WannaCry ransomware's real victim: Your local corner store

Six out of 10 small businesses shut down after cyberattacks. Here's why.

Alfred Ng Senior Reporter / CNET News
Alfred Ng was a senior reporter for CNET News. He was raised in Brooklyn and previously worked on the New York Daily News's social media and breaking news teams.
Many small businesses don't have the capabilities to fend off a ransomware attack. And many also don't have what it takes to recover from one.


These businesses may be small, but they're a big draw for hackers.

Thanks to WannaCry, ransomware has taken the world by storm, with no discrimination as to whose computers it holds hostage. It'll lock down hospitals, mailrooms, banks, schools -- any organization with a vulnerable computer running outdated software can fall under a hacker's crosshairs.

It's that outdated software part that makes small businesses the most prevalent victims. Your local pizzeria or hair salon doesn't have its own IT department and probably isn't aware of the latest patches for Windows -- or even the latest version of Windows.

"If you're a one-man shop, it's often a nephew or a family member who does that," said Robert Gibbons, the chief technology officer at Datto, a cybersecurity company. "Small businesses suffer because they don't have the skill nor the infrastructure to manage this."

Ransomware spiked from 2015 to 2016, and has become the fifth most common type of malware. The virus takes over computers and encrypts all their files, holding them hostage until victims pay hefty sums. In 2016, one notorious ransomware demanded $28,730 from each victim. WannaCry has demanded $300 per computer, with the deadline looming on Friday.

If you're a small business, you're stuck between a rock and a hard place once ransomware strikes. If you don't pay, all your records and transactions are lost, giving up crucial information your business needs to function. If you do pay, you're feeding a growing beast and encouraging more ransomware attacks in the future. That is, if you can even afford to pay.

"For a small business, these costs of remediation are simply too high, and the possibility of continuing operations disappears," said Brian Berger, the executive vice president of commercial cyber security at Cytellix.

The threat is real: Six out of 10 small businesses hit by cyberattacks will go out of business within six months, according to the US Securities and Exchange Commission.

Ransomware hits every small business differently. With the hair salon in Scotland, the stylists were locked out of their appointment data and had to confirm with all their customers on Facebook to see who was scheduled when.

Others might not be able to manage payments for hours. Gibbons said his company deals with 100 to 200 cyberattacks on small businesses a day -- about 30 of which escalate to a more serious situation.

"There's thousands and thousands of small businesses that are eating downtime or are paying ransoms," Gibbons said. "It's an underreported, giant tax on small businesses."

What happens when you lose it all

The Clay County sheriff's department in North Carolina is familiar with losing all its files.

When its server crashed in 2014, the department lost all its records and spent four months piecing things back together. The department still feels the repercussions.

"When they had their server crash, there were criminals who walked because the documentation was no longer there, or it was inaccurate, because it was entered by hand," said Des Keller, an IT consultant with the sheriff's department. "That puts criminals on the streets."

The incident was a wake-up call. Keller saw that a similar situation could happen with ransomware, even if the sheriff didn't.

"We actually did hear that remark from our sheriff: 'Who would be interested in our little county?'" Keller said. "We pushed the protection because we've seen what it can do in other places." The department's follow-up included hiring a cybersecurity company called Untangle for ongoing protection and advice. So far, the sheriff's department hasn't been touched by WannaCry.

But not every small business can afford even a few hundred dollars a year on protection.

Cyberdefense on the cheap

Just because a small business has slim resources doesn't automatically mean they're screwed whenever a virus comes around.

Remember, the WannaCry ransomware spread through very preventable exploits. Setting a computer to automatically update for the latest security patches is free.

The best protection against ransomware is to always have constant backups, which would spare owners from having to choose between paying the ransom and losing their valued files.

"There are plenty of cloud solutions that are very low cost, and very easy to use," said Aviv Grafi, Votiro's chief technology officer. "For very small businesses, you can use Dropbox. I would recommend a solution like that for my mom."

Services like Mozy, Crashplan and Carbonite can offer unlimited storage for as low as $5 a month.

Small businesses can't afford not to consider these options.
