August 8, 2024

Defying officials and experts, S’pore firms keep paying ransomware blackmail


SINGAPORE – A group of journalists huddled around a screen flashing threats and blackmail, all part of a simulation where they acted as managers of a global doughnut chain hit by a ransomware attack.

As fryers and delivery vans ground to a halt, they grappled with mounting pressure from the media, franchisees and employees. 

If they caved in, they would be joining scores of Singapore companies that pay millions of dollars each year to hackers that infiltrate computer networks with malicious software and withhold access or steal data until a sum of money is paid.

Despite warnings from the authorities and cyber security experts, a majority of Singapore firms continue to fuel a vicious circle that emboldens criminals and puts more organisations at risk, noted a new survey. 

It found that these companies sometimes defy even their own corporate policies. 

The survey conducted between June and July by Cohesity, which organised the simulation exercise, found that 65 per cent of 302 firms here reported being victims of ransomware in 2024.

The data security and management firm’s global cyber resilience strategist, Mr James Blake, said: “It’s not earth-shattering that organisations are being hit with cyber attacks.

“But what is of major concern is that 64 per cent of respondents said their organisation had paid a ransom, with many breaking their ‘do not pay’ policies.”

Another survey by cyber security firm ExtraHop of 100 local respondents around February noted that local organisations dealt with at least eight ransomware incidents in the previous 12 months, with 95.7 per cent succumbing and paying out an average of $4.49 million. 

Mr Daniel Chu, ExtraHop’s vice-president of systems engineering for Asia-Pacific and Japan, called it “shocking”, given that 98 per cent of IT and cyber security decision-makers indicated confidence in their organisations’ ability to manage cyber risks.

As a key hub for finance and technology, Singapore is an attractive target for cyber threats, he added. 

The national Cyber Security Agency (CSA) strongly discourages ransom payments, telling The Straits Times: “There is no guarantee that locked data will be decrypted or that stolen data will not be used for malicious purposes once ransom has been paid. 

“Paying the ransom also encourages the threat actors to continue their criminal activities and target more victims. Threat actors may also see your organisation as a soft target and may strike again in the future.”

A CSA report in 2023 showed that ransomware cases remained unchanged from 2022 at 132, hitting manufacturing and construction firms the most. 

However, industry players believe many cases likely go unreported, as only regulated firms are mandated to disclose ransomware attacks.

Why do organisations succumb?

Mr Terry Ray, field chief technology officer for cyber security firm Imperva, said: “Most organisations don’t typically back up every single night. Sometimes they (do it) once a week, maybe once a month. They rarely test their backup.”

So, confidence falters during an attack.

And with more companies hosting both backups and actual assets in the cloud, more firms risk getting both sets of data encrypted by the threat actors, he added. 

When that happens, “you have no choice; you must pay the ransom or lose your business”.

About 52 per cent of incidents cited in the CSA report impacted small and medium-sized enterprises (SMEs).

Association of SMEs (Asme) president Ang Yuit said: “SMEs just want to get the business moving.

“The consideration is whether the boss has time to deal with it via other means, or just pay up if the data is important enough.”

Although the CSA pointed out that insurers raise cyber hygiene by underwriting risks only when requirements are met, their coverage of losses and incident costs also inadvertently encourages settlement.

New types of risks? 

Global ransomware payments hit a record US$1.1 billion (S$1.46 billion) in 2023, according to cryptocurrency-tracing firm Chainalysis, a rise attributed to the commoditisation of ransomware. 

An attacker on the dark web could be hired for a few hundred dollars to get at certain individuals or organisations. 

Also available are subscription-based ransomware services dressed up just like normal software companies, offering even customer service.

Two broad trends emerged in 2023, the CSA said.

Ransomware groups are now extorting data without encrypting files, making attacks faster and stealthier, and using pressure tactics like harassing victims’ clients.

The rise of artificial intelligence (AI) allows hackers to analyse vast data sets, evade detection, and use dynamic ransom pricing and bot-led negotiations. 

Imperva’s Mr Ray noted that many executives overrate their preparedness, and stumble when asked about the data they are connecting their AI applications to. 

“That’s where they start to, you know, eyes glass over a little bit,” he said.

“You can put controls anywhere you want to but if you don’t know what data is in there, you don’t know what you’re connecting AI to. You are opening a can of worms.”

Ideas at play

The US government considered banning ransom payments in 2023, while Britain proposed mandatory reporting and licensing for firms wishing to pay.

But there are concerns that publicising cases and payouts could encourage more attacks and damage reputations, making such legislation difficult to pass.

The first step to surviving ransomware attacks must be to quickly recover business-critical data, and to that end, the CSA and Singapore Police Force have set up a ransomware portal for one-stop recovery resources. 

The growing number of chief information security officers (CISOs) hired by firms in recent years could be made more effective by placing these hires under finance, legal or risk management chiefs rather than chief information officers (CIOs), suggested Mr Ray.

It is the job of security chiefs to say “no” to tech features that are not secure, and that puts them in conflict with CIOs whose agenda is to provide IT that supports business growth, he said. 

Professor David Tan, co-director at the Centre for Technology, Robotics, AI & the Law, emphasised enhancing cyber security over legislative bans.

In serious cases, companies could be deliberating over threats to endanger human lives, he noted, adding: “No legislation can prevent a company from voluntarily paying a ransom.”

The human guardrails that need power

Singapore organisations are overwhelmed by a multitude of barriers holding them back from managing cyber risk, Cohesity’s survey showed.

A lack of funds, immature processes, old technology or a lack of talent, and lack of recognition for cyber security functions within organisations add up to weak cyber defences.

This was borne out by the make-believe crisis meeting of the doughnut company. 

A board member, having also been contacted by the hacker, ranted against management but offered nothing of use.

Around the table, legal counsel regurgitated the law, the head of communications grumbled about the hit to reputation, and the CISO – under fire – kept reminding all that the fault was not his alone.

Little time was spent on finding out the actual scale of the damage and business recovery time. 

Eventually, the chief executive, relieved that he had broken no law and dodged personal liability, decided not to pay up.

A collective sigh of relief and mumblings about doing the right thing were heard. 

The doughnut company, however, was fried and about to go under.