
Ransomware. The word alone strikes fear into the hearts of business owners, and for good reason. These insidious cyberattacks can cripple operations, encrypt critical data, and demand hefty payments, often leaving businesses in ruin. While large enterprises make headlines, Small to Medium Businesses (SMBs) are, in fact, prime targets. Let’s peel back the layers of how ransomware operates and why your SMB is so vulnerable.
The Entry Point: Where Ransomware Begins
So, how does ransomware typically find its way onto your computer or network? The most common methods include:
- Phishing Emails: This is by far the leading culprit. A staggering 90% or more of successful cyber attacks start with a phishing email. These emails are cleverly crafted to trick recipients into clicking malicious links, opening infected attachments, or revealing sensitive information. They often mimic legitimate sources, making them incredibly difficult to detect without proper training and tools.
- Malicious Websites/Drive-by Downloads: Visiting a compromised website can silently download malware onto your system without your knowledge.
- Exploiting Software Vulnerabilities: Cybercriminals constantly scan for unpatched software vulnerabilities in operating systems, applications, and network devices. Once a weakness is found, they can exploit it to gain unauthorised access and deploy ransomware.
- Remote Desktop Protocol (RDP) Attacks: Weak or exposed RDP connections are a common vector. Attackers can brute-force their way in or use stolen credentials to gain remote access to your systems.
- Compromised Credentials: If an attacker gets hold of your login details (e.g., from a data breach on another service), they can use these to access your network.
The Patient Predator: Why Bad Actors Take Their Time
Once a bad actor gains initial access, they rarely immediately launch their ransomware attack. Instead, they often demonstrate remarkable patience, meticulously planning their next moves. They’ll lay low, aiming to avoid detection, especially from security logs, which they’ll often delete to cover their tracks. This reconnaissance phase can be extensive.
There have been documented cases where the initial breach occurred six months prior to the actual ransomware attack. During this time, the attackers research your network, identify valuable data, understand your business operations, and locate potential backups, all to maximise the potential damage and ensure the highest possible ransom payment.
The Lateral Movement: Expanding Their Foothold
Having gained a foothold, bad actors will typically try to move laterally within your network. Their objective is to discover the main areas where your crucial data is stored. This could be:
- Local servers or storage devices: Traditional on-premise infrastructure remains a prime target.
- Cloud storage: Increasingly, businesses rely on cloud services like Google Drive, SharePoint, and Dropbox. Attackers know this and will actively seek to compromise these accounts to encrypt your cloud-stored data.
A recent example of a significant ransomware attack is the Ingram Micro disclosure, as reported by CyberDaily.au, with SafePay claiming responsibility. This highlights that even large, well-resourced organisations are not immune.
The Ransom: A Lucrative (and Unreliable) Business
Ransomware is incredibly effective from the cybercriminal’s perspective, largely because cybercrime is big business. At a recent Fortinet SecOps Summit, it was shared that if cybercrime were a country, its GDP would be around $10 trillion today, projected to hit $13 trillion by 2031. That would make it the 3rd largest economy in the world, behind only the US and China.
So, how often are bad actors paid the ransom? Recent data suggests a concerning trend.
- 71% of ransomware victims end up paying the ransom (IBM X-Force Threat Intelligence)
- But only 63% of those who paid successfully recover all of their data (Sophos 2024 Ransomware Report)
Even more concerning, cyber criminals will often specifically look for your cyber insurance policy. They will find out how much you are insured for and set this amount as the ransom payment. They understand that the insurer will likely pay for it, allowing them to maximise their earnings.
The Australian SMB Landscape: A Dire Situation
The impact on Australian SMBs is particularly severe. Australian businesses reported 67,500 cyber attacks in the last financial year, equating to one attack every eight minutes. Alarmingly, 60% of SMEs who experience a data breach will close their doors within a year. This underscores the urgent need for robust cybersecurity.
For more on the ransomware reporting landscape in Australia, be sure to read our recent blog: https://sentry.cy/2025/06/23/australia-ransomware-reporting/
Your Ransomware Protection Checklist: Prevention, Detection, and Response
There is no “silver bullet” that can provide adequate protection against ransomware. It will always be a layered security approach covering your cloud apps, local devices, and staff awareness. Here’s a comprehensive checklist:
Prevention:
- Strong Secure Email Gateway: As phishing is the primary entry point, a powerful secure email gateway is crucial. We highly recommend Ironscales, which boasts an impressive claim of stopping 99.7% of threats from reaching your mailbox. Standard email services like Gmail, while excellent for productivity, do not have adequate built-in filters to combat sophisticated phishing attempts, so a stronger solution is essential.
- Cyber Awareness Training & Phishing Simulation: Even with the best technology, human error remains a significant vulnerability. Regular cyber awareness training combined with phishing simulations (https://sentry.cy/cyber_security_training/) helps your staff recognise and report suspicious emails, turning them into your first line of defense.
- Least Privilege Principle: Ensure staff do not have administrator privileges on their devices unless absolutely necessary. This significantly hinders the installation and spread of malware, since installing and spreading it typically requires elevated permissions.
- Application Control: Restrict staff from installing applications themselves. Implementing application whitelisting or control ensures that only approved and trusted software can run on your systems. This dramatically reduces the risk of malicious applications, including ransomware, being introduced. Even within Google Workspace, you can manage the Chrome browser environment to allow only whitelisted applications and Chrome extensions, providing an additional layer of control.
- Robust Endpoint Security: Implement a managed security endpoint solution that includes:
  - AV (Antivirus): For comprehensive threat detection.
  - Patch Management: Keep all operating systems and applications up-to-date to close known vulnerabilities.
  - Endpoint Detection and Response (EDR): Provides advanced threat detection, investigation, and response capabilities on endpoints.
- Adherence to Cybersecurity Frameworks: Implement a recognised cybersecurity framework such as SMB1001 or the Essential Eight. These frameworks provide a structured approach to improving your cybersecurity posture.
Detection:
- Ransomware Detection Software: Deploy specialised software designed to detect the unique behaviours and indicators of ransomware attacks in real-time.
- Managed Detection and Response (MDR) SOC: A 24/7 Managed Detection and Response (MDR) Security Operations Centre (SOC) is vital. These teams constantly monitor your network for suspicious activity, providing rapid detection and analysis that many SMBs lack in-house.
- Security Information and Event Management (SIEM): A SIEM solution is incredibly helpful. It aggregates and analyses log data from various sources across your network, providing a secure and centralised location for logs. This rich data is invaluable during an incident response, allowing us to understand what happened, which computers and services were accessed, and what actions the attacker took.
Response:
- Solid Incident Response Plan (IRP): A well-defined and regularly tested Incident Response Plan is paramount. This plan outlines the steps your organisation will take in the event of a cyber incident, minimising downtime and damage.
- Malware Analysis Expertise: Having access to skilled technical resources who can analyse the malware involved in an attack is crucial. This allows you to understand the specific commands and objectives of the ransomware, aiding in effective remediation. At Sentry Cyber, our senior cybersecurity engineers are certified in malware analysis, providing invaluable expertise when you need it most.
Protecting Your Google Workspace: A Specialist Approach
As specialists in Google Workspace, we understand its critical role in your business. Yes, Google Workspace can absolutely be affected by ransomware. Often, staff use Google Drive Sync tools that regularly synchronise local files to the cloud. Once these local files are encrypted by ransomware, the encrypted versions can quickly sync to your Google Drive, rendering your cloud data unusable.
We strongly recommend third-party software like Spin.ai for Google Workspace protection. Spin.ai is capable of:
- Detecting sudden and anomalous changes to Google Drive data, which can indicate a ransomware attack in progress.
- Stopping further encryption by identifying and halting the malicious synchronisation.
- Suspending compromised Google Workspace users, preventing further spread of the ransomware.
- Providing rapid and granular recovery of your Google Workspace data from secure backups.
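As an added illustration of the "sudden and anomalous changes" heuristic (this is not Sentry Cyber's or Spin.ai's code), the script below runs a sliding-window burst detector over constructed Google Drive change events: a user whose change rate exceeds a threshold is flagged, and the changed files carrying ransomware-style extensions are counted. The log format, window, threshold and extension list are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample Drive change events: "ISO-timestamp,user,file-name".
# "alice" shows a ransomware-style sync burst (25 renames to .locked in under a
# minute); "bob" shows normal daily editing.
SAMPLE_LOG = [f"2025-07-01T09:00:{i:02d},alice,report{i}.docx.locked" for i in range(25)] + [
    "2025-07-01T09:10:00,bob,budget.xlsx",
    "2025-07-01T11:30:00,bob,notes.txt",
    "2025-07-01T14:05:00,bob,budget.xlsx",
]

RANSOM_EXTENSIONS = (".locked", ".encrypted", ".crypt")  # assumed sample list
WINDOW = timedelta(minutes=5)   # assumed: sliding window over which changes are counted
THRESHOLD = 20                  # assumed: changes per window that raise an alert


def parse_log(lines):
    """Turn 'timestamp,user,name' lines into (datetime, user, name) tuples."""
    events = []
    for line in lines:
        ts, user, name = line.split(",", 2)
        events.append((datetime.fromisoformat(ts), user, name))
    return events


def detect_bursts(events, window=WINDOW, threshold=THRESHOLD):
    """Return {user: (peak_changes_in_window, ransom_extension_count)} for every
    user whose change count inside some sliding window reached the threshold."""
    per_user = defaultdict(list)
    for ts, user, name in events:
        per_user[user].append((ts, name))
    alerts = {}
    for user, evs in per_user.items():
        evs.sort()
        start = 0
        for end, (ts, _) in enumerate(evs):
            # advance the window start until it lies within `window` of this event
            while ts - evs[start][0] > window:
                start += 1
            count = end - start + 1
            if count >= threshold and count > alerts.get(user, (0, 0))[0]:
                renamed = sum(1 for _, n in evs[start:end + 1]
                              if n.lower().endswith(RANSOM_EXTENSIONS))
                alerts[user] = (count, renamed)
    return alerts


if __name__ == "__main__":
    for user, (count, renamed) in detect_bursts(parse_log(SAMPLE_LOG)).items():
        print(f"ALERT {user}: {count} changes within {WINDOW}, {renamed} with ransomware-style extensions")
```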
The Path Forward: Layered Security and Proactive Measures
In conclusion, there is no single “silver bullet” that can provide adequate protection against ransomware. It will always be a layered security approach covering your cloud applications, local devices, and, crucially, your staff awareness.
We recommend conducting annual risk assessments. These assessments can expose all of your vulnerabilities, allowing you to create a comprehensive roadmap to remediate them effectively.
To help you get started, we offer a complimentary cyber security workshop (https://sentry.cy/security-assessment/complementary_cyber_security_workshop/). In this workshop, we can identify the “tip of the iceberg” issues within your current security posture and provide tailored recommendations on how to remediate these, as well as advise on which cybersecurity framework would be most suitable for your organisation. Don’t wait until it’s too late; protect your business today.