The Colonial Pipeline ransomware attack provides another painful reminder of the problem of cybercrime. But it also offers a learning opportunity for business owners because ransomware attacks are not limited to large companies or major infrastructures.
The number of organizations impacted by ransomware globally has more than doubled in 2021. “They do not care if you are small, medium or large, it is about monetization at scale,” says Adam Evans, Vice President of Cyber Operations and Chief Information Security Officer (CISO) for RBC.
Ransomware attacks increased by 435% in 2020. “If you’re going to operate a business in this business landscape, you have to educate yourself on how to protect your services,” Evans says.
Protecting your business from cybercriminals begins with understanding what ransomware attacks are, what you can do to prepare, and how you could recover if you are targeted.
Ransomware attacks targeting businesses
Ransomware is malicious software that locks all the files on your computer, preventing you from accessing them unless you pay a fee to have them released back to you. Or, put another way, it is like someone moves into your house, changes the locks so that you cannot get in, and then tries to sell your own home back to you so that they can pocket the profit.
Reported cases of ransomware have risen exponentially in recent years as criminals have grown bolder with each successful attack. Every time criminals get paid, they see more opportunities to make money. “They’ve almost been incentivized to focus on disruption because of the likelihood of payment,” Evans says.
In the case of Colonial Pipeline, cybercriminals likely perceived an opportunity to cause mass disruption, which is another common motivator for attacks. From a criminal’s perspective, the more disruptive the attack, the larger the ransom will be, and the more likely it will be paid.
Typically, a criminal organization will pay a ransomware provider to use their “ransomware-as-a-service” (RAAS) technology to lock down a target company’s systems. In return, the RAAS vendor gets a percentage of the ransom that is paid for every successful attack in addition to the licensing fee that the criminal organization paid to use the ransomware technology. The criminals that demand the ransom from the targeted business seek an amount that is high enough to make a large profit but still reasonable to the victim so that they will pay.
After realizing that criminals may have been able to seize its operations, Colonial Pipeline may have prevented them from doing so by taking its industrial control systems offline as a precaution. But having the systems down for several days caused massive disruption in the distribution of gasoline in the United States.
Colonial Pipeline eventually paid a $4.4 million USD ransom to restore service, and according to Reuters, U.S. government officials have said that the attack was orchestrated by DarkSide, an international group of cyber criminals.
Groups with varying expertise in cybercrime often work together to launch ransomware attacks and then share the rewards. “They’ve created ‘crime as a service,’” Evans says. “It’s an important evolution in criminal behaviour.”
The velocity and frequency of ransomware attacks will likely increase as groups in undeveloped countries with limited employment opportunities recruit members into the cybercrime economy, Evans says.
Protecting your small business from ransomware attacks
Though the number of threats may increase, small businesses can take steps to help prevent attacks or to minimize their damage.
“You have to prioritize based on the risks that you see and figure out, ‘What are my critical information assets that I need to protect,’” Evans explains. Whether it is your intellectual property, your clients, or something else, you should understand what criminals may target and protect those most important assets first, he said.
You should then develop a plan for recovery if your systems are compromised. “Once you’ve got your plan, then it’s about practicing how you’re going to respond because when it happens to you, deciding in a time of crisis is not the time to do it,” Evans says.
Businesses should also identify and close any security gaps, for example by engaging companies that could help restore operations in the event of an attack. “You want to get your services back up and running but you still have to go through the whole investigative process and make sure that your environment is still safe to operate,” Evans says.
On average, it takes 16 days for a business to recover services in a ransomware attack, Evans says. Retaining customers in the interim is vital.
“Everybody is getting educated to a point now where they understand that these things happen pretty regularly. It’s about how you deal with it,” Evans says. “You can improve your relationship, or it can have a massive impact on your ability to do business and retain your customers.”
Evans points to a shipping company that lost its IT environment overnight as an example of how a business can retain customers despite an attack. “The very first thing that was communicated outwards was to do what’s right for the client and we will figure everything else out. And that gave them a very, very simple kind of mandate to follow in the recovery activity that they took on.”
Ransomware attacks may be spreading, and they certainly can be scary, as in the case of Colonial Pipeline, but they do not have to be devastating for small businesses. By being aware of the threat and understanding how to prepare, small businesses can protect themselves and speed up their recovery when needed.
This article offers general information only and is not intended as legal, financial or other professional advice. A professional advisor should be consulted regarding your specific situation. While information presented is believed to be factual and current, its accuracy is not guaranteed and it should not be regarded as a complete analysis of the subjects discussed. All expressions of opinion reflect the judgment of the authors as of the date of publication and are subject to change. No endorsement of any third parties or their advice, opinions, information, products or services is expressly given or implied by Royal Bank of Canada or its affiliates.