The ransomware attacks that make headlines and steer conversations among cybersecurity professionals usually involve major ransoms, huge corporations and notorious hacking groups.
Kia Motors, Accenture, Acer, JBS…these companies were some of the largest to be compromised by ransomware in 2021. These were mainly hit with well-known variants, sometimes unleashed by state-backed hacking groups. But it’s key to understand that no “Top 10” list of ransomware incidents paints an accurate – or at least comprehensive – picture of the impact ransomware played over the last year.
That’s because, small businesses and not-for-profit organizations are often hit the hardest by ransomware. Here are a couple factors to consider that might help reframe how we think about ransomware, who’s targeted and why small businesses can’t escape the gaze of ransomware groups.
In our 2021 Webroot BrightCloud® Threat Report, we found overall infection rates to be rising fastest in the healthcare, non-profit and arts/entertainment/recreation industries. Schools, local governments and hospitals are some of the most commonly targeted types of institutions, accounting for some 2,400 breaches in 2020, according to the Ransomware Task Force’s (RTF) 2021 report.
Often operating with limited IT budgets, hospitals, schools and local governments also typically run some of the most complex and difficult to secure networks. Spread out over multiple locations and responsible for hundreds or even thousands of devices – factors referred to as the “attack surface” in information security – make these institutions attractive targets. To make matters worse, a shortage of cybersecurity professionals and budget constraints mean they handle these challenges short-staffed.
As a result, public school systems, police departments and towns were among major compromises in recent years.
Many security companies justifiably try to quantify the costs of ransomware year over year. While almost all agree both the number of attacks and the demanded ransoms are rising, these stats can obscure the real story.
Leaving aside the fact that they’re almost certainly underreported – businesses tend not to disclose ransomware incidents to avoid negative publicity and fines from regulatory agencies – a few high-profile incidents can drive up averages and distort the perceived cost to small businesses.
“I could never afford a $50 million ransom like the one hackers demanded of Acer,” the thinking goes, “so I must not be worth their time.” While understanding, this conclusion misrepresents the problem.
In fact, the median ransom demand in 2021, according to advanced findings from our upcoming threat report, was $70,000. Still potentially bankruptcy-inducing, this figure is within reach for a far greater number of businesses. Hence, a larger number of businesses are considered acceptable targets by criminals actors.
Maybe it was the case once, but malicious actors no longer have to be savvy behind a keyboard. Ransomware as a service (RaaS) is an increasingly popular business model among malicious actors where interested parties can buy ransomware “products” – malicious code meant to encrypt a target’s files – from a developer online.
According to the RTF, “In 2020, two-thirds of the ransomware attacks…were perpetrated by cyber criminals using a RaaS model.”
While supply chain attacks and major breaches of global corporations still require a good deal of technical sophistication, cracking the dentist’s office down the street no longer does. All that’s needed is a working knowledge of the dark web, a connection to a developer with loose morals and some startup capital to purchase the code.
This means casting a wider net with smaller ransomware demands threatens to ensnare more small and midsized businesses than before this business model emerged.
Securing small businesses in the crosshairs
Business owners and the MSPs that secure them can see how a set of factors are converging to increase the cybersecurity risks to businesses of all sizes. Luckily, there are a few steps, relatively easy to implement, that can help these organizations reduce their risk of falling victim to ransomware – or to limit the scope of any successful attacks.
These include:
Interested in learning more about ransomware and its effects on businesses? Download our eBook on the Hidden Cost of Ransomware.
Kyle Fiehler is a writer and brand journalist for Webroot. For over 5 years he’s written and published custom content for the tech, industrial, and service sectors. He now focuses on articulating the Webroot brand story through collaboration with customers, partners, and internal subject matter experts..