While attention has traditionally focused on blocking threats such as viruses and worms, it’s now shifting to the rapidly evolving area of ransomware. These attacks involve the infection of a firm’s key IT systems by malicious code that encrypts data files, making them unusable. The criminals responsible then demand payment in exchange for the key needed to decrypt the data.
Ransomware can be delivered in a variety of ways. The code might arrive in an email attachment or be inadvertently downloaded when a staff member visits an infected website. Some users fall victim to a phishing attack where an email message looks to have come from a legitimate source but has in fact come from a criminal. Opening an attachment or clicking on a web link within the email is all it takes to launch the attack.
It’s a very real and growing problem. According to a survey by US-based Osterman Research of companies in Australia, the United States, Canada, Germany and the United Kingdom, 73 per cent of those surveyed admitted they had fallen victim to a cyberattack during the previous 12 months. Alarmingly, 39 per cent of respondents confirmed they had been the victim of a ransomware attack in the same period.
The impact of ransomware
For businesses of all sizes, a ransomware attack can have a significant impact on operations. Client files and financial accounts needed for day-to-day activities may suddenly become unavailable. Compliance records required to demonstrate adherence to government or specific regulations could be lost.
As a result, the disruption caused can be much more of an issue than any demands made by the criminals for payment. The Osterman survey found 81 per cent of companies that had experienced a ransomware attack faced payment demands of $1000 or less. Just 4 per cent faced demands for more than $10,000 and none had demands for payments of more than $50,000.
Compare these amounts with the cost to your organisation if regular operations had to be halted for 24 hours. What if that time pushed out to a week? The survey found 22 per cent of Australian businesses that suffered a ransomware attack had to cease their operations immediately. Of those, 71 per cent confirmed the infection caused nine or more hours of downtime, with 20 per cent admitting their systems had been down for up to 100 hours.
The decision to pay
When a company is hit with a ransomware attack, a decision must quickly be made as to whether the ransom demand should be paid or ignored. Among Australian respondents to the survey who had experienced an attack, 55 per cent confirmed they did not make any payment. Of those opting not to pay, 40 per cent confirmed they lost data as a result of the decision.
Asked broadly whether any organisation should pay the criminals’ demands, 58 per cent of Australian respondents said this should never be done. A further 40 per cent felt the decision to make payment should be based on what had been encrypted and its value to the business. Just 2 per cent thought payments should always be made.
In the end, the decision will have to be made by every business that suffers a ransomware attack. The amount demanded has to be weighed against the financial impact the organisation will suffer from losing access to core data.
However, it should also be recognised that making payment to the criminals does not guarantee access to data will be restored. There have been cases where the provided decryption keys have not worked, or no response has been forthcoming after the demanded amount has been provided.
Pre-emptive action is key
Clearly, it’s far better for a business to avoid a ransomware attack than have to deal with the resulting fallout. This is certainly the case in the waste management sector where disruptions and downtime quickly have a flow-on impact for staff and customers.
The Osterman research found Australian businesses are using a range of strategies, both to minimise their chances of falling victim and to ensure they can quickly respond if an attack does occur.
Strategies include ensuring regular backups are made of critical data and those backups are stored separately from production systems. There’s little point having a backup if it too can be accessed by the malware and encrypted.
Firms are also putting in place traditional email security solutions and implementing network segmentation to stop the spread of malicious code should it enter the firm’s infrastructure.
Another important step is to educate all staff about the risks associated with ransomware attacks and the potential ways in which they can occur. By ensuring they are aware of the risks of suspicious email attachments and visiting unusual websites, the chance of an attack taking place can be reduced.
The ransomware threat shows no sign of abating, and so Australian companies must give more attention to their preparation and response capabilities. Through deploying appropriate tools, undertaking regular backups, and educating staff, they can ensure they are best placed to withstand an attack if it occurs.
About the author
Jim Cook is the ANZ Regional Director of Malwarebytes, an anti-malware software company.