The overwhelming majority of small and medium-sized IT service providers in Europe have been hit by a ransomware attack in the past 12 months, according to a new survey by data protection firm Datto.
Of the service providers surveyed, 87% said their customers had been hit by a ransomware attack within the past year, and 40% of respondents reported multiple attacks during that time.
The average ransom demanded was between £500 (approximately €580) and £2,000 (€2,300), but in 15% of reported cases, the demand was in excess of that. Nearly half (47%) said that, although they paid the ransom, they still lost the data that had been encrypted by the attackers.
It’s a crime – contact the law
Ransomware attacks are a crime just like burglary or extortion, but only 40% of ransomware victims reported the incident to the authorities.
Although it is understandable that organisations don’t want to be viewed as weak or vulnerable, or to mark themselves as targets for future attacks, people need to be made aware of how ransomware repeatedly manages to infiltrate systems.
Current defences against ransomware aren’t working. Last year, security software firm Barkly reported that every single respondent that was hit by a ransomware attack was running antivirus software at the time. Victims also reported that:
- 95% of attacks bypassed firewall(s)
- 77% of attacks bypassed email filtering
- 52% of attacks bypassed anti-malware
Without enough evidence of how ransomware exploits security gaps, preventative software and technologies can only go so far.
Meanwhile, law enforcement agencies that tackle cyber crime – such as Europol’s cyber crime arm, the European Cybercrime Centre (EC3) – are only receiving a partial picture of the cyber crime industry.
This means other potential victims are not being made aware of new ways in which criminals are infiltrating systems, and the criminals whose actions go unreported are free to strike again.
As a result, the ransomware industry is growing rapidly – and it’s small and medium-sized enterprises (SMEs) that are the most vulnerable.
Raise awareness of attacks
Ransomware attacks pose the most imminent threat to many organisations, not least because of their use in phishing scams. According to a recent study, 97% of phishing emails delivered ransomware.
With organisations potentially receiving hundreds of emails every day, it only takes one malicious email to slip through the system for the whole company to be vulnerable. As Datto’s survey showed, technological safeguards are far from perfect, so employees will be exposed to fraudulent emails frequently. It is up to them to be able to recognise and respond to the threats correctly.
Training your staff about cyber security threats is just as important as any other security measure. In fact, according to Datto, only 33% of attacks were successful when a company’s staff had received cyber security training.
Looking for cyber security training for your staff? Consider IT Governance’s Phishing Staff Awareness Course. Using real-life examples and practical tips, the course helps employees become an active part of their company’s cyber security strategy.