Ransomware: A dangerous and costly problem for SMBs


In our last blog about email scams we mentioned the dangers of ransomware and how it can be transmitted via email. Ransomware attacks are becoming more frequent and more powerful. A study from the Australian Cyber Security Centre noted that the number of reported ransomware attacks increased by nearly 60 percent between 2013 and 2015. It also noted that ransomware is now the most prevalent type of attack facing businesses in Australia.

For those who are unaware of how ransomware works, let’s take a quick look at the process. The first thing to know about ransomware is that its most common point of entry is a download, either as an email attachment or from the Internet. This means you, or more likely one of your employees, has to be tricked into initiating the download.

What happens once it is downloaded depends on the type of ransomware. There are two major forms, but the goal of each is to get your business to pay the ransom.

1. Locker ransomware

Locker ransomware simply locks your computer screen and demands that you make a payment. It relies more on scams and an authentic appearance from a trusted entity, such as the police, to cajole people into paying the ransom. In many cases, a simple system restore to a time when your computer wasn’t infected is enough to circumvent this type of attack.

2. Crypto ransomware

Crypto ransomware is by far the more powerful of the two types. It encrypts all data on a computer, and even on a network, blocking access to it until the ransom is paid. This can be particularly crippling for a small business since many of these files and applications are needed to operate on a day-to-day basis.

Where did Ransomware come from?

Ransomware is actually over 25 years old, and traces its roots back to the days of floppy disks and continuous stationery printer paper. It began way back in 1989 as the AIDS Trojan. This was loaded onto a floppy disk and could encrypt files on a PC, preventing users from accessing anything on their computer. This attack wasn’t very practical, and ransomware didn’t start gaining traction until the rise of high speed internet and international payment methods in the mid-nineties.

Crypto and locker ransomware as it appears today first arrived on the scene in 2011 and spread quickly. It would take the shape of “antivirus” software or even Microsoft’s Security Centre. It would then warn users that they needed to reactivate their software license or buy fake security software to continue using their computer. Access to all other programs was blocked until the money was paid.

As encryption software improved, crypto ransomware became more prevalent around 2013. The software held sensitive files hostage until the demands of cyber criminals were met. Individuals were targeted at first, but hackers ended up focusing on SMBs. This is because they realised that SMBs are vulnerable and more likely to pay, since they need access to their files to stay in business.

Ransomware in Australia today

In Australia today, ransomware is more sophisticated than ever before. Some programs are even specifically targeted at the Australian market. One example is a scam that involved Australia Post and carried attachments containing malware. That is not the only time the government has been used to trick people. One of the first major malware scams here involved the locking of computers. Users received a notice that their computers had been involved in illegal cyber activity and that a fine needed to be paid. The notice appeared to come from the Australian Communications and Media Authority (ACMA), Australian Crime Commission (ACC), the Royal Australian Corps of Military Police or Interpol.

That was only the beginning. The technology website ARN reported that recent spoofed emails from DHL, FedEx, the Australian Federal Police (AFP) and the Australian Taxation Office (ATO) all contained the malware. Businesses are targeted via emails with attachments such as invoices, receipts, statements, order forms and even resumes that contain ransomware. It can be found all over the Internet as well. Websites promising something alluring like celebrity gossip or free vouchers often contain ransomware.

Take steps to protect your business

Apart from emails, there are other ways for ransomware to enter your systems and networks. Symantec reported that server encryption ransomware is becoming more popular among some cyber criminals. They often target healthcare organisations, as these organisations tend to forget to implement necessary security patches. This occurred in several hospitals in the USA, which were forced to pay thousands of dollars to get back access to their data.

A failure to patch software like Java and Adobe can provide hackers with another way to infect your systems with ransomware. That’s why it’s important to keep antivirus up-to-date and keep all applications and operating systems current with patching. Once this is done, check to make sure your backups are updated and operational. A lot of businesses forget to do this and the results can be costly, since it means you can’t simply go back and restore your files.

The costs add up

It doesn’t matter whether you’re infected with crypto or locker ransomware; it will cause problems and cost money. That’s because you are going to have to pay, either directly (by paying the ransom) or through downtime while you wait for your systems to be restored.

The ransom price itself can range anywhere from $300 to $700 and this payment is usually made via Bitcoin. Many businesses have difficulty coming to terms with paying cyber criminals but sometimes it is the only option. Research from Norton showed that cybercrime costs Australian businesses $1.2 billion and ransomware accounted for a significant portion of that total. While we don’t recommend doing it, sometimes paying the ransom is the only way you’ll be able to gain access to your files.

Even if you have fully functioning backups, ransomware will still cost you in terms of downtime. The same Norton study concluded that a ransomware attack causes an average of 14 hours of downtime. This is due to switching out corrupted or encrypted files and applications with backups. That’s why having a disaster recovery plan in place is crucial. A good disaster recovery plan can help reduce the downtime, because it allows staff to keep operating on a limited basis by providing access to the most important files and applications.

Ransomware is just one of a number of cyber threats that target SMBs. If you need to know what you can do to protect your business, develop a disaster recovery plan and save costs, contact Empower IT Solutions.