By Matthew Davis
What is a business without data? An ecommerce retailer can’t sell products without catalogs, orders, and customer details. A service business can’t serve anyone if it knows nothing about them. A healthcare provider can’t treat patients if health records and appointment data disappear. Without data, businesses go out of business.
Ransomware aims to deprive small businesses of their data. It does so by creating an encrypted version of the data, deleting the original, and demanding money in return for the encryption keys. Without the encryption keys, there is no way to restore the data.
Ransomware puts small business owners in a dilemma: they can pay the ransom and get the data back, or they can refuse to pay. If they pay, they might get the data back, but it’s not guaranteed. If they refuse to pay, the cost in lost business and damaged reputation can be even higher than the ransom.
There is a third option, which involves avoiding the dilemma altogether, as we discuss later in this article.
What Does Ransomware Cost Small Businesses?
No one knows precisely how much ransomware costs small businesses each year. Businesses that pay the ransom aren’t inclined to publicize the fact that they were hacked and blackmailed. However, security researchers can estimate the impact of ransomware, and it isn’t a pretty picture.
In 2018, the FBI estimated that there were over 4,000 ransomware attacks per day, a number that has risen in recent months. Security service provider Beazley Breach Response Services estimates, based on attacks against its clients, that 70 percent of ransomware attacks target small businesses, with an average ransom demand of $116,000.
The total ransom revenue paid by victims is estimated to be around $1 billion per year, but the losses suffered by victims are significantly higher at around $8 billion. Ransom payments make up a small proportion of the cost of ransomware; the disruption to business operations is where the real damage is done.
According to the Annual State of Ransomware Report, twenty percent of businesses affected by ransomware were forced to immediately cease business operations. The businesses that survived suffered consequences that ranged from minimal disruption to prolonged downtime, substantial loss of revenue, and damage to their brand’s reputation.
The businesses that suffered minimal disruption had invariably prepared to mitigate the ransomware risk before they were attacked.
How Does Ransomware Work?
Ransomware infects business desktop machines and servers in the same way as other malware. It exploits security weaknesses to place malicious code on business infrastructure. When the code is executed, it finds data to encrypt. The most sophisticated ransomware can find data on drives attached to the machine, including network-attached storage and cloud storage.
The encryption techniques used by ransomware vary. Naive ransomware simply encrypts the data using an asymmetric encryption algorithm, leaving the keys on the server before presenting the victim with a message that demands payment. This type of ransomware is outdated and rarely used because it’s easy for security experts to find the key and decrypt the data.
Modern ransomware uses a combination of symmetric encryption and public-key cryptography that is much harder to defeat. The only way to decrypt the data is with a private key that only the attacker has access to. There is no way to get the private key without the attacker’s cooperation, and no way to decrypt the data without the private key.
It’s worth emphasizing that, for most victims, there is no hope of decrypting the data without the private key. The attackers use encryption technology that even the military and government agencies such as the NSA cannot break. The only way to get the key without the attacker’s cooperation would be to hack their servers, but that’s beyond the resources of small business owners and most security professionals.
Early ransomware was often flawed, and researchers found ways to circumvent the encryption. Today’s ransomware is better designed: once the data is encrypted, there is no practical way to decrypt it without the key.
Small business owners should be wary of service providers who claim to be able to decrypt data lost in a ransomware attack. Most simply negotiate with the attacker and pay the ransom.
How to Beat Ransomware Attacks
As we have said, once the data is encrypted, it is lost for good unless the ransom is paid. The most effective mitigation is to prevent ransomware infection, and to do that, small business owners need to understand how ransomware finds its way onto their infrastructure.
- Phishing attacks. Phishing is the most common ransomware vector. The attacker sends an email containing a link that, when clicked, redirects the victim to a site that exploits software vulnerabilities to infect the machine with ransomware. Employees should be educated about phishing and trained not to click links in emails.
- Software vulnerabilities. Software vulnerabilities in internet-facing software can be exploited to give attackers the access they need to infect a machine with ransomware. The best way to mitigate the risk of software vulnerabilities is to limit the amount of internet-facing software, and, most importantly, keep software up-to-date. Updates fix vulnerabilities.
- Brute force and dictionary attacks. These are “guessing” attacks against user authentication systems. Automated bots attempt to guess username and password combinations. This is easy when users choose short and simple passwords. It’s impossible when passwords are sufficiently long and random, or when the business uses two-factor authentication.
This is basic security advice that every small business owner should follow, but security lapses are common and criminals are ready to exploit any vulnerability. It’s wise to assume that your business will be infected with ransomware at some point. We have already said that decrypting the data is impossible, but there is a way to defeat ransomware that has already encrypted data.
If a business takes regular and comprehensive backups and moves the backed-up data offsite, it doesn’t need to beat the attacker’s encryption. It can wipe the affected machines, reinstall the software, and restore the data from a backup. There may be downtime, but no ransom will be paid and no data will be lost.
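A backup only helps if it was taken before the files were encrypted. The following is an added example, not part of the original article: one way to compare a new backup snapshot against the last known-good one and refuse to rotate out the older copy when many files have vanished or turned into near-random bytes. The function names, thresholds, and sample snapshots are assumptions constructed for illustration.

```python
import hashlib
import math
from collections import Counter

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; encrypted data approaches 8.0."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def manifest(files):
    """Map each path in a snapshot to (SHA-256 digest, entropy)."""
    return {p: (hashlib.sha256(b).hexdigest(), entropy(b)) for p, b in files.items()}

def assess(prev, curr, entropy_limit=7.5, damage_limit=0.5):
    """Compare a new snapshot's manifest with the last known-good one."""
    missing = sorted(p for p in prev if p not in curr)
    # Changed files that went from ordinary content to near-random bytes.
    suspicious = sorted(
        p for p in prev
        if p in curr and curr[p][0] != prev[p][0]
        and prev[p][1] < entropy_limit <= curr[p][1]
    )
    ratio = (len(missing) + len(suspicious)) / len(prev) if prev else 0.0
    return {"missing": missing, "suspicious": suspicious,
            "ratio": ratio, "keep_previous": ratio >= damage_limit}

def random_like(seed: bytes, size: int = 4096) -> bytes:
    """Constructed stand-in for encrypted content (SHA-256 in counter mode)."""
    return b"".join(hashlib.sha256(seed + i.to_bytes(4, "big")).digest()
                    for i in range(size // 32))

# Constructed sample snapshots (path -> content); not real data.
TEXT = b"order_id,customer,amount\n1001,Acme Ltd,250.00\n" * 100
PREV = manifest({"orders.csv": TEXT, "customers.csv": TEXT[::-1],
                 "catalog.csv": TEXT * 2, "logo.png": random_like(b"png")})
NORMAL = manifest({"orders.csv": TEXT + b"1002,Bravo Inc,99.00\n",
                   "customers.csv": TEXT[::-1], "catalog.csv": TEXT * 2,
                   "logo.png": random_like(b"png")})
ENCRYPTED = manifest({"orders.csv": random_like(b"a"),
                      "customers.csv": random_like(b"b"),
                      "catalog.csv.locked": random_like(b"c"),
                      "logo.png": random_like(b"png")})

if __name__ == "__main__":
    for name, snap in (("normal", NORMAL), ("encrypted", ENCRYPTED)):
        print(name, assess(PREV, snap))
```

Files that are already compressed, such as the sample `logo.png`, have high entropy before any attack, so the entropy transition cannot flag them; the missing-file count and the digest comparison still cover renames and changes.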
One in 5 small businesses shut down after a ransomware attack. They are the businesses that didn’t prepare: they didn’t educate employees about phishing attacks; they didn’t update and patch software; and, most importantly, they didn’t have up-to-date offsite backups.
If that sounds like your small business, it’s time to start taking ransomware seriously.