Sophos: Remote ransomware attacks on SMBs increasing

Sophos researchers observed a shift in threat activity against small businesses in 2023, including a surge in remote ransomware attacks, according to new research published Tuesday.

While many vendor threat reports focus primarily on issues such as ransomware or geopolitical conflicts, the "2024 Sophos Threat Report" carries large emphasis on threats facing SMBs. Sophos said of all the customer incident response engagements its X-Ops team made in 2023, more than 75% involved small businesses.

Small businesses, which the researchers defined as companies with fewer than 500 employees, are "generally more vulnerable to cybercriminals and suffer more proportionally from the results of cyberattacks," Sophos said. The primary reasons for this involve resources.

"A lack of experienced security operations staff, underinvestment in cybersecurity, and smaller information technology budgets overall are contributing factors to this level of vulnerability," the report read. "And when they are hit by cyberattacks, the expense of recovery may even force many small businesses to close."

Although the vendor said ransomware continues to be the primary threat to smaller businesses, other major threats include data theft -- such as password stealers, keyloggers, spyware and phishing -- malvertising, unprotected devices being targeted, higher-effort social engineering attacks, attacks on mobile device users and abuse of drivers.

Threat actors have "stepped up" the use of malvertising, SEO poisoning and other web-based malware "to overcome difficulties created by the blocking of malicious macros in documents, in addition to using disk images to overwhelm malware detection tools," Sophos said.

The report also claimed attackers "have turned increasingly to abuse of drivers," be it exploiting vulnerable drivers from legitimate companies or using malicious drivers that have been signed with fraudulent or stolen certificates. This enables an attacker "to evade and disable malware defenses on managed systems."

Christopher Budd, director of Sophos X-Ops, told TechTarget Editorial that threat actors have turned to drivers due in part to the increasing security postures of defenders.

"Attackers increase the sophistication of their attacks to try and counter the sophistication of the security products present (or believed to be present) on the target's system," Budd wrote in an email. "As security products have increased in effectiveness, attackers have worked to increase the sophistication of their attacks to try and counter that."

Sophos said ransomware still represents the biggest threat to SMBs. Another notable data point in the report involved a substantial increase in remotely executed ransomware. Oftentimes, researchers said, attackers accomplished this via unmanaged devices on a victim's network. This attack format saw a substantial increase in the second half of 2023.

"These types of attacks are able to gain footholds by exploitation of unprotected servers, personal devices, and network appliances that connect to organizations' Windows-based networks," Sophos said. "Defense in depth can prevent these attacks from taking entire organizations offline, but they can still leave organizations vulnerable to data loss and theft."

Budd said this rise can be attributed to the attacks' effectiveness against some security products. "In fact," Budd said, "in our own testing, we have found that some older ransomware families will execute successfully against security products that normally would stop it when used remotely."

It is no surprise that SMBs represent the lion's share of Sophos X-Ops engagements. Organizations that lack the resources of enterprises can easily struggle with tasks such as patching regularly. And in industries where security remains an emerging area of focus, these challenges can be twofold.

Alexander Culafi is a senior information security news writer and podcast host for TechTarget Editorial.