As SMEs increasingly adopt e-Commerce, they become prime targets of ransomware attacks by threat actors.

Retail sector most at risk of ransomware attacks, says Sophos

Ransomware attacks are on the rise, and this time, it seems the retail industry is fast becoming a prime target for attackers.

A report by leading IT security organization Sophos found that the Covid-19 pandemic accelerated the rise of ransomware attacks on retail organizations. This is because many started selling online for the first time in order to survive lockdowns around the world.

Sophos’ State of Ransomware in Retail was a survey that polled 5,400 IT decision-makers, including 435 retail IT managers, in 30 countries across Europe, the Americas, Asia-Pacific and Central Asia, the Middle East, and Africa.

The survey findings reveal that retail organizations were particularly vulnerable to a small but growing new trend: extortion-only attacks, where the ransomware operators don’t encrypt files but threaten to leak stolen information online if a ransom demand isn’t paid. More than one in ten (12%) retail ransomware victims experienced this, nearly double the cross-sector average of 7%. 

Ransomware attacks are financially painful

Retail shared the top spot with the education sector, which also faced the highest level of ransomware attacks during 2020, with 44% of organizations hit (compared to 37% across all industry sectors).

The total bill for rectifying a ransomware attack in the retail sector, considering downtime, people time, device cost, network cost, lost opportunity, ransom paid, and more, was US$1.97 million on average – compared to a cross-sector average of US$1.85 million.

Over half (54%) of the retail organizations hit by ransomware said the attackers had succeeded in encrypting their data. 

A third (32%) of those whose data was encrypted paid the ransom. The average ransom payment was US$147,811 (lower than the global average of US$170,404). However, those who paid recovered on average only two-thirds (67%) of their data, leaving a third inaccessible, and just 9% got all their encrypted data back.

The Kaseya lesson for Malaysia

Ransomware attacks are not new, but with rapid digitalization, many businesses are at high risk of attack due to a lack of digital readiness. The recent ransomware attack on Kaseya, an enterprise tech firm, saw their stolen data held to ransom for a whopping US$70 million (RM 291 million).

According to Goh Chee Hoh, Managing Director, Trend Micro Malaysia and Nascent Countries, in just the first four months of 2021, Trend Micro’s Research team detected 22,428 ransomware threats in Malaysia.

Ransomware attacks of yore were straightforward, in that a randomly chosen victim would click on a link that led them to a compromised website. They would then find themselves locked out of their computer and be forced to pay some amount of cash to regain control.

In modern times, however, tactics are more sophisticated. Attackers are now more discerning, and target companies and high-profile victims by threatening their reputation so as to gain a larger payout. This is known as a “double-extortion” strategy.

According to Trend Micro’s research, criminals take these steps to personalize the attacks:

  1. Arrange alternative access to a victim’s network, such as through a supply-chain attack
  2. Determine the most valuable assets and processes that could potentially yield the highest possible ransom amount for each victim
  3. Take control of valuable assets, recovery procedures, and backups
  4. Steal and threaten to expose confidential data

“In Malaysia, Trend Micro found that the industries that are most targeted by ransomware are government, healthcare, and manufacturing. As these sectors continue to play a role in driving economic growth in the country, it’s clear that a multi-layered cybersecurity defence system is necessary for enterprises to defend their networks and protect their business-critical data to keep up with the ever-evolving ransomware landscape,” explained Goh in a commentary.

So how can enterprises protect themselves?

In order to keep up with the ever-evolving ransomware landscape, Goh Chee Hoh shared that the three most important must-dos for Malaysian organizations are:

  1. Maintain IT hygiene: Security teams should ensure that proactive countermeasures, such as monitoring features, backups, and training in security skills, are in place to enable early detection. Alongside that, everyone in an organization should also have the latest security updates and patches installed.
  2. Work with the right security partners: Start by clearly defining the needs and priorities around enterprise security in an organization. Then, collaborate with a security vendor that aligns with these priorities to create a solid security response playbook to be used on an ongoing basis.
  3. Have visibility over all the security layers: So that security teams can detect suspicious activity early on and respond faster to attacks, organizations should utilize tools such as Trend Micro Vision One, which collects and automatically correlates data across email, endpoints, servers, cloud workloads, and networks.

By putting the right technologies in place, enterprises can also help reduce the alert fatigue commonly faced by security operations centers (SOCs), 54% of which report that they are overwhelmed by alerts.

According to Chester Wisniewski, principal research scientist at Sophos, “It’s not all bad news for retail IT managers, however. While enabling, managing, and securing IT during the pandemic increased the overall IT workload for three-quarters of retailers – the sector was also the most likely (at 77%) to see a positive return in terms of enhanced cybersecurity skills and knowledge.”

Wisniewski added that in order to secure retail IT networks, IT teams should focus resources on three critical areas: building stronger defenses against cyberthreats, introducing security skills training for users including part-time and temporary staff, and, where possible, investing in more resilient infrastructure.

No organization is truly safe until cybersecurity is made a top priority, and dealt with proactively — and not just on the system side. 

The weakest link for remote-working organizations is still the users, and a robust cybersecurity strategy would also include approaches such as zero trust, the use of multi-factor authentication (MFA), and well-trained staff and users.

While an organization can eventually recover its data or financial resources post-attack, the loss of trust among customers and partners will be a difficult challenge to come back from.

We originally published that Trend Micro’s Research team detected 113,010 ransomware threats in Malaysia. This is a mistake, and the correct number is 22,428, which has been reflected in the article.