Aussie businesses now have to fess up when they pay off ransomware crims

Australia now requires large companies to inform the government if they have paid off ransomware perps. The requirements, as set out in the Cyber Security Bill 2024, kicked in on Friday, May 30. Any business turning over more than AUS $3 million ($1.92 million) must report ransomware payments within 72 hours to the Australian …

  1. Anonymous Coward

    Turnover of AUD3 million... Large companies?

    That is not a particularly high turnover even for a quite small business, although many of those might be sole traders rather than incorporated entities.

    I don't imagine smaller businesses would attract the ransomware fraternity, and a good few would have minimal exposure to the internet or modern technology generally.

    1. david 12 Silver badge

      Re: Turnover of AUD3 million... Large companies?

      I don't imagine smaller businesses would attract ransomware

      Pig butchering (romance fraud) is one-on-one. There is no target too small for financial crime.

      and a good few would have minimal exposure

      The larger the business, the more weak links (people) it has inside the network. In the small businesses I worked for, apart from IT there were only the business owner and the book-keeper with enough network access to be a problem, and as long as those 2 people weren't hooked by phishing, we didn't have a problem. The size of the weakness scales with the size of the business.

      1. doublelayer Silver badge

        Re: Turnover of AUD3 million... Large companies?

        The difference is that "pig butchering" is a specific type of attack which has the capacity to go after all the assets someone has. One wealthy person can end up providing a lot of funding if they end up bankrupt or even in debt at the end of the process. For a small company (using your scale of two employees) and ransomware, the economics are very different. If you request a ransom so high that it would bankrupt the company, the company is not going to pay it; it's as bad or probably worse than having to rebuild manually.

        There's a technical problem as well. Ransomware has an inverse U-shaped viability curve. The best victim for a ransomware attack, speaking only technically, is something large enough where there is tech gluing things together, since that makes it easy to spread, but not something large enough that people have gone through to harden it. The example you provide of the two-person company is likely not to have good defenses, but neither are they likely to have systems that are easy to attack. The people may be using personal laptops, and if they have separate work machines, they may still be administered like personal ones. Those don't tend to have many openings to the outside world, there are fewer people to try to phish, and if you get your software onto one of them, you might not have a great way to spread it onto the other one, but that other one may likely have a copy of many of the important files. Meanwhile, if you succeed, your likely payment is quite tiny in comparison to the schools, utilities, and large companies that neglected their IT security which most ransomware targets.

        This has been tried. Early ransomware targeted personal machines in droves. Have you seen any of that in the last few years? I haven't, and it's mostly died because the ransomware operators realized that targeting individuals sucks. It's hard to show people how to navigate your Tor ransom request system, coach them through getting cryptocurrency, convince them that the files which have value to them but aren't going to kill them if they're lost are worth the ransom, get them a working decryptor if you're the kind that has one, and the kind of ransom you can request and reasonably expect to receive is just too small. Larger businesses may take more effort to crack into, but they have more ability to pay, they have enough insulation between the people paying and the source of the money that they're more willing to pay, and they often have a lot more riding on having access to those files.

    2. Sampler

      Re: Turnover of AUD3 million... Large companies?

      I don't imagine smaller businesses would attract ransomware fraternity

      That's the thing with modern automation and crawlers: you don't have to be an attractive target. They'll just set the systems going, and if they find a known vulnerability you've not patched, you're popped. There's actually been a big pivot from targeted exploitation to a wider scattergun approach. Even if only a small percentage pay out, if you hit enough, it's worth it, and sadly it seems to be, given the numbers seen.

  2. Doctor Syntax Silver badge

    Make the fine equal to the ransom paid. I doubt it would be legal to insure against fines.

  3. Paul Herber Silver badge

    ' ... a fine equal to 60 penalty units, which is currently AUS $19,800 ($12,700) ... '

    Small change compared with the legal/accounting/management/technical costs of compliance.

    1. Alan Brown Silver badge

      I predict that there will be widespread non-compliance until personal liability is added against anyone making decisions to not disclose.

  4. alain williams Silver badge

    Why is there a limit on reporting?

    Anyone who pays ransomware scum should have to report it. How much detail about the attack could be size-dependent.

  5. AVR Silver badge

    Collect data, then decide the next move

    More information is generally useful, and in particular knowing how big the problem is and what's already being done about it is a basic prerequisite to figure out what more should be done.

    1. VicMortimer Silver badge

      Re: Collect data, then decide the next move

      Nope. We don't need more information. We already know that ransomware will never be stopped until paying becomes a crime.

      1. Anonymous Coward

        Re: Collect data, then decide the next move

        Or becomes prohibitively expensive. A fine of 10x the payout would be a good start.

  6. Anonymous Coward

    What’s that Skip, you found ransomware in your pouch?

    We’d better tell Dad!

  7. VicMortimer Silver badge

    Nowhere NEAR enough. CRIMINALIZE PAYING!

    Paying ransom shouldn't just be reported, it should be a crime. CEOs need to go to prison if they pay.

    It's the ONLY way ransomware is going to be stopped. End the financial incentive.
