Ransomware Misconceptions: Why Ransomware Is a Risk to Every Business, Not Just Big Companies

Thanks to the never-ending stream of headlines about ransomware attacks, it’s very likely that you’ve at least heard of ransomware by now. And yet, if you’re like many people, it’s also likely that you harbor more than a few misconceptions about ransomware.

In particular, you may think of ransomware as someone else’s problem. Unless your business has actually suffered a ransomware attack, you may believe that ransomware is really only a threat to other types of companies that have more complex IT systems or more valuable data to steal.

The reality is more sobering. Although the ransomware attacks you hear about most frequently in the news — like the Colonial Pipeline breach of the CNA Financial hack — tend to involve large, high-profile targets, the fact is that businesses of all sizes, and across all industries, are being targeted by ransomware. Indeed, according to a 2020 survey, 46 percent of small businesses have suffered ransomware attacks — and in 70 percent of cases, they paid the ransom.

All of the above is to say that, if you’re stuck in a mindset in which ransomware doesn’t seem like a serious threat to your business, it’s time to snap out of it. To prove the point — and provide some guidance on how to shift your perspective — this article walks through seven common misconceptions about ransomware and why they’re wrong.

Misconception 1: Ransomware only affects large organizations

Again, it’s easy to fall into the trap of thinking that ransomware usually only impacts large companies. Not only are high-profile ransomware victims the ones you usually hear about, but it may also seem reasonable to assume that ransomware attacks wouldn’t bother targeting smaller companies that have fewer assets.

But as we’ve already noted, the data shows that small companies, too (not to mention medium-sized businesses) are very frequently targeted by ransomware. That’s particularly true given that innovations like Ransomware-as-a-Service have made it very easy for threat actors to launch attacks. As a result, attackers no longer have to focus on carefully planned attacks against big targets. They can just as easily barrage small and medium-sized organizations with malware designed to elicit ransoms.

Put another way, ransomware has become sort of like spam email: It’s so easy to create that it is now being directed at everyone and everything.

Misconception 2: My systems are too simple to be targeted

Another common misconception is that ransomware only impacts complex IT systems. If you run just basic servers and desktops, you may believe that your IT estate is too simple to fall victim to sophisticated ransomware exploits.

The reality, however, is that most ransomware attacks aren’t very technically sophisticated. The most common ransomware attack vectors include techniques like malicious email attachments and the targeting of unpatched software applications — vulnerabilities that exist in even the simplest of IT environments.

Thus, there is no such thing as an IT estate that is too basic to be breached by ransomware. Even if you don’t use complex technologies like the cloud or virtualization, it’s very likely that the bad guys can find plenty of open doors into your systems.

Misconception 3: Ransomware doesn’t affect personal computers

Along similar lines, it may be tempting to assume that ransomware only targets “backend” systems and infrastructure, like the servers you find in a data center. Personal computers may seem immune, either because they aren’t important enough to target or because their antivirus software keeps them secure.

It may be true that breaching a PC alone isn’t a particularly alluring target for ransomware attackers. After all, most companies wouldn’t pay a ransom just to recover an individual PC.

But PCs can serve as excellent beachheads that allow attackers to gain control of the rest of a company’s IT infrastructure. And indeed, ransomware designed specifically to target PCs is out there.

Misconception 4: Ransomware is only a threat on Windows

You may know that Microsoft Windows operating systems power the vast majority of PCs, as well as many servers. You may also know that, historically, attackers usually designed malware to target Windows, due to its overwhelming market share.

Those days are over. Although it’s true that the majority of malware is designed to exploit Windows systems, a decent minority — about 12 percent — targets other types of systems, including Macs and mobile operating systems.

Indeed, even Linux PCs — once seen as being virtually immune to breaches simply because the number of PCs running Linux has never been more than one or two percent, making Linux an uncompelling target — are now being hit by ransomware.

Misconception 5: Few people actually pay the ransom

A business that prepares for ransomware risks by backing up its data regularly and implementing plans for rapid recovery should never have to pay a ransom. In theory, this type of preparation is easy enough to execute, and so you might assume that few companies actually pay ransoms when they are attacked.

In fact, the vast majority of businesses — about 83 percent — end up paying ransoms to restore their operations. That’s a clear indicator that most businesses fail to prepare fully for ransomware threats.

Misconception 6: Data backups alone protect against ransomware

Part of the reason why some businesses end up paying ransoms is that they mistakenly believe that simply backing up their data is sufficient to protect against ransomware risks.

In reality, data backups are just one step toward ransomware readiness. Equally important is having a plan in place for restoring data and recovering or replacing breached systems quickly. Having data backups on hand is not very useful if it takes you weeks or months to put your infrastructure back together because you lack a plan for rapid recovery following a breach.

It’s important, too, to be sure to back up all of your data. Some businesses make the mistake of only backing up business data (like sales records and customer directories) without also backing up the technical data (like configuration files and file systems or images) that is necessary for quick recovery of failed systems.

Misconception 7: Ransomware can only strike once

Unlike lightning, ransomware can — and, for many businesses, does — strike multiple times. Just because you’ve been breached once doesn’t mean attackers won’t come back for more.

In fact, the opposite may be true. If attackers know your systems were successfully exploited once, they have good reason to assume that you lack a strong security posture and can be breached again. Even if you have closed the door through which they got in the first time, they can launch new types of attacks that exploit vulnerabilities you haven’t addressed.

Conclusion

Ransomware is never someone else’s problem. No matter which type of technologies you use, how large your business is, what your business does or whether you’ve already been hacked, ransomware is a clear and present danger to you. Protecting against it means building a comprehensive plan that identifies and mitigates your vulnerabilities, while also implementing a data backup and recovery strategy to minimize the risk of having to pay a ransom in the event that a successful breach occurs.