Ransomware Attacks On Small Organizations in 2023

You can protect your small business from ransomware attacks by:

  1. Providing security awareness training
  2. Implementing 3 factor authentication
  3. Microsegmentating devices and users
  4. Developing a ransomware response plan
  5. Keeping systems up to date
  6. Regularly backing up data
  7. Having a disaster recovery plan
  8. Performing red teaming or table top exercises
  9. Working with a Virtual CISO
  10. Using strong password policies and management tools

In this article, we’ll discuss the rise of ransomware and it’s impact on small business, and the latest trends and research driving these attacks.

By the end, you’ll be armed with practical and actionable steps you can take to protect yourself from becoming the next headline.

The Rise Of Ransomware On Small Business

Small businesses are often perceived as easy targets by threat actors due to their typically limited cybersecurity resources and internal expertise.

According to the State of Ransomware Report by Malwarebytes, ransomware attacks are at an all-time high. 

In just four countries—the US, Germany, France, and the UK—1,900 ransomware attacks were recorded in one year.

In the US alone, there was a 75% increase in the average number of monthly attacks.

NCC Group also released its Threat Pulse for September 2023 citing a 153% (514 victims) year-on-year increase in ransomware attacks.

North America topped the list at 258 victims with healthcare seeing the greatest increase from the previous month.

Ransomware As A Service Is Growing

Ransomware as a Service (RaaS) is a business model where cybercriminals sell access to ransomware.

The developers of the malware create and maintain the ransomware software and then lease it out to other criminals, typically through a subscription or profit-sharing model.

According to a Trend Micro report, there was a 47% increase in new RaaS victims in the first half of 2023 with small businesses being the primary target.

On December 7, 2023 the FBI in coordination with the Department of Justice and other international agencies, issued a search warrant to seized control of BlackCat’s Tor-based leak website.

As of December 20, 2023 the threat actors unseized the website leveraging a signing key that enables them to assign the .onion address to a new server.

The attackers have now vowed to retaliate saying that no one is off limits. Previously, it was stated that they would not attack critical infrastructure (e.g. nuclear power plants) and hospitals.

Other notable ransomware groups in 2023 include:

How Does Ransomware Impact Small Businesses?

The average cost of a data breach to small businesses ranges from $120,000 to $1.24M.

However, the total average cost worldwide has been reported to be at an all time high of $4.45M in 2023, up 15% in the previous 3 years.

Beyond the ransom demands the cost of a data breach may include:

  • Higher insurance premiums.
  • Damage to reputation and loss of IP.
  • Employee hours spent resolving the breach.
  • Burnout and churn from IT and cybersecurity staff.
  • Hiring firms specializing in incident response or crisis management.

These costs may exceed $100,000s in addition to the costs due to loss of revenue and future potential investments.

Recovery from a ransomware attack is not just costly but also time-consuming. 

On average, it takes 24 days for an organization to regain a foothold on its production data following an attack.

Recent Ransomware Attacks On Small Organizations

St. Margaret's Health

St. Margaret’s Health suffered a cyber attack that led to the first known link of ransomware leading to a shutdown of operations in 2023.

This cyber attack, along with the challenges posed by the COVID-19 pandemic, severe staff shortages, and the rising costs of goods and services, created considerable hardships for the hospital.

Initially, these factors led to the temporary suspension of all acute hospital services including:

  • ICU
  • Emergency Department services
  • Obstetrics
  • Med-Surg/Peds
  • Surgeries
  • Lab
  • X-Ray
  • Other outpatient hospital services.

The hospital had initially envisioned a merger with Illinois Valley Community Hospital to enhance service delivery and financial stability. 

However, the unforeseen fiscal hardships, compounded by the cyber attack’s disruption to billing processes, necessitated exploring the conversion to a Rural Emergency Hospital (REH).

Unfortunately, additional unforeseen circumstances, including the termination of their emergency room physician provider’s contract and challenges in staffing, led to the suspension of operations at the Peru hospital.

Swansea Public Schools

Swansea Public Schools in Massachusetts experienced significant disruption due to a ransomware attack on January 3, 2023.

Superintendent John J. Robidoux announced the attack, leading to the closure of the district’s network and the subsequent cancellation of classes on January 4, 2023.

All the schools within the district were impacted, including:

  • Joseph Case High School
  • Joseph Case Junior High School
  • E.S. Brown School
  • Gardner Elementary School
  • Mark G. Hoyle Elementary School
  • Joseph G. Luther Elementary School​​​​

The swift response from the schools’ cybersecurity company and IT department was crucial, ensuring no personal student or staff information was compromised, and no cloud-based files or information were affected.

They isolated the attack within minutes and shut down the system, effectively containing the breach and removing all malicious software on their network.

