S'pore organisations among most targeted in the world by ransomware attacks, study finds

Ransomware is a type of malware that typically infiltrates a computer system and encrypts the data inside. PHOTO: ST FILE

SINGAPORE - Ransomware attacks are on the rise, and organisations in Singapore are among the most targeted in the world, according to a recent study.

Despite this, businesses here tend to prioritise recovery rather than prevention, said a report published last month by cyber-security technology firm Cybereason.

Ransomware is a type of malware that typically infiltrates a computer system and encrypts the data inside. Criminals then demand a ransom, threatening to leave it locked up and inaccessible.

Criminals are also increasingly using a "double extortion" tactic, where they not only encrypt the data but also steal it and threaten to leak or sell it online.

Cybereason said Singapore businesses were witnessing the greatest volume of such attacks among the countries polled, with 80 per cent of respondents here saying their organisations had been hit by a ransomware attack in the past 24 months. Globally, the average figure was 72 per cent.

The percentage of Singapore organisations that reported at least one attack in the past year also rose from 60 per cent in last year's report to 80 per cent this year.

Cybereason’s field chief security officer for the Asia-Pacific region C.K. Chim said the recent ransomware “gold rush” among cyber criminals is due to the fact that it is becoming easier for criminals to carry out such attacks, while many organisations are also now more reliant on digital infrastructure than before.

Many ransomware gangs now operate like legitimate companies with complex yet efficient business models, Mr Chim said.

He added: “Ransomware is an extremely lucrative model with little to no risk involved for the threat actors, as they often operate in countries with no extradition treaty... This allows them to operate with near impunity.”

The developers of the malware are increasingly opting to share their tools with “affiliates”, such as those who specialise in gaining unauthorised access to networks, in exchange for a fee or a cut of the ransom.

Two prominent and commonly used types of ransomware, called LockBit 2.0 and Conti, operate under a “ransomware-as-a-service” model.

Mr Chim said factors like lack of cyber hygiene as well as lack of visibility and detection of cyber criminals are overwhelming many companies’ security operations, including but not limited to those in Singapore.

According to the study, Singapore respondents had the lowest confidence in their organisations’ ability to manage a ransomware attack. About 64 per cent said they were confident in their organisations’ people, while 61 per cent were confident in their policies.

Respondents from Britain had the highest level of confidence in their organisations’ people and policies, at 94 per cent and 77 per cent respectively.

“Basic cyber hygiene is lacking among employees, which is obvious when they open phishing e-mails or select insecure passwords,” Mr Chim said.

“Preventing this may not necessarily require more budget, technology, or manpower. Instead, it requires a better understanding of how ransomware occurs and the implementation of measures that drastically reduce the ability of cyber criminals to snatch valuable data.”

Following an attack, Singapore organisations increased their security budgets by an average of 12 per cent, which was below the global average of 19 per cent.

They were also among the least likely to apportion additional security budget to hiring talent to bolster their defences, with just 41 per cent of respondents here saying their companies would do so, compared with the global average of 51 per cent.

A third of the respondents said their organisations had set up cryptocurrency wallets in anticipation of paying off future ransomware attacks, as the criminals often demand to be paid in Bitcoin.

The survey, conducted in April, polled nearly 1,500 cyber-security professionals from organisations with at least 700 employees in the United States, Britain, Germany, France, Japan, Italy, South Africa, the United Arab Emirates and Singapore. Those in Singapore made up about 7 per cent of the sample, or just over 100 respondents.

The study also found that giving in to the criminals and paying the ransom did not guarantee the safe return of stolen data.


Among organisations that chose to pay the ransom to regain access to their systems, about 54 per cent found that system issues persisted after recovery, or that at least some of their data was corrupted after decryption. This figure is also on the rise, increasing from the 46 per cent who said the same in 2021.

The most common types of stolen data were sensitive customer data, personally identifiable information, intellectual property and protected health information.

Successfully targeted organisations were also vulnerable to repeat attacks. Among the organisations that paid the first ransom, nearly 80 per cent were hit with another attack soon after. Of this group, 68 per cent said the second attack took place within a month of the first and came with a higher ransom amount, while about half said they were hit again by the same attackers.

Despite this, organisations may be motivated to pay the ransom in cases like life-or-death situations or national emergencies, Mr Chim noted.

According to the study, about 28 per cent of all the respondents, including those in the healthcare sector, said they paid up to avoid the potential injury or loss of life that could result from critical systems being blocked.

“Companies might also feel that paying gives them the fastest possible route to return operations to normal,” Mr Chim added.

More than half of the respondents whose organisations were hit by a ransomware attack were forced to temporarily or permanently suspend their business operations as a result.

Some organisations that paid up said they did so to avoid loss of business revenue and expedite the recovery process. Others said they did so because they were unprepared for such an attack and did not back up their data or did not have the staff needed to adequately respond to the attack.

The Cyber Security Agency of Singapore (CSA) said it does not recommend that victims of ransomware pay the attackers, as this encourages them to continue their criminal activities and target more victims.

Organisations that pay up may also be seen as soft targets that can be attacked again in future, the agency added.

“We are seeing the ransomware threat becoming more common and disruptive because it is profitable and lucrative for the cyber criminals behind these attacks,” said a CSA spokesman.

“Disrupting their business model and curbing the profits made will go a long way to tackle the problem.”

CSA said the vast majority of cyber attacks can be prevented by taking proper precautions.

“We encourage business owners to view cyber security as an investment for the future, and put in place robust cyber-security measures to ensure that their systems are protected and resilient.”

Join ST's Telegram channel and get the latest breaking news delivered to you.