Reality of ransomware attacks

Despite many companies maintaining a "do not pay" policy for ransomware attacks, most find themselves with little choice due to the significant disruption these attacks cause to their operations.

A study commissioned by the cybersecurity firm Cohesity revealed that the majority of companies targeted by ransomware last year ended up paying the cybercriminals. In Malaysia, 76% of the affected companies made payments, compared to 64% in Singapore.

The Data Security Survey Research, which surveyed 504 IT decision-makers across various companies, found that 77% of Malaysian companies and 65% of Singaporean companies had experienced some form of ransomware attack in the past six months.

The ransoms paid are substantial, with 54% of Malaysian companies (and 47% of those in Singapore) paying between US$100,000 and US$499,999 (RM468,500 and RM2.34 million) to recover their data. Additionally, 27% of Malaysian firms (and 36% of those in Singapore) paid over US$500,000 (RM2.34 million).

Furthermore, 74% of Malaysian respondents indicated their companies would be willing to pay over US$1 million (RM4.68 million) to restore business operations after an attack, with 22% willing to pay more than US$5 million (RM23.42 million). In Singapore, 59% of respondents would pay over US$1 million, while 16% are willing to pay over US$5 million.

A significant majority (97% in Malaysia and 91% in Singapore) of these companies reported an increase in cyber threats this year and expect the situation to worsen throughout 2024.

Gaps in goals

Cohesity global cyber resilience strategist James Blake said this is an unfortunate reality for those suffering destructive cyberattacks that threaten business continuity.

“However, organisations can face this reality head-on by enhancing their cyber resilience – the ability to rapidly respond and recover from cyberattacks or traditional business continuity scenarios – by adopting modern data security, response, and recovery capabilities.

“It’s not earth-shattering that organisations are being hit with cyberattacks,” Blake said in a statement, emphasising that the big concern is that firms are breaking their “do not pay” policies because they either can’t recover their data and restore business processes, or overestimate their cyber resilience capabilities.

However, maintaining cyber resilience is a major challenge, as organisations have to contend with the rapid evolution of the threat landscape.

In the event of a cybersecurity incident, only 1% of Malaysian firms (5% of Singaporean companies) say they would be able to recover data and restore business processes within 24 hours.

This is despite 97% of respondents stating that their targeted optimum recovery time objectives (RTO) to minimise business impact are within a day.

Setting a high standard

In a separate study, cybersecurity firm Kaspersky claimed to have blocked 2.5 million “local threats” – cybersecurity risks that originate from within or directly affect a specific computer or network, including those introduced through infected files or removable media.

It also blocked 26.8 million online threats targeted at businesses throughout last year, highlighting the need for continued investment in cybersecurity to shore up defences.

Businesses in Malaysia are in dire need of beefing up their cybersecurity posture against the escalating threats online and offline.

“The lack of focus and care for strong security protection renders companies very susceptible to cyber threats, more so for those with hybrid and remote work arrangements. This can lead to costly financial and reputational damages in the event of a major attack.”

Meanwhile, Cohesity’s Blake stressed that companies meeting the minimum isn’t enough when it comes to formulating cybersecurity strategies.

“Cyber resilience is non-negotiable because the motivation of attackers is so high and attack surfaces are so wide, a complete belief in protective controls is unrealistic.

“Successful cyberattacks and data breaches severely impact business continuity, including revenue, companies’ reputations, and customer trust. This reality should keep business leaders, not just IT and security leaders, awake at night.

“Regulation and legislation should not be the ‘ceiling’, but instead a high ‘floor’, in developing cyber resilience and adopting data security best practices or capabilities,” Blake said.

For more information, visit our website vulsanx.com or email us [email protected]