It is believed that the attack occurred due to an encrypted download run within the district, though it is not thought to be a malicious act from an insider threat.

Law Foundation Of Silicon Valley

In February 2023, the Law Foundation of Silicon Valley, a California-based pro bono law firm, fell victim to a ransomware attack perpetrated by ALPHV/BlackCat ransomware group. 

The attackers gained unauthorized access to one of the Law Foundation’s servers exfiltrating sensitive data belonging to clients, including minors, as well as staff members. 

As a result, the foundation was unable to provide legal services to low-income individuals and families seeking access to social services during the breach.

In addition, the personal data of 42,525 individuals was compromised, including: 

  • Social Security numbers
  • financial account/payment card details
  • Immigration numbers
  • Medical records
  • Birthdates
  • Passport/government identification
  • Tax identification numbers
  • Driver’s license numbers
  • Credit card information

This breach of personal data significantly heightened the risk of identity theft and financial fraud for the affected individuals.

What Are The Most Common Ways Ransomware Infects Systems?

Social Engineering

According to Verizon’s 2023 Data Breach report, 74% of all breaches begin with a social engineering attack.

The Cybersecurity & Security Infrastructure Agency (CISA) defines social engineering as:

In a social engineering attack, an attacker uses human interaction (social skills) to obtain or compromise information about an organization or its computer systems.

Common online techniques include email phishing and vishing. When used independently these tactics have a success rate between 30%-37%. However, when used together in a coordinated campaign, the success rate increases to around 75%

In the case of Caesars Entertainment, they suffered a social engineering attack targeting their outsourced IT support vendor. 

Scattered Spider, the ransomware gang claiming responsibility for the attack, allegedly downloaded the personally identifiable information (PII) of more than 65M members of Caesars’ loyalty program. 

In addition, over 41,000 Maine residents’ data was exfiltrated.

Unfortunately, Caesars chose to pay the ransom for the sum of $15M

The FBI recommends that you NEVER pay the ransom as only 8% of victims manage to get back all of their data after paying a ransom.

Despite this, a survey of 350 CISOs found that more than 4 in 5 CISOs said their organization paid the ransom.

Unpatched Systems

Recent studies show 60% of breaches involve vulnerabilities for which a patch was available but not applied.

The time to identify a new vulnerability averages around 6 months, and remediation of critical or high vulnerabilities can take between 60 to 150 days.

This leaves traditional patching cadences, such as monthly or weekly, inadequate at addressing the countless new vulnerabilities disclosed every day.

The MOVEit Transfer software had a zero-day vulnerability and was exploited by the CL0P ransomware group, leading to significant data theft from MOVEit Transfer servers.

Notably, about a third of the affected servers belonged to financial service organizations. More than 2,100 organizations have been impacted by this vulnerability with an estimated total cost of $65B. 

Bypassing Multi Factor Authentication

61% of all breaches have exploited user credentials, with half of these incidents directly attributed to stolen credentials.

Multi factor authentication (MFA), particularly 2 factor authentication (2FA), is widely regarded as a robust security measure. 

However, text, voice, and even application-based methods can be easily bypassed, often by leveraging basic phishing emails to gain account credentials.

While Microsoft claims an application based authenticator can prevent 99.9% of account take overs, this method can also be bypassed.

Okta, a major identity management company, experienced a data breach impacting all customer support users.

Initially, Okta had reported that only around 1% of its customers, or 134 organizations, were affected.

It was later confirmed that the breach impacted all Okta customers, which numbered around 18,000, including prominent companies like:

  • 1Password
  • Cloudflare
  • OpenAI
  • T-Mobile
  • MGM Grande

Similarly, research has revealed how adversarial AI can manipulate audio authentication, a technique often used in voice-based 2FA.

In one case, a reporter was able to break into a bank account using AI generated voice offered by a free voice creation service from ElevenLabs.

Best Practices For Protecting Your Small Business From Ransomware Attacks

1. Provide Security Awareness Training

Employees are not only the first line of defense but also potential unintentional insider threats.

Despite the critical role of security awareness training in mitigating these risks, 1/3rd of companies do not provide training to their employees.

Unfortunately, even when security awareness training is provided, it often fails to effectively equip employees to thwart attacks. 

This inadequacy stems from various factors : 

  • The training is usually minimal.
  • Driven by compliance.
  • Only conducted annually.

The content tends to be mundane and unengaging, leading employees to rush through it without absorbing the crucial information needed to detect and respond to threats. 

This approach is problematic because 90% of the taught content is forgotten within 1 week if not practiced. 

Moreover, the challenge of delivering engaging in-person or virtual training exacerbates the situation, with many programs reduced to mere compliance checkboxes.

