Firms caught in ransomware should resist paying up: CSA

Singapore

HIGH-PROFILE ransomware cases have grabbed headlines in recent months and crippled businesses from all over the world. Singapore isn't spared - the number of ransomware incidents reported to the Cyber Security Agency of Singapore (CSA) rose 154 per cent in 2020 and this year's figures are on track to surpass that.

Should companies trapped by hackers just pay the ransom? CSA advises against it, said the agency's chief executive David Koh.

Hackers typically gain access to a company's devices, encrypt certain files or operating systems, and demand a ransom from the victim for their release.

"The person who locked up your computer is a criminal. In the event that you pay the ransom, there's no guarantee that they will give you what they promise," Mr Koh stressed.

In fact, studies show that businesses that coughed up money were identified as soft targets, increasing the chances of them being hit again.

A NEWSLETTER FOR YOU

Monday, 3.30 pm

Garage

The hottest news on all things startup and tech to kickstart your week.

Sign Up

"When you pay the ransom, you actually encourage these bad guys to continue their criminal activities and target more victims," said Mr Koh.

The ransomware issue has recently become a global systemic threat. Mr Koh, who is also Commissioner of Cybersecurity for Singapore, has had several conversations with his international counterparts over the past two weeks about the matter.

An attack on US-based IT company Kaseya - a tech unicorn - affected up to 1,500 businesses around the world including supermarket chain Coop, which temporarily closed around 800 stores because it could not operate its cash registers. Hackers are demanding US$70 million to decrypt affected devices.

In another incident, a hospital in Germany had to turn away an emergency patient after a ransomware attack disrupted its services. The delay in receiving care possibly contributed to the patient's death.

Cyber researchers reported that global ransomware incidents in the first half of 2020 rose more than eight times year on year, according to CSA's Singapore Cyber Landscape 2020 report released last Thursday.

In Singapore, CSA recorded 89 cases last year, up from 35 in 2019. A total of 68 cases were reported in the first half of 2021, already more than double the 31 cases reported in the first half of 2020.

Last year's incidents mostly affected Singapore's small and medium enterprises (SMEs) and emerged from sectors such as manufacturing, retail and healthcare.

It worries Mr Koh. Many SMEs are not well-equipped to deal with such threats, he said.

A 2019 survey by the Infocomm Media Development Authority found that only 42 per cent of enterprises that used the Internet had cybersecurity measures in place. And with many businesses having gone online during the pandemic, SMEs' "attack surface" have increased drastically.

"SMEs are part of the supply chain, servicing large companies and the government. If people are trying to attack a large company, they may go through an SME because the reality in this domain is that it's the weakest link," said Mr Koh.

Unlike larger organisations, SMEs might not recover as quickly after an attack. IBM Security and the Ponemon Institute's 2020 study found that the average total cost of a data breach was US$3.86 million.

Mr Koh believes that people need to translate their basic instincts in the physical domain to the cyber domain. You wouldn't allow just anyone to walk around your office, he points out.

"The challenge today is that you have the equivalent of companies or people who have lots of money lying around, but they don't secure it. We don't expect you to defend against the special forces, but you need to put in the basic level of security."

For a start, business-critical assets such as customer data should be identified and protected.

SME owners should also review their organisational and reporting structure to ensure cybersecurity issues are escalated promptly. They should also champion cybersecurity practices to instil the right culture, Mr Koh said.

In the case of Kaseya, former staff said they warned executives of critical security flaws for years but their concerns were never truly addressed, Bloomberg reported. This scenario is not unique to Kaseya.

Employees are the "first and last line of defence" for every organisation and should be well-trained in cyber hygiene practices, said Mr Koh. In the event of an attack, a business continuity plan should already be in place to minimise disruptions.

CSA is developing a set of cybersecurity toolkits to be rolled out progressively from October. They include technical tools for incident response simulation.

The agency is also working with solution providers to curate packaged cloud solutions for cybersecurity, and developing a cybersecurity certification for enterprises that will be launched early next year.

Currently, it helps victims of ransomware by either helping with restoring the system from a backup, or finding a decryption key. CSA is a partner of the "No More Ransom" project, where organisations investigate ransomware cases and sometimes hold the keys to decrypt locked systems.

It will take more of such international collaboration to fight the global ransomware outbreak. One reason is due to the rise of cryptocurrency, which facilitates ransom payments and spending that cannot be easily traced.

Mr Koh thinks that cybersecurity bodies can take reference from anti-money laundering measures that have been rooted in international cooperation.

"I think that if we can develop a similar protocol in cryptocurrency, where the cryptocurrency exchange has an obligation to know your customer, then it will disrupt this (ransomware) ecosystem. And this is not something that we can do ourselves."

READ MORE: Cybersecurity lessons from the pandemic