In this article, we will discuss the impact of ransomware on businesses and explain the specific methods of propagation for these attacks.

We will also provide concrete, actionable steps to protect yourself and your business from these escalating threats.

Ransomware attacks on small businesses are increasing

Ransomware remains the top threat to businesses of all sizes worldwide.

The average cost of a data breach for small businesses ranges from $ to $ million, with the global average total cost reaching a record high of $ million in , and the average ransomware demand being $ million.

These costs can be direct or indirect, on top of recovery costs that run into the tens of thousands of dollars:

▪︎ Paying the ransom.

▪︎ Direct economic loss.

▪︎ Time spent by employees resolving the breach.

▪︎ Hiring a company specializing in incident response.

▪︎ Loss of customer revenue.

▪︎ Higher insurance premiums.

▪︎ Penalties for non-compliance.

Small and medium-sized enterprises are common targets for ransomware groups, with the number of ransomware attacks increasing by % in the first half of the year.

What are the most common methods of ransomware propagation?

Social Engineering

According to the data breach report, % of breaches are caused by social engineering attacks.

The Cybersecurity and Infrastructure Security Agency (CISA) defines social engineering as:

In social engineering attacks, the attacker exploits human-computer interaction (social skills) to obtain or steal information about an organization or its computer systems.

Common online techniques include email phishing and voice phishing.

The success rate of these strategies individually ranges between %-%. However, when used together in a coordinated campaign, the success rate increases to around %.

Caesars Entertainment ( ), for example, experienced a social engineering attack targeting its outsourced support supplier.

The ransomware gang claiming responsibility for the attack allegedly downloaded the personal identity information () of over million members of the Caesars loyalty program.

Additionally, data of over , Maine residents was compromised.

Unfortunately, Caesars chose to pay the ransom of $100,000.

Suggestion: You should never pay the ransom, as only % of victims are able to recover all their data after payment.

Despite this, a survey of [number] [group] found that more than four-fifths of them reported that their organizations paid the ransom.

Unpatched systems

Threat actors seek the easiest targets in order to maximize their revenue, and systems with known exploitable vulnerabilities are exactly what they are looking for.

Recent research indicates that % of breaches involve vulnerabilities for which patches already exist but have not been applied.

The average time to discover a new vulnerability is approximately months, while fixing critical or high-risk vulnerabilities may take days to weeks.

Traditional patching cadences (such as monthly or weekly) are insufficient to address the countless new vulnerabilities disclosed daily.

With the proliferation of automation and artificial intelligence, the entire process of encrypting an organization can be completed in less than minutes, with a median time of less than minutes.

Instead, businesses should adopt a continuous vulnerability management program that scans for and patches system vulnerabilities on a daily basis.

Reducing the time that known exploitable vulnerabilities remain on the network significantly lowers the risk an organization faces.
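To make the "time a known exploitable vulnerability exists on the network" concrete, here is an added example (not code from the article or from any vendor it mentions) that takes a constructed set of scan findings and computes each finding's exposure window, which open findings have exceeded a remediation deadline, and the order in which to patch. The hostnames, the VULN-EXAMPLE ids and the SLA day counts are all made-up assumptions for the example; the point is that tracking exposure per finding is what a daily scan-and-patch cadence is measured against.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Assumed remediation deadlines in days from first detection. These are
# illustrative values for this example, not figures from the article.
SLA_DAYS = {"critical": 7, "high": 14, "medium": 30, "low": 90}
KNOWN_EXPLOITED_SLA_DAYS = 1  # anything with a public exploit goes first


@dataclass
class Finding:
    host: str
    vuln_id: str           # placeholder ids below, not real advisories
    severity: str          # critical / high / medium / low
    known_exploited: bool  # e.g. listed in a known-exploited catalogue
    first_seen: date       # first scan that reported it
    patched_on: Optional[date] = None  # None while still open


def exposure_days(f: Finding, today: date) -> int:
    """Days the vulnerability was (or still is) present on the host."""
    end = f.patched_on or today
    return (end - f.first_seen).days


def sla_days(f: Finding) -> int:
    """Deadline that applies to this finding."""
    if f.known_exploited:
        return KNOWN_EXPLOITED_SLA_DAYS
    return SLA_DAYS[f.severity]


def is_open(f: Finding) -> bool:
    return f.patched_on is None


def overdue(findings: List[Finding], today: date) -> List[Finding]:
    """Open findings whose exposure already exceeds the SLA, worst first."""
    late = [f for f in findings
            if is_open(f) and exposure_days(f, today) > sla_days(f)]
    return sorted(late, key=lambda f: exposure_days(f, today) - sla_days(f),
                  reverse=True)


def patch_order(findings: List[Finding], today: date) -> List[Finding]:
    """Queue open findings: known-exploited first, then severity, then oldest."""
    rank = {"critical": 0, "high": 1, "medium": 2, "low": 3}
    open_items = [f for f in findings if is_open(f)]
    return sorted(open_items, key=lambda f: (not f.known_exploited,
                                             rank[f.severity],
                                             -exposure_days(f, today)))


def mean_open_exposure(findings: List[Finding], today: date) -> float:
    """Average number of days the currently open findings have been exposed."""
    open_items = [f for f in findings if is_open(f)]
    if not open_items:
        return 0.0
    return sum(exposure_days(f, today) for f in open_items) / len(open_items)


# Constructed sample scan results (hostnames and ids are made up).
TODAY = date(2024, 6, 10)
SAMPLE = [
    Finding("web-01", "VULN-EXAMPLE-001", "critical", True, date(2024, 6, 3)),
    Finding("web-02", "VULN-EXAMPLE-002", "high", False, date(2024, 5, 20)),
    Finding("db-01", "VULN-EXAMPLE-003", "medium", False, date(2024, 6, 1)),
    Finding("vpn-01", "VULN-EXAMPLE-004", "critical", False, date(2024, 6, 8)),
    Finding("hr-01", "VULN-EXAMPLE-005", "high", False, date(2024, 5, 1),
            date(2024, 5, 3)),
]

if __name__ == "__main__":
    print("Patch queue:")
    for f in patch_order(SAMPLE, TODAY):
        print(f"  {f.host:7} {f.vuln_id} {f.severity:8} "
              f"exposed {exposure_days(f, TODAY):2}d (SLA {sla_days(f)}d)")
    print("Overdue:", [f.host for f in overdue(SAMPLE, TODAY)])
    print(f"Mean open exposure: {mean_open_exposure(SAMPLE, TODAY):.2f} days")
```

Feeding the real scanner export into `SAMPLE` turns `mean_open_exposure` into the metric to watch: with a monthly patch window it can only trend toward weeks, while a daily scan-and-patch loop keeps it in single digits.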

Bypassing multi-factor authentication

% of breaches involved user credentials, with half of the incidents directly attributed to stolen credentials.

Multi-factor authentication (MFA), particularly two-factor authentication (2FA), is widely regarded as a robust security measure.

However, text and voice-based authentication methods can be easily bypassed, often by exploiting basic phishing emails to obtain account credentials.

The study also indicates that adversarial AI can defeat audio-based authentication, a technique frequently used in voice-based two-factor authentication.

In one case, a journalist successfully hacked into a bank account using an AI-generated voice provided by a free voice creation service.

Although Microsoft claims that app-based authentication can prevent .% of account takeovers, app-based authentication also has vulnerabilities.

A large identity management company suffered a data breach affecting all users of its customer support system.

Initially, it was reported that only about % of customers (i.e., organizations) were affected.

It was later confirmed that the breach affected all customers, approximately , in total, including the following well-known companies:

▪︎ 1Password

▪︎ Cloudflare

▪︎ OpenAI

▪︎ T-Mobile

▪︎ MGM Grand

Supply Chain Compromise

Supply chain compromise involves infiltrating trusted software providers or suppliers in order to distribute ransomware.

In the year, the number of supply chain attacks exceeded the number of malware-based attacks for the first time, by %.

Supply chain attacks targeted , entities, affecting over , people. In comparison, malware-based cyberattacks impacted people.

By attacking key third-party service providers or embedded software components, threat actors can strategically turn a company's own partners and infrastructure into gateways for initial access or exert pressure on suppliers.

Among organizations that have been hit by ransomware attacks in the past three years, % reported that attackers contacted their customers and/or partners regarding the incident to coerce payment.

We found that % of organizations globally have experienced ransomware attacks on organizations in their supply chain, which could potentially expose their own systems to compromise.

But many organizations have not taken steps to improve their partners' cybersecurity. The first step in mitigating these risks must be to enhance visibility and control over the expanding digital attack surface.

One example of ransomware exploiting supply chain weaknesses is a critical zero-day vulnerability, numbered --.

The vulnerability affects the file transfer tool and allows attackers to access and manipulate its database.

It has been widely exploited by ransomware groups to upload and steal sensitive data, effectively compromising the security of every organization that relies on this transfer tool.

The incident was initially reported on [Month] [Day], [Year]. It escalated rapidly after the [Organization] publicly claimed responsibility for the attack, threatening to issue ransom demands to affected companies starting from [Month] [Day].

So far, over , organizations in the financial, healthcare, and education sectors have become victims of this attack. The total estimated loss from this attack has reached billion dollars.

Infected drive

Infected drives and other removable media are a simple yet effective strategy for spreading ransomware.

In the first half of the year, the number of attacks launched using infected drives tripled.

The trouble starts when a malware-infected device is plugged into a machine on an insecure network connection.

Once it is connected, the malware can execute and the encryption process can begin.

The impact can be devastating: removable-media-based threats can cause widespread disruption to critical business operations and undermine operational technology.

The essence of this attack lies in exploiting human curiosity and trust in physical objects.

These devices are typically shared among colleagues and friends, or discovered and used out of curiosity, acting as Trojan horses that can breach security networks and bypass traditional defense measures.

According to Honeywell's Industrial Cybersecurity Threat Report, in the year, % of malware was designed to exploit or spread through.

Main Threats in Industrial Cybersecurity: Living-Off-the-Land Attacks

Threat actors also intentionally leave infected drives in public places or distribute them to unsuspecting users.

In some cases, they might even send them directly to the organization, hoping that employees will use them.
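Because the drop-and-wait tactic above depends on an employee plugging the device in, the detective control is to notice mass-storage insertions as they happen. The following is an added example, not code from the article or from Honeywell or any tool it names: it parses a constructed excerpt of Linux kernel messages in syslog format, correlates the "New USB device found", "SerialNumber" and "USB Mass Storage device detected" lines by USB port, and flags any mass-storage device whose serial is not on an approved list (or that reports no serial at all). The hostname, port numbers, vendor/product ids, serials and the approved list are all made up for the example.

```python
import re
from typing import Dict, List, Optional

# Constructed kernel log excerpt in syslog format. Hostnames, ports, ids and
# serials are made up; the message formats mirror what usb-core and
# usb-storage write to the kernel log.
SAMPLE_LOG = """\
Jun 10 09:12:01 ws-07 kernel: usb 1-1.2: new high-speed USB device number 5 using xhci_hcd
Jun 10 09:12:01 ws-07 kernel: usb 1-1.2: New USB device found, idVendor=1234, idProduct=5678, bcdDevice= 1.00
Jun 10 09:12:01 ws-07 kernel: usb 1-1.2: SerialNumber: AA11BB22CC33
Jun 10 09:12:02 ws-07 kernel: usb-storage 1-1.2:1.0: USB Mass Storage device detected
Jun 10 09:12:03 ws-07 kernel: sd 6:0:0:0: [sdb] Attached SCSI removable disk
Jun 10 09:40:15 ws-07 kernel: usb 1-1.4: New USB device found, idVendor=abcd, idProduct=0001, bcdDevice= 2.00
Jun 10 09:40:15 ws-07 kernel: usb 1-1.4: SerialNumber: CORP-APPROVED-0042
Jun 10 09:40:16 ws-07 kernel: usb-storage 1-1.4:1.0: USB Mass Storage device detected
Jun 10 10:02:44 ws-07 kernel: usb 1-1.3: New USB device found, idVendor=9999, idProduct=0002, bcdDevice= 1.01
Jun 10 10:02:44 ws-07 kernel: input: Generic Keyboard as /devices/pci0000:00/usb1/1-1.3/input/input9
Jun 10 10:15:00 ws-07 kernel: usb 1-1.5: New USB device found, idVendor=5555, idProduct=0003, bcdDevice= 1.00
Jun 10 10:15:01 ws-07 kernel: usb-storage 1-1.5:1.0: USB Mass Storage device detected
"""

# Serials of company-issued drives (constructed allowlist for the example).
APPROVED_SERIALS = {"CORP-APPROVED-0042"}

LINE_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: (?P<msg>.*)$')
NEW_DEV_RE = re.compile(
    r'^usb (?P<port>[\d.-]+): New USB device found, '
    r'idVendor=(?P<vid>[0-9a-fA-F]{4}), idProduct=(?P<pid>[0-9a-fA-F]{4})')
SERIAL_RE = re.compile(r'^usb (?P<port>[\d.-]+): SerialNumber: (?P<serial>\S+)')
STORAGE_RE = re.compile(
    r'^usb-storage (?P<port>[\d.-]+):\d+\.\d+: USB Mass Storage device detected')

Event = Dict[str, Optional[str]]


def parse_events(log_text: str) -> List[Event]:
    """Return one event per mass-storage attachment, correlated by USB port."""
    empty: Event = {"vid": None, "pid": None, "serial": None}
    pending: Dict[str, Event] = {}  # port -> details seen so far
    events: List[Event] = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # not a kernel line in the expected syslog shape
        ts, host, msg = m.group("ts"), m.group("host"), m.group("msg")
        nd = NEW_DEV_RE.match(msg)
        if nd:
            pending[nd.group("port")] = {"vid": nd.group("vid").lower(),
                                         "pid": nd.group("pid").lower(),
                                         "serial": None}
            continue
        sn = SERIAL_RE.match(msg)
        if sn:
            pending.setdefault(sn.group("port"), dict(empty))["serial"] = sn.group("serial")
            continue
        st = STORAGE_RE.match(msg)
        if st:
            port = st.group("port")
            info = pending.pop(port, dict(empty))  # a device may report no serial
            events.append({"ts": ts, "host": host, "port": port, **info})
    return events


def find_unapproved(events: List[Event], approved: set) -> List[Event]:
    """Mass-storage events to alert on: unknown serial, or no serial at all."""
    return [e for e in events if e["serial"] is None or e["serial"] not in approved]


def format_alert(e: Event) -> str:
    serial = e["serial"] or "<no serial>"
    return (f"{e['ts']} {e['host']}: unapproved mass storage on port {e['port']} "
            f"(vid={e['vid']} pid={e['pid']} serial={serial})")


if __name__ == "__main__":
    for alert in find_unapproved(parse_events(SAMPLE_LOG), APPROVED_SERIALS):
        print(format_alert(alert))
```

On a real fleet the log text comes from journald or a syslog collector rather than a string, and the alert goes to the SIEM. The preventive counterpart on Linux is to stop the driver loading at all on machines that have no business reading removable media (a `blacklist usb-storage` line in a file under /etc/modprobe.d/); Windows offers the equivalent through the Removable Storage Access group policy.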

Protect your business from ransomware attacks

Some practical methods to protect your business from ransomware attacks include:

▪︎ Provide security awareness training: give employees ongoing security training so they have the knowledge to detect and respond to threats, reducing risk from 60% to 10% within the first 12 months.

▪︎ Implement three-factor authentication: add an extra layer of protection through three factors (something you know, something you have, and something you are) to prevent 99.9% of password compromises.

▪︎ Micro-segment devices and users: divide the network into isolated segments with restricted access rights to limit ransomware's ability to spread across the whole system.

▪︎ Develop a ransomware response plan: write a plan that outlines the immediate steps for isolating the infection and restoring systems, to minimize the damage an attack causes.

▪︎ Keep systems updated: scan for and patch vulnerabilities daily to greatly reduce the chance of a vulnerability being exploited.

▪︎ Back up data regularly: use a multi-faceted backup strategy spanning cross-cloud, physical, on-premises, and off-site formats to ensure malware-free recovery options.

▪︎ Develop a disaster recovery plan: define downtime tolerance, recovery procedures, and comprehensive testing strategies to mitigate the impact of ransomware.

▪︎ Conduct red team or tabletop exercises: test incident response plans and leadership reactions to identify security gaps and improve preparedness.

▪︎ Work with a virtual Chief Information Security Officer: partner with experienced advisors to design response plans and make data-driven security decisions.

▪︎ Use strong password policies and management tools: enforce complex passwords, frequent rotation, and centralized control to prevent unauthorized access.


Author: Emma

An experienced news writer, focusing on in-depth reporting and analysis in the fields of economics, military, technology, and warfare. With over 20 years of rich experience in news reporting and editing, he has set foot in various global hotspots and witnessed many major events firsthand. His works have been widely acclaimed and have won numerous awards.
