Ransomware attacks can be a big problem for small businesses. Learn about prevention tips and recovery strategies.
While 2020 was a difficult year for many, it was an opportune time for cybercriminals. Ransomware attacks spiked by 700% compared to 2019,[1] and the total cost of damages incurred by victims during this period almost doubled to an estimated $20 billion.[2]
Cybercriminals often target small businesses because they view them as easy targets. But there are steps your organization can take to better protect itself against ransomware attacks. Here are some best practices for you to consider which may make it harder for hackers to carry out a breach and could limit the damage if they do.
Ransomware is a form of malware. During a ransomware attack, a cybercriminal finds a way to break into your network or computer, determines which data, asset or application holds the most value to you and seizes this possession by either locking or irrevocably encrypting it, making it unusable to your organization.
The cybercriminal then demands a ransom in exchange for providing a key to decrypt or unlock your possession.
Some attacks go a step further, using what’s called “double extortion.” In this scenario, the hacker will not only hold the victim’s data for ransom, but also threaten to publish the stolen data on the dark web.
Every organization is susceptible to ransomware attacks, including small businesses and family offices. Even individuals can be targeted. Essentially, anyone with a computer connected to the internet or anyone with important data stored on their computer or network could be at risk.
Ransomware attacks can devastate organizations and leave them stranded without the data needed to operate. While ransomware demands continue to escalate, with the recovery price sometimes exceeding $1 million, the cost of the damage to an organization’s reputation can be even greater, and the recovery process after an attack is often lengthy and challenging.
Cybercriminals often target small businesses, believing they are more likely to skimp on security and other protective measures used by larger firms. Plus, since smaller businesses often don’t have the financial resources to survive lengthy downtimes, these companies are often more likely to pay the ransomware demand—and quickly, too.
Cybercriminals are clever and relentless. They use a variety of techniques to infect systems and continually evolve those methods to make their attacks harder to detect. The primary infection gateways include:
Email phishing: With this technique, a cybercriminal sends an email that seems authentic and looks like it’s from a trusted contact. The email typically asks the recipient to click on a link or download an attachment that contains malware. Fraudsters also sometimes hijack control of an email account with malware, which allows them to send emails from the account to spread the infection.
Remote Desktop Protocol (RDP) vulnerabilities: RDP is a network communications protocol that enables you to remotely connect to another computer. Cybercriminals can gain access to a computer with RDP enabled by obtaining user credentials through trial-and-error methods or purchasing them on the dark web. Once fraudsters obtain access, they can easily install malware on your system.
Software vulnerabilities: Cybercriminals are experts at detecting security vulnerabilities in popular software programs and exploiting them to gain control of your system and initiate an attack.
Online surfing: Simply clicking a digital ad or visiting a website that’s embedded with malware can infect your system.
Implementing a comprehensive ransomware prevention and recovery strategy that includes these steps makes it harder for fraudsters to hijack control of your business—and easier to get back on track if a breach occurs.
Regularly back up your data: Backups may be the best way to restore your data. But avoid connecting your backups to the computers or networks they’re backing up. Instead, physically store them offline. Also, periodically test your backups to ensure they’re working.
Consider employing a “3, 2, 1” strategy. Have three different copies of your data, use two different media for your backups (like a hard drive and a USB drive), and store at least one copy of your data offsite (such as with a cloud backup provider).
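The backup guidance above can be checked mechanically. The following is an added example, not part of the original article: it audits an inventory of data copies against the "3, 2, 1" rule plus the offline requirement, and verifies a test restore against SHA-256 hashes recorded at backup time. The inventory layout, the names and the choice to count the production copy as one of the three are assumptions.

```python
import hashlib
from dataclasses import dataclass
from pathlib import Path


@dataclass(frozen=True)
class BackupCopy:
    name: str
    medium: str    # e.g. "internal-disk", "usb-drive", "cloud"
    offsite: bool  # kept away from the business premises
    offline: bool  # not reachable from the systems it protects


def check_321(copies):
    """Return findings for an inventory of all data copies; empty means it passes."""
    findings = []
    if len(copies) < 3:
        findings.append(f"{len(copies)} copies found, need 3")
    if len({c.medium for c in copies}) < 2:
        findings.append("fewer than 2 storage media in use")
    if not any(c.offsite for c in copies):
        findings.append("no offsite copy")
    if not any(c.offline for c in copies):
        findings.append("no offline copy")
    return findings


def build_manifest(root):
    """Record a SHA-256 per file at backup time, keyed by relative path.
    Reads each file whole; hash in chunks for very large files."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_restore(manifest, restored_root):
    """Compare a test restore with the manifest; return missing or altered files."""
    restored = build_manifest(restored_root)
    return sorted(path for path, digest in manifest.items()
                  if restored.get(path) != digest)


# Constructed sample inventory (assumption): the production copy counts as one copy.
INVENTORY = [
    BackupCopy("office file server", "internal-disk", offsite=False, offline=False),
    BackupCopy("always-attached USB drive", "usb-drive", offsite=False, offline=False),
]

if __name__ == "__main__":
    for finding in check_321(INVENTORY):
        print("FAIL:", finding)
```

Store the manifest with the offline copy, so that malware able to alter the backups cannot also rewrite the hashes they are checked against.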
Conduct training sessions: Your employees may be the weakest link in your security system. Educate them throughout the year about ransomware and develop ongoing awareness exercises, such as email phishing simulations.
Promptly apply security patches: These include security updates for your operating system, software and hardware. Establish a centralized, automated system for applying these patches as soon as they are available.
Utilize a reputable anti-virus product: An anti-virus product can conduct frequent security scans to check for malware and clean up an infection you may already have.
Follow RDP best practices: This includes auditing your network for systems using RDP, closing unused RDP ports, applying multi-factor authentication (MFA) when possible and tracking RDP login attempts. It’s important to take these measures considering the number of attacks launched through RDP.
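One way to track RDP login attempts, shown as an added example that is not part of the original article: it flags source addresses with repeated failed logons inside a short window and notes whether a successful logon followed. The CSV layout, the sample records, the threshold and the window are constructed assumptions, and the export is assumed to be already filtered to RDP logons; 4625 and 4624 are the Windows Security event IDs for failed and successful logons.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export: timestamp,event_id,user,source_ip
SAMPLE_LOG = """\
2024-03-01T02:10:01,4625,administrator,203.0.113.50
2024-03-01T02:10:04,4625,admin,203.0.113.50
2024-03-01T02:10:09,4625,backup,203.0.113.50
2024-03-01T02:10:15,4625,jsmith,203.0.113.50
2024-03-01T02:10:21,4625,jsmith,203.0.113.50
2024-03-01T02:11:02,4624,jsmith,203.0.113.50
2024-03-01T08:58:40,4625,mlee,198.51.100.7
2024-03-01T08:59:05,4624,mlee,198.51.100.7
"""

FAILED, SUCCESS = "4625", "4624"


def analyze(log_text, threshold=5, window=timedelta(minutes=10)):
    """Return {source_ip: {"failed": n, "success_after": user or None}} for
    sources with at least `threshold` failed logons inside `window`."""
    failures = defaultdict(list)  # source_ip -> failure times still inside the window
    alerts = {}
    for row in csv.reader(io.StringIO(log_text)):
        if not row:
            continue  # skip blank lines in the export
        ts, event_id, user, ip = row
        when = datetime.fromisoformat(ts)
        if event_id == FAILED:
            recent = [t for t in failures[ip] if when - t <= window] + [when]
            failures[ip] = recent
            if len(recent) >= threshold:
                alert = alerts.setdefault(ip, {"failed": 0, "success_after": None})
                alert["failed"] = max(alert["failed"], len(recent))
        elif event_id == SUCCESS and ip in alerts:
            # A success after a burst of failures deserves immediate review.
            if alerts[ip]["success_after"] is None:
                alerts[ip]["success_after"] = user
    return alerts


if __name__ == "__main__":
    for ip, info in analyze(SAMPLE_LOG).items():
        print(ip, info)
```

A single mistyped password followed by a success, as in the last two sample records, stays below the threshold and is not flagged.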
Develop a disaster response plan: A ransomware attack can create chaos within an organization. That’s why it’s essential to be proactive and have an incident response plan in place that includes your response and notification procedures. Consider including the name of a reputable IT support service or data recovery specialist as part of your plan.
For additional security best practices, see the FBI’s ransomware overview or the Cybersecurity & Infrastructure Security Agency (CISA) Ransomware Guide. The No More Ransom project can also help identify strains of malware and indicate if there are known decryption tools for that strain.
Organizations victimized by a ransomware attack face difficult choices. If your organization is a victim, the FBI recommends contacting your local FBI office. You can also report the crime to the Internet Crime Complaint Center (IC3), CISA or a Secret Service Field Office. Individuals who experience an attack should also alert their Morgan Stanley Financial Advisor.
Reporting attacks helps provide investigators with the information needed to track and punish ransomware attackers and deter future attacks.
Along with consulting security experts in law enforcement, other steps to consider taking after an attack include:
- Identify and remove any infected computers immediately from your network
- Turn off any affected computers that haven’t been completely corrupted to contain the damage
- Change all account and network passwords
The best way to handle a ransomware attack is to never have one. Taking the appropriate prevention steps greatly reduces the risk of ever having to endure the financial distress and organizational turmoil created by these attacks.