To counteract these shortcomings, a more robust approach is required. This involves continuous awareness training supported by the top levels of the organization. Regular training has been shown to reduce risk from 60% to 10% in the first 12 months.

Beyond basic phishing simulations, training should include custom campaigns with vishing and/or smishing, using collected data from department leaders to create the most realistic campaign possible.

Educating employees on recent industry-specific attacks and techniques through Breach Reports can also enhance their understanding and preparedness.

2. Implement 3 Factor Authentication

To prevent 99.9% of password compromises it’s recommended that you implement 3 factor authentication.

3 factors of authentication include:

  • Something you know (username/password)
  • Something you have (hardware token)
  • Something you are (biometric such as a fingerprint)

Google’s implementation of 3 factor authentication, involving a hardware token, has been a game-changer, as reported by Krebs on Security

This method adds an extra layer of security, making it nearly impossible for attackers to gain unauthorized access.

In 2023, Google took this one step further by implementing passkeys in an effort to move away from passwords as an authentication method.

3. Microsegment Devices And Users

Microsegmentation prevents ransomware by breaking down networks into smaller, more manageable zones dividing a network into smaller, isolated segments.

In contrast, a traditional flat corporate network is susceptible to ransomware as it finds open paths to spread throughout the system.

In a report of 1,200 IT and security decision makers, 93% of respondents claimed that microsegmentation is critical to help thwart ransomware attacks.

Microsegmentation implements highly specific least-privilege access controls between zones. It limits communication to only approved accounts, applications, services, and devices.

This approach restricts ransomware’s lateral movement, a common technique used to infect and encrypt multiple endpoints and servers.

If ransomware is detected within a segment, administrators can instantly isolate the affected area, preventing the infection from reaching other business areas.

4. Develop A Ransomware Response Plan

Ransomware Response Plan is a blueprint to resolve a ransomware attack. 

This sequence of steps includes the immediate identification of the attack’s extent and moving to isolate the infected systems to prevent further spread.

The plan also outlines strategies for securely communicating within the organization as well as with external stakeholders to maintain trust and manage public relations during a cyber incident.

As a result of this plan, 63% of organizations say they are successful in restoring their data when they experience a ransomware attack.

A business without a plan often finds itself unprepared, leading to prolonged operational paralysis and potential permanent data loss.

In the case of Garmin, their response to the ransomware attack was a textbook example of the plan in action. 

Garmin’s first step was to recognize the breach and swiftly assess what systems were compromised.

Following this, Garmin took affected services offline, including:

  • Website functions
  • Customer support
  • User applications.

Garmin’s response team then evaluated the impact on their data and infrastructure.

For Garmin, having a response plan allowed them to restore services and regain operational functionality with minimal impact to the business.

5. Keep Systems Up To Date

Monthly and weekly patching cadences put your organization at far greater risk to a data breach.

Instead, businesses should adopt a continuous vulnerability management program where systems are scanned and patched daily for discovered vulnerabilities. 

This significantly reduces the risk to an organization by shortening the time a known exploitable vulnerability sits on your network.

As mentioned above, threat actors are searching for the lowest hanging fruit to maximize their revenue. Systems that have known exploitable vulnerabilities are exactly what they’re searching for.

With the proliferation of automation and now AI, the entire process of encrypting an organization takes under 45 minutes, with a median time of just under 6 minutes.

6. Regularly Back Up Data

Regular data backup involves creating copies of data stored in various formats:

  • Cloud backups offer accessibility and convenience, yet they’re not immune to cyber threats that can corrupt data.
  • Physical and local backups, while readily available, can suffer from onsite risks like theft or damage.
  • Offsite backups, both stored in physical and digital formats, provide additional security but may have slower recovery times.

However, relying on a single backup method can be risky. For instance, cloud services, if compromised, can lead to restored data still harboring malware.  

Despite 92% of businesses having backups, 31% fail to restore data during a ransomware attack, often due to not implementing multiple backup methods or regular updates.

Having a multifaceted backup strategy enhances security by ensuring that if one is compromised, others remain intact.

Regular updates and testing of these backups also ensure they are free from malware and are operating as expected. 

7. Have A Disaster Recovery Plan

Having a Disaster Recovery (DR) Plan is essential given that 96% of organizations experienced at least one downtime incident from 2019 to 2022.

Despite only about half of organizations having a DR plan and around 7% never testing theirs, these components can significantly mitigate the impact of a ransomware attack.

