoke such a geopolitical conflict that you will be quickly found. It is better to quietly receive stable small sums from mid-sized companies.”

Why not just pay up and be done with it?

Is your organization prepared to handle a ransomware attack? Would you, and/or should you pay to have your stolen data reclaimed or to restore corrupted systems? This question is not easily answered, nor should it be answered by security personnel. Instead, this question needs to be scrutinized by senior management for all of the potential downstream ramifications. Organizations should consider the following before issuing any payments:

    • Generally speaking, only 65% of data is recovered after payment, and only 8% of organizations manage to recover all of their data.
    • The full recovery of an organization’s data can be a slow process, e.g., taking weeks, especially if large amounts of data are to be decrypted.
    • Malicious files may still be resident within the network. Payment does not get at the root cause of a successful attack. There is a high likelihood of subsequent attack and exploitation if preventive measures are not adequately employed.
    • If sensitive data has been stolen, there is no guarantee that an adversary will delete the stolen data within their possession.
    • SMBs could also incur financial penalties from the U.S. government. The U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) makes its position clear within its advisory published in October 2020.

What are SMBs to do?

SMBs can certainly take steps to better prepare, defend, and respond to ransomware attacks.

Some of these precautions include the following:

  1. Invest in security awareness training:
    • Employees are most often the target of email phishing campaigns. Enroll employees in continual training, not just a one-time effort resulting from the onboarding process.
  2. Know your assets: Too few organizations have a proper handle on their hardware and software assets.
    • Maintain repositories of all devices, users, software, and systems.
  3. Configuration management:
    • Patch all operating systems and applications. Test updates on ‘test’ systems. This may mean the creation of a small subnet of systems that are logically and physically isolated from production systems.
  4. Utilize multi-factor authentication – whenever and wherever possible:
    • Simple username and password authentication are not enough. Virtual private network (VPN) access secured with only usernames and passwords ranks within the top 4 methods of exploitation by ransomware operators.
    • This includes for critical servers, i.e., domain controllers, cloud console or portal access, application authentication, and critically, any remote access.
  5. Utilize the least privilege model:
    • Employees must only have access to the data or systems they need to do their jobs and nothing more.
  6. Employ a layered defense:
    • This aims at reducing an organization’s attack surface area through the employment of security controls, all acting in a coordinated fashion.
    • An example may include employing network-level firewalls, an email gateway, anti-malware solutions on endpoints, and a web proxy. This allows for faster detection and response.
  7. Maintain Proper Backups:
    • Follow the 3-2-1 method, which promotes the creation of three copies of backups on two different sources of media, i.e., cloud & hard disk storage, with at least one location offsite. Test backups to ensure recoverability.
    • Cloud object storage provides the advantage of “immutability.” An immutable backup is simply a storage solution that protects data against deletion or modification.
  8. Obtain cyber liability insurance:
    • Cyber insurance has evolved to offer more than simply funds for ransom payouts. They can also reimburse production downtime, data recovery, and forensic investigations.
    • Cyber insurance does have its caveats. Organizations will find it nearly impossible to negotiate a contract without proper technical controls.
  9. Employ principles of zero trust:
    • Limit the attack surface with sufficient network segmentation, automate more aspects of cybersecurity, provide contextual awareness behind alerts, and continuously verify access.
  10. Lean on a trusted advisor:
    • When guidance is needed, leverage a trusted advisor to offer insight into your security posture or organizational governance, offer guidance, spot gaps, and make recommendations to augment your cyber security infrastructure.

Ransomware has now become ubiquitous, and everyone has become a target. More needs to be done to teach and train SMBs about the value of implementing security fundamentals at their core and employing the appropriate strategies and tools to help prevent, detect, and limit the effects of ransomware.

Next Steps

Join me for our on-demand webinar, Ransomware: Security Solutions for Your Firm, where I’ll discuss what happens behind the curtain of a ransomware attack, how to improve detection, and tips for developing a response plan.

Matthew Polatsek