Ransomware and Small Business
By Kristin Thomas on October 29, 2024
Executive Summary
Ransomware attacks are especially damaging for small businesses because of their limited resources. Without a resilience plan that addresses such an event, a business risks failure. The best mitigation strategies focus on prevention: maintaining backups, carrying business insurance, keeping infrastructure updated and using antimalware software. If attacked, businesses should not pay any funds to attackers, should immediately report the crime to the FBI, and should follow a business continuity plan.
Background
Each year, Verizon publishes a report on business data breach trends for the previous year [8]. According to the Verizon 2024 Data Breach Investigations Report, “Ransomware continued to feature prominently in data breaches impacting U.S. companies,” and “Ransomware was a top threat across 92% of industries.” Many small businesses assume that they are of no interest to criminals because of their size [4]. However, according to Inc. Magazine, 82% of businesses targeted by ransomware were not large. Cyberattacks on small businesses are increasing and can cost between $120,000 and $1.24 million. About 60% of victimized businesses close within half a year. Small businesses rarely have the resources to handle such attacks the way large corporations do, so the results can be particularly dire.
In a ransomware attack, an attacker uses a web address, file or external device to infiltrate a victim’s system and encrypt its files [2]. Encryption translates information into a form that can only be returned to its original state by someone holding the matching decryption key [3]. Strong encryption algorithms effectively guarantee that anyone without the key cannot decipher the data. Used by authorized parties, this offers great protection. In the wrong hands, the same technology causes significant damage, because criminals can hold a victim’s critical data hostage in exchange for a ransom.
Impact
The impact of a ransomware attack is far-reaching. Small businesses risk not only losing their data, but also paying for compliance violations related to the breach and losing profits to downtime and reputation damage. Although it may seem most convenient to simply pay the ransom, doing so is not as simple as it sounds. According to research from CrowdStrike, 96% of victims who paid were asked for extra fees on top of the original ransom [1]. Attackers may not provide a working key at all, and may still leak the victim’s information on the dark web. Giving attackers what they ask for carries no guarantee of restoration.
Paying also emboldens criminals. The Federal Bureau of Investigation’s Internet Crime Complaint Center, or IC3, discourages victims from paying ransoms because payment encourages criminals to victimize other entities [5]. According to the Verizon 2024 Data Breach Investigations Report, “Financially motivated threat actors will typically stick to the attack techniques that give them the most return on investment.” For crimes that fall under the jurisdiction of the Office of Foreign Assets Control, victims who make payments may themselves be subject to a fine. Engaging with attackers can do more harm than good, whether or not the victim receives a working key.
Mitigation
Because it is impossible to know exactly what will happen once attackers compromise a victim’s data, it is best to focus on prevention and resilience. Attackers pursue targets through system weaknesses and social engineering. Good general cybersecurity practices reduce the attack surface: businesses should keep their software and hardware up to date and train users to recognize social engineering. The heart of a ransomware attack lies in the attacker determining which files or systems matter most to the target [6]. Businesses should determine this before a threat actor does, and protect those systems accordingly. If the budget allows, some small businesses may want to hire professionals who provide risk assessment and penetration testing services. Business insurance can also offset financial loss. Antimalware can detect and stop malicious code before it has the chance to encrypt files. Businesses with limited funds can protect themselves by making frequent backups and storing them offline, in a safe location.
If a small business finds itself under a ransomware attack, it should never pay the attacker. The crime should immediately be reported to the IC3 at https://www.ic3.gov/ and to any applicable regulatory bodies. Affected devices should be quarantined and taken offline to isolate the infection. The U.S. Small Business Administration, or SBA, encourages businesses to include cybersecurity measures in their disaster recovery plans [7].
It is important that small businesses keep an up-to-date disaster recovery plan for business continuity. If the budget allows, businesses with high-value assets to protect may want to consult risk management professionals and penetration testers. For businesses with smaller budgets, the SBA and IC3 offer free online resources for building recovery plans and handling ransomware attacks. Regardless of budget, every business should have a plan for protection and resilience in place.
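The offline backups recommended above are only useful in a recovery if they can be trusted, so a recovery plan should include a routine check that the backup copy still matches what was backed up. The following is an added example, not code from the article or from any of the cited organizations: it writes a manifest of SHA-256 digests for a source directory, then verifies an offline copy against that manifest and reports files that were modified, deleted or added. The directory names and file contents are constructed test data; in practice the manifest would be stored with the offline copy and the check run as part of a regular restore drill.

```python
"""Backup manifest and verification (added example, not from the article).

Assumption: a backup job copies a directory tree to an offline location and
stores a manifest of SHA-256 digests with it. Before relying on that copy,
the business verifies every file against the manifest, so a backup that was
silently encrypted, truncated or deleted is noticed before a restore attempt.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large backups do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's path relative to root to its SHA-256 digest."""
    files = sorted(p for p in root.rglob("*") if p.is_file())
    return {p.relative_to(root).as_posix(): sha256_file(p) for p in files}


def verify_backup(root: Path, manifest: dict) -> dict:
    """Compare a backup tree to its manifest and classify every file."""
    result = {"ok": [], "modified": [], "missing": [], "unexpected": []}
    for rel, expected in manifest.items():
        path = root / rel
        if not path.is_file():
            result["missing"].append(rel)       # deleted from the backup
        elif sha256_file(path) == expected:
            result["ok"].append(rel)            # byte-for-byte intact
        else:
            result["modified"].append(rel)      # overwritten or encrypted
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        if rel not in manifest:
            result["unexpected"].append(rel)    # not part of the original backup
    return result


def demo() -> dict:
    """Constructed scenario: a clean copy, then the same copy after damage."""
    with tempfile.TemporaryDirectory() as tmp:
        source = Path(tmp) / "source"
        (source / "accounts").mkdir(parents=True)
        (source / "accounts" / "ledger.csv").write_text("date,amount\n2024-10-01,100\n")
        (source / "customers.txt").write_text("constructed customer list\n")
        manifest = build_manifest(source)

        backup = Path(tmp) / "offline_backup"
        shutil.copytree(source, backup)
        clean = verify_backup(backup, manifest)

        # Simulate what a restore drill might uncover: one file overwritten
        # with unreadable bytes, one deleted, one stray file added.
        (backup / "accounts" / "ledger.csv").write_bytes(b"\x00constructed garbage")
        (backup / "customers.txt").unlink()
        (backup / "README_RESTORE.txt").write_text("constructed stray file\n")
        damaged = verify_backup(backup, manifest)
    return {"clean": clean, "damaged": damaged}


if __name__ == "__main__":
    for label, report in demo().items():
        print(label, {k: v for k, v in report.items() if v})
```

The check is deliberately independent of the backup software: any tool that can copy files and store a small text file alongside them can use it, and a mismatch in the "modified" list is exactly the signal a business wants before it tries to restore from an offline copy.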
Relevance
Although cyber professionals advise against paying ransomware attackers, many small businesses lack the resources to pursue any other route even if they want to. Without a mitigation strategy, businesses are often ill-equipped to combat this type of attack. Small businesses can defend themselves through risk mitigation practices, and the SBA and IC3 provide free online guidance that can help them create a plan of action.
References
[1] Baker, K. (2023, January 29). What Is Ransomware Detection? CrowdStrike. https://www.crowdstrike.com/en-us/cybersecurity-101/ransomware/ransomware-detection/
[2] Cleary, Q. (2023, April 4). The Devastating Impact of Ransomware Attacks on Small Businesses. University of Maryland Francis King Carey School of Law News. https://www.law.umaryland.edu/content/articles/name-659577-en.html
[3] CloudFlare. (n.d.). What is Encryption? CloudFlare. https://www.cloudflare.com/learning/ssl/what-is-encryption/
[4] Crumley, B. (2024, April 15). Cybersecurity Tips for Small Businesses Now Considered Big Hacking Targets. Inc. Magazine. https://www.inc.com/bruce-crumley/cybersecurity-tips-for-small-businesses-now-considered-big-hacking-targets.html
[5] Internet Crime Complaint Center. (n.d.). Ransomware: What it is & What to Do About It. Ransomware Fact Sheet. https://www.ic3.gov/Outreach/Brochures/Ransomware_Fact_Sheet.pdf
[6] Morgan Stanley. (2023, August 22). Defending Your Small Business from Ransomware. Morgan Stanley. https://www.morganstanley.com/articles/ransomware-protection-small-business
[7] U.S. Small Business Administration. (2024, August 1). SBA Launches New Business Resilience Guide. Press Release 24-59. https://www.sba.gov/article/2024/08/01/sba-launches-new-business-resilience-guide
[8] Verizon. (2024, May 1). Verizon 2024 Data Breach Investigations Report. Verizon. verizon.com/dbir