SMB ransomware report: Attacks frequent, backups key piece
Ransomware attacks on SMBs have increased, according to a recent survey, but backup and disaster recovery platforms can calm data protection fears.
An estimated 5% of SMBs worldwide fell victim to a ransomware attack from the second quarter of 2016 to the second quarter of 2017, according to the “State of the Channel Ransomware Report” released by backup and recovery vendor Datto. About 1,700 managed service providers (MSPs) serving more than 100,000 SMBs provided data for the ransomware report.
Ninety-seven percent of the MSPs report ransomware is becoming more frequent and 99% predict the frequency of attacks will continue to increase over the next two years.
Anxiety is rising. Among MSPs, 90% say they are “highly concerned” about ransomware, up from 88% in 2016, while 38% of SMBs say the same, up from 34% in 2016.
“There’s more of an awareness of ransomware and it being an epidemic,” Datto CTO Robert Gibbons said. However, the gap between SMBs’ perception and MSPs’ awareness is too far on the side of SMBs being under-aware, he said.
While CryptoLocker remains one of the top ransomware strains, the Bad Rabbit virus caused problems globally in the last month.
SMBs need to understand that the downtime is often the worst element of an attack on a business. Seventy-five percent of MSPs report their clients experienced “business-threatening downtime” after an attack.
On a positive note, though, reporting is increasing. SMB victims reported about one in three ransomware attacks to authorities, up from one in four incidents reported in 2016.
And fewer SMBs are paying the ransom, according to the report. In 2017, 35% of MSPs report SMBs paid the ransom, down from 41% in 2016. Of those that paid the ransom, 15% never recovered their data, according to the ransomware report.
“The word is getting out that if you pay the ransom, sometimes you get your data, sometimes you don’t,” Gibbons said.
A ‘multilayered portfolio’ of protection includes backup
Ransomware is getting smarter. About 30% of MSPs report a virus remained on an SMB’s system after the initial attack and hit again later. And one in three MSPs report ransomware encrypted an SMB’s backup.
So what are SMBs to do?
First of all, backup systems vary in complexity and strength. Copying files to a USB drive is one method, but not a great one. Having a comprehensive backup and recovery platform, following a “3-2-1” system of three copies of data, on two different media, with one copy off-line, is much more secure.
Backup and disaster recovery is the most effective protection, according to MSPs in the ransomware report, followed by employee cybersecurity training, anti-virus software, email/spam filters, patching applications and ad/pop-up blockers.
If backup and recovery is in place, 96% of MSPs report SMBs fully recover from ransomware, according to the report. And 95% of MSPs said they feel more prepared to respond to an SMB infection.
But ransomware protection goes beyond having just one safety element in place. For example, 94% of MSPs report ransomware successfully bypassed anti-virus software.
“As no single solution is guaranteed to prevent ransomware attacks, a multilayered portfolio is highly recommended,” the report said.
MSPs blamed a lack of cybersecurity training as the leading reason for a successful ransomware attack, followed by phishing emails and malicious websites/ads.
“Employees today are largely unprepared to defend themselves against these attacks,” the ransomware report said.
Gibbons said that in one type of education, a company will send out a fake phishing scam, and anyone who clicks in the email will get diverted to ransomware training. Just one employee who clicks on a bad link, in a company of hundreds, can cause a business possibly irreparable harm from a ransomware attack.
“There are more tools available to up your minimum game,” Gibbons said.
SMBs need to stay on top of the issue, because attacks are constantly evolving. For example, in 2017, 26% of MSPs reported ransomware infections in cloud applications. Gibbons said he thinks cracking Salesforce is at the top of the attackers’ radar in their continuing quest to best wreak havoc among SMBs.