Ransomware targets SMBs left vulnerable by COVID-19 pandemic

The COVID-19 crisis has transformed the landscape for SMBs in the UK, and companies have had to adapt their way of working with unprecedented speed.

Ransomware targets SMBs left vulnerable by COVID-19 pandemic

The COVID-19 crisis has transformed the landscape for SMBs in the UK, and companies have had to adapt their way of working with unprecedented speed. It is estimated that the pandemic has accelerated digital transformation by around five years, but back in March, getting the tech to work was more important than getting it perfect. The urgent need to equip and enable an unexpectedly remote workforce has left small companies with vulnerable infrastructure and devices, while the closure of workplaces has hindered the ability of IT support staff to adequately monitor and manage systems the way they normally would.

Cyber-attackers have been quick to spot this and to exploit new points of weakness, from misconfigurations in cloud set-ups and remote desktop access left open to the internet, to inexperienced and anxious employees susceptible to COVID-19 themed cyber-scams. 

Ransomware has remained rampant, with one global brand after another appearing to fall prey to attacks accompanied by multimillion dollar ransom demands. But big businesses with big wallets aren’t the only targets: beneath these headline grabbing incidents, common-or-garden ransomware families have been quietly and persistently targeting SMBs. Dharma is one such family. Its success tells us a lot about the risks faced by smaller firms particularly during times of crisis.

The connected business before COVID

Back in January, we published research that looked at security practices and perceptions among SMBs. We found that many firms, especially the entrepreneurial ones established in the last five years, were actively embracing a connected, digital, cloud-enabled set up ‘ but they were not always doing so securely.

For instance, 59 percent of companies had been operational for fewer than five years allowed all employees to connect personal smartphones to the corporate network and access work files, while 44 percent of them gave external contractors full access to the corporate network. More than a quarter (27 percent) of all the SMBs surveyed admitted they lacked full visibility of the cloud services used by their company.

For such businesses, the technology impact of the pandemic has added a further layer of vulnerability onto the existing risk. Dharma ransomware is one of many cyberthreats to take advantage of this.

The harm of Dharma

Dharma is a nasty family of ransomware, active since 2016. Its source code has been published or dumped online in various forms over time, and as a result it use has spread and many different variants now exist. We recently reported on the latest activities of the Dharma ‘ransomware-as-a-service’ (RaaS) offering, a sort of fast food ransomware franchise that has extended the reach of this threat. Dharma RaaS comes with a fully supported infrastructure, tools, malicious code and a step-by-step script so detailed that different attacks mounted by different users of the RaaS service looked almost identical. 

Why the focus on SMBs? 

Dharma attackers target opportunities that are easy to find and easy to hit, and SMBs fall into this category. This is because they don’t always have dedicated security teams and business continuity and security best practices in place, such as controls on remote access and up-to-date offline data backups. Our research found that SMB reliance on remote access tools like the Remote Desktop Protocol (RDP) for various business functions – such as providing access for contractors and supporting remote workers – without VPN protection or multi-factor authentication is the root cause of 85 percent of Dharma attacks.  

The COVID-19 pandemic has exacerbated this problem: the use of RDP has increased by 41 percent recently as companies have rushed to provide remote access to workers. This increased number of unprotected remote workers and RDP during the pandemic has significantly increased the pool of potential targets for Dharma.

The lessons to learn from Dharma

Dharma’s ransomware-as-a-service offerings expand the range of people who can execute ransomware attacks. That’s worrying enough in itself in normal times. But with many employees still working from home and IT staffs stretched thin, the risk of such an attack and its possible impact are magnified. 

Dharma is a reminder of the need to build resilience against all types of cyberattack, regardless of the size or nature of the company. This includes:

  • Shut down internet-facing RDP to deny cybercriminals access to networks. If you need access to RDP, put it behind a VPN connection
  • Check that you have a full inventory of all devices connected to your network and always install the latest security updates, as soon as they are released, on all the devices and servers on your network 
  • Keep regular backups of your most important and current data on an offline storage device 
  • Be aware of the five early indicators an attacker is present to stop ransomware attacks 
  • Remember, there is no single silver bullet for security, and a layered, defence-in-depth security model is essential

Dharma attacks don’t make global headlines because the ransom demands aren’t eye-wateringly huge, on average around £6,500 each, and the victims aren’t household names. But for a small business struggling to navigate its way through the pandemic and the start of an economic recession, the impact of a Dharma attack can be devastating. SMBs in the UK face many challenges over the coming months, it is important to take action now so that a cyberattack isn’t one of them.

Sean Gallagher
Sean Gallagher

Share via
Copy link