Business interruption and lingering damage from ransomware attacks have driven some 22 percent of Australian small and medium businesses to shut their doors after an attack paralysed their operations, according to new research that also found that 31 percent of organisations never figured out where the infection came from.
The figures confirmed that the potential damage from ransomware extends far beyond the initial ransom, which was reported as being $1000 or less by 4 out of 5 respondents to the recent Osterman Research-Malwarebytes State of Ransomware Report.
Only 4 percent of ransom demands were for more than $10,000 – something being experienced by larger companies as ransomware perpetrators tailor their demands to their victims’ financial resources.
Earlier this year, Symantec reported that the average payment for ransomware victims had increased from $US294 ($A376) in 2015 to $US1077 ($A1378) in 2016 and that 34 percent of victims end up paying the ransom – even though just 47 percent reported actually getting their files back.
This disparity has driven new analyses of ransomware behaviour, particularly around the recent Petya worm – which repurposed the distribution mechanism utilised in this year’s WannaCry attack – and its apparent lack of a mechanism for decrypting files. This led many to reclassify it as a ‘wiper’ whose purpose is mainly to cause malicious damage.
And cause damage it has. Petya savaged companies including Maersk, DLA Piper, and a host of Ukrainian companies and, a month later, has still hamstrung worldwide production operations at pharmaceutical giant Merck. Global shipping interest FedEx was also a high-profile victim, reporting that its TNT Express subsidiary had been impacted indefinitely in what could have a material impact on its earnings.
“The stakes of a single attack for a small business are far different than the stakes of a single attack for a large enterprise,” Malwarebytes CEO Marcin Kleczynski said in a statement. “SMBs are suffering in the wake of attacks to the point where they must shut down operations. To make matters worse, most of them lack the confidence in their ability to stop an attack, despite significant investments in defensive technologies.”
The very real business damage being caused by ransomware – even as a tool to decrypt systems affected by Petya was publicly released – affirms the warnings in Malwarebytes’ research that business downtime from such an attack can be significant: 24 percent of respondents said they had experienced 25 or more hours of downtime from an attack, with some reporting more than 100 hours.
The 24 percent figure was well ahead of the global average of 17 percent, and Australian companies were more likely than the global average to see ransomware infections spread out well beyond the initial endpoint that was infected. This implies both that Australian companies have a high degree of interconnectedness and that they aren’t necessarily registering that fact by building and enforcing better security policies.
Those strategies will necessarily need to focus on email, which remains a primary conduit for ransomware infections: some 22 percent of companies said they had been infected by clicking on a malicious email link and 18 percent said their employees had opened a malware-laden email attachment.
This is in line with figures in Mimecast’s recently updated Email Security Risk Assessment, which analysed 45 million emails and found 10.8m pieces of spam containing 8682 dangerous file types; 1778 known and 503 unknown malware attachments; and 9677 business email compromise emails.
Nearly a quarter of email classified as ‘unsafe’ by that company’s analysis engines was being delivered straight to users’ email inboxes, that assessment concluded – reinforcing the risk that companies face as ever-more-virulent ransomware attacks try new attack methods with increasing levels of success.