SMEs most vulnerable in ransomware attacks, damage goes beyond costs: Experts

SMEs most vulnerable in ransomware attacks, damage goes beyond costs: Experts

SINGAPORE: For Jasmond Heng, the owner of a shop that sells nuts and edible oil, news of the WannaCry ransomware attack during the weekend brought back painful memories.

“My entire accounting system was locked up, and the heart of my company was lost overnight. We did not know what to do,” he said.

A ransomware hit his company, Nuts n Co, in October last year, just as they were submitting critical financial information to the authorities. Mr Heng said a message appeared on the computer - similar to what was seen by victims of the latest WannaCry attack - requesting for the transfer of money in the form of Bitcoin.

He said he took the hard drive to Sim Lim Square where he hoped IT experts could help retrieve the information. But Mr Heng was told those chances were slim, even if he paid the ransom, which was now amounting to thousands of dollars. He decided against paying ransom.


The WannaCry attacks have thrown ransomware to the forefront of global attention, due to the speed and scale with which it affected companies and essential institutions.

But experts say attacks such as the one Mr Heng experienced have been happening for a while. According to EY’s global advisory cybersecurity leader Paul van Kessel, 4,000 such attacks occur globally every day, whether they are successful or not. Mr van Kessel said this number has grown 170 times compared to what was seen just three years ago.

“When you look at this WannaCry (attack), it is difficult to estimate the real fallout,” he said. “The estimates we are seeing now is about US$50,000 in paid ransom money. It’s not a lot but the total damage is estimated at hundreds of millions of dollars. If you take the business outage into consideration, you get to US$4 billion. One attack takes out a lot of economic value.”

EY said while there are no hard figures, anecdotal evidence suggests that local small- and medium-sized enterprises (SMEs) have been hit, although the impact has been limited compared to that experienced in other countries. With more awareness about WannaCry, it anticipates that the rate of those affected would drop significantly.

But unless they take action, EY said SMEs will be especially vulnerable to variants of the ransomware because they do not have the resources that big companies do when it comes to protecting themselves against cyber security breaches.

Nick Savvides, Symantec's security advocate for Asia Pacific and Japan, gave the example of an air conditioning cleaning business in Australia that had its customer records wiped out. “They didn’t know who was paying them, which bill they had outstanding. It was a terrible situation for them,” he said. In the end, Mr Savvides said the business paid the ransom to get its files back.

Mr Savvides said the impact of a ransomware attack could reverberate beyond just profit.

“A big company can afford to take a hit - they would typically have cyber security insurance,” he said. “SMEs don’t have that. If a business in Singapore is selling stuff to citizens in the European Union - from next year, if they lose those citizens’ data if they get hacked, they are liable for penalties under European law. That’s a big thing.”


Experts say much of the preventive action SMEs can take is already available. “Ninety-nine per cent of the vulnerabilities used in cyberattacks are already known for a year … but organisations are often slow to react,” said Mr van Kessel.

He reminded companies to patch their systems immediately. Microsoft, for instance, has released security updates for older versions of its Windows platforms that have not been supported since 2014.

EY’s advisory partner Steve Lam said a ransomware attack can also install a "backdoor" to the system even after one has paid a ransom and successfully decrypted files. “The hacker can use this to come back at any point in time,” he said. “Decrypting files does not get rid of the backdoor. You still need to go thru a full systems recovery after you get your files back, so it’s important to have a backup.”

In the case of Mr Heng, his backup was attached to the computer when the ransomware attack happened, resulting in another loss. Fortunately, he had sent a file to his accountant days before the attack, so he was able to retrieve some information.

The attack, though painful, was a good learning experience for his small company supported by five staff. Mr Heng said it took six months to migrate to a cloud-based system. He also installed an antivirus software and firewall that offered better protection. 

“The new (cloud-based) system, plus firewall cost as much as US$15,000 but there is no choice. We learned the hard way. It’s an amount you need to spend otherwise you could lose an even bigger amount through the losses,” Mr Heng said.

But with ransomware expected to increase in frequency and complexity, security experts say SMEs may need the help of more advanced predictive technologies as the first front against attacks.

In the wake of the WannaCry attack, Darktrace, a company that offers protection through its artificial intelligence technology said it has seen “a massive” demand for its services. In fact, its technology is said to have detected and contained the attack “within seconds” of it emerging on some of its clients networks.

Symantec’s Mr Savvides also said its technology was able to prevent most infections from getting into customers’ emails and preventing it from spreading. He said the company has received a lot of questions from both affected and non-affected customers.


Mr Heng said he was at a loss as to what actions to take when the ransomware attack hit, but the latest WannaCry breach has brought more awareness to the security threat. Indeed, SMEs Channel NewsAsia spoke with said they have renewed efforts to engage staff on what to do when faced with unfamiliar content.

Director of Triangle Auto, Michael Wong, said his head of department spoke to staff, informing them to be careful about opening emails. The company was also a victim of a ransomware attack early last year.

But experts said user education needs to be comprehensive. “It needs to cover how to spot a phishing email, how to spot bad files, what is considered safe practice online - what to look for at a phishing site and how to make sure their computer is kept up to date,” Mr Savvides explained. 

He said staff also need to be encouraged to report if they are victims of a phishing attack, instead of them feeling ashamed and keeping quiet about it.


Experts said as technology permeates every aspect of one's life, the risk of such attacks on devices beyond desktops and laptops becomes more of a concern. This especially with countries like Singapore pursuing smart nation initiatives. 

"With the Internet of Things and Smart Nation (initiatives), a lot more devices are going to have IP addresses," Mr Lam said. "Very soon, your fridge could be on the Internet as well as your set-top boxes. We have baby (monitoring) cameras - no one thinks that we need to update the software in case of vulnerabilities.

"But as it has been proven, all of these webcams do contain vulnerabilities that can be exploited and can give attackers remote access control. So from a smart nation perspective, if these devices are not properly secured, they can be used as as jumping points for an attack." 

Mr Savvides said while it is important to pursue the opportunities afforded in pushing for a smart nation, it is important to ensure there is adequate security.

"A lot of these devices don’t have the security hygiene out of the box to be safe without the user doing something," he said, adding that this is where consumers can pressure their vendors and manufacturers to come up with improved devices that can be protected against vulnerabilities. 

Source: CNA/mo