Cyber criminals turn to Australian SMEs as ransomware threat escalates

With large enterprises fortifying their defences, cyber attackers are shifting focus to Australia’s small and medium businesses — exploiting weak security, rising use of AI, and a booming ransomware-as-a-service market.

As attackers turn their sights beyond large enterprises, Australian SMEs are paying the price for being underprepared to face growing cyber security threats.

Ransomware attacks are on the rise in Australia, but dollar amounts lost are down, according to the latest Acronis Cyberthreats Report. The shift comes as attackers take advantage of ransomware-as-a-service to cost-effectively launch sophisticated attacks against unsuspecting smaller targets.

The second half of 2024 saw a 5% increase in the number of ransomware attacks across the globe, according to the report, with Australia in the top 10 countries targeted.

Phishing and malicious emails remain the main vectors. According to the report, the number of 4 almost tripled – increasing 197% compared to the second half of 2023 – while the number of attacks per organisation increased by 21%.

Attackers turn their sights on SMEs

As larger enterprises work hard to bolster their cyber defences, criminals are targeting unsuspecting smaller businesses, including managed service providers and managed security service providers.

SMEs make for attractive targets because they often have a false sense of security, warns Gerald Beuchelt, Chief Information Security Officer with Acronis.

These smaller organisations can also make the mistake of assuming their existing business tools, such as the security components included in Microsoft 365, offer complete cybersecurity protection against threats like ransomware and other malware tracked by the Acronis Threat Research Unit.

As a result, Beuchelt says attackers are going "mid-market", taking advantage of AI and ransomware-as-a-service to cost-effectively launch sophisticated ransomware attacks against smaller targets.

"Perhaps, in the past, these targets thought they were too small to be of interest to attackers, but that's changing," he says. "Especially when attackers are leveraging new technologies and economies of scale to launch sophisticated attacks in search of smaller payoffs."

"At the end of the day, there's always some money to be extorted, there's always some information to be stolen, even from smaller and medium-sized businesses or even individuals. It is noteworthy that there have been cases where executives and their families of larger companies have been individually targeted to support attacks against the organisation."

Cyber criminals are working together

Threat actors have established a highly effective underground market for supporting criminal services such as ransomware-as-a-service. Today, attackers need only point-and-click at potential victims, rather than develop their own malware and maintain command and control networks.

"When the ease of use and scaling means it's easy to attack a hundred businesses or a thousand businesses with the click of the button, attackers may as well go for the smaller targets, some of whom may pay up and some of whom may not," Beuchelt says.

Shadow IT leaves the door open

Once again, attackers are leveraging AI to generate convincing spear phishing messages designed to trick employees. As email security solutions improve their ability to identify phishing attacks, attackers are turning to other channels such as SMS, WhatsApp and social media.

To defend themselves, Australian SMEs cannot rely on technological defences alone; they also need to place a greater focus on people and process via cybersecurity awareness training.

The significant rise in phishing as a ransomware attack vector – via a growing range of channels – reflects that attackers realise that people are often the weakest link for smaller businesses.

"These alternative attack channels like social media are becoming more popular because they're not as tightly monitored and are typically unofficial channels within the business," Beuchelt says.

"Beyond simply trying to stamp out this kind of Shadow IT, it's important for businesses to better understand their employees' communication needs and provide sanctioned alternatives which fall under the business' security umbrella."

Cyber awareness is key

Regardless of attack vector, ensuring that all employees are trained to recognise threats such as phishing is essential for every business.

"It's critical that everyone is trained to a basic level, and that includes new employees entering the business because they may not have had appropriate training prior," Beuchelt says.

"People are absolutely at the centre of cybersecurity and, while they are often the initial attack vector, they can also be an effective last line of defence if they're trained to treat all communications with a healthy scepticism."

Copyright © iTnews.com.au . All rights reserved.