An effective DR Plan should include:

  • Defined Tolerance for Downtime and Data Loss: Setting recovery time objectives (RTO) and recovery point objectives (RPO) helps determine your business’s tolerance for downtime and data loss.
  • A Trained DR Team: Assigns specific tasks during a crisis, managing communications and ensuring everyone knows the emergency response policies.
  • Alternative Workspaces: In the event of office inaccessibility, having remote work plans keeps the business operational.
  • Remote Access: Secure technologies like VPN and SSH ensure safe access to company data from outside the company network.
  • Secure Backups: Implementing a 3-2-1 backup strategy, where data is backed up in three different forms, two on different media, and one off-site or in the cloud, is critical for data recovery.
  • Comprehensive Testing Strategy: Regular testing of the DR plan ensures its effectiveness in actual disaster scenarios.

8. Perform Red Team Or Table Top Exercises

An alarming 70% of small and medium businesses feel unprepared for a cyberattack. Conducting Red Team or Table Top exercises may provide a solution.

In a red team engagement, an organization’s preparedness is tested against a variety of threats to identify security gaps aimed at improving its overall security posture.

In a recent report, 55% of respondents identify ransomware readiness as the most impactful benefit of Red Team exercises.

Upper management’s exclusive awareness of these simulations ensures that IT and security teams react genuinely, mirroring their response in a real crisis. 

Table Top exercises focus on how an organization’s leadership reacts to simulated attacks. 

This combination offers a thorough assessment of both the technical and procedural aspects of an organization’s cybersecurity readiness.

9. Work With A Virtual CISO

Working with a virtual CISO (vCISO) is a strategic decision for small businesses to strengthen their security posture. 

vCISOs deliver high trust and deep experience, bringing a broad range of proficiencies and historical knowledge across industries. 

A key responsibility of a vCISO is to design and implement effective response plans, ensuring that they are regularly reviewed and tested for readiness against security incidents, such as ransomware.

By collaborating with internal security teams, a vCISO provides insights into cybersecurity risks and enables management to make informed, data-driven decisions.  

In addition, a vCISO is a cost effective resource, fulfilling security leadership roles without the administrative hurdles and costs of hiring a full-time employee.

10. Use Strong Password Policies And Management Tools

Threat actors frequently exploit weak passwords to gain access to key systems and then deploy malware onto systems to gain full control.

Password dumper malware, a type of malicious software designed to extract and steal passwords stored on a victim’s computer or network, was responsible for 40% of malware-related breaches in 2020.

Once threat actors have escalated their privileges and lock out admin access, they can begin to encrypt your data and demand a ransom payment.

Developing a strong password policy is one layer of security that can help prevent initial access to your account. However, social engineering techniques can easily bypass these methods.

With that said, it’s recommended that your organization enforce strict password policies including:

  • Use of complex passwords with a minimum length.
  • Regularly changing passwords every 60 to 90 days.
  • No use of personal information such as birthdays or names.
  • No use of common words or phrases like password or 123456.
  • Avoiding the reuse of passwords across different accounts.
  • Preventing reuse of the last 5 or 10 passwords.
  • Developing a secure password reset procedure.
  • Maintaining a blacklist of prohibited passwords.

Password managers, like Dashlane Business, can help simplify the administration and enforcement of these policies across systems and use some of the highest encryption standards to prevent access from threat actors.

Rise Of Cyber Attacks On Small Business​

How SecureTrust Protects Small Businesses From Ransomware

SecureTrust addresses ransomware protection and prevention for small businesses through an affordable subscription-based model.

Implementation is easy with a 10 minute setup designed to get you back to work while seamlessly protecting your organization 24/7.

These services are fully managed by DoD trained experts who work with your business to monitor, detect, respond, and proactively hunt for threats on your network.

Extended Threat
Protection (XTP)

$ 50

Monthly subscription
(per device)

Helios Cloud™
Enterprise Security

$ 60

Monthly subscription
(per device)
Best Value

Our Extended Threat Protection (XTP) services provide 3 factor authentication proven to reduce credential threat risk by 99.9% while reducing IT support tickets by 75% by simplifying password policies.

Our microsegementation solution leverages Secure Access Service Edge (SASE) technologies delivered through Helios Cloud™ to provide comprehensive network security.

Finally, SecureTrust takes a continuous approach to vulnerability management ensuring all network connected devices, whether onsite or remote, are up to date with the latest security patches. 

With SecureTrust, small businesses can confidently navigate the complex landscape of cybersecurity, ensuring your data and operations are safeguarded against the growing threat of ransomware.

Related Content

Secure Your Digital Future with Helios by SecureTrust

Protect your business with Helios by SecureTrust, the ultimate solution for comprehensive cybersecurity. Helios offers cutting-edge features to safeguard your network, enhance productivity, and ensure compliance.

Ready to elevate your security?

Discover Helios Today

  • Explore Helios’ advanced features designed to meet your unique business needs.
  • Schedule a personalized meeting and see Helios in action.
  • Consult with our experts to build a tailored security strategy.

Don’t compromise on security. Protect your business with Helios.

Learn More