
Safe Tuesday with SNOK: Ransomware in SAP applications - an analysis of threats, losses and defence strategies

In the era of digital transformation, SAP applications have become a critical element for many organisations around the world. These comprehensive solutions manage key business processes, from finance and accounting, through supply chain management, to human resources and customer service. However, as the importance of SAP applications grows, so does the attractiveness of these systems as targets for cybercriminals, particularly in the context of ransomware.

The value of SAP applications for organisations

SAP applications are often described as the “backbone” or “heart” of modern enterprises. Their importance to day-to-day business operations is difficult to overstate:

  • Integration of business processes: SAP enables seamless integration across different departments and processes, leading to increased operational efficiency.

  • Real-time analytics: With SAP, companies can make business decisions based on real-time data, which is crucial in today’s dynamic business environment.

  • Resource management: From inventory management to production planning, SAP optimises the use of enterprise resources.

  • Regulatory compliance: SAP applications often include functions supporting compliance with various industry and international regulatory standards.

  • Customer service: Many SAP modules are dedicated to improving the customer experience, which directly translates into loyalty and revenue.

Potential losses resulting from SAP application downtime

Given the critical role of SAP applications, their disruption as a result of a ransomware attack can lead to catastrophic consequences for an organisation:

  • Direct financial losses: Downtime in SAP applications can cost companies millions of dollars per day. According to various industry estimates, the average cost of an hour of downtime for a large corporation can range from 100,000 to as much as 5,000,000 US dollars, depending on the sector and scale of operations.

  • Supply chain disruption: For manufacturing and logistics companies, halting SAP can mean a complete stoppage of deliveries, causing a domino effect throughout the entire supply chain.

  • Data loss and recovery costs: A ransomware attack can lead to the loss of critical business data. The costs of recovering this data, even where possible, can be enormous.

  • Reputational damage: Security incidents affecting systems that process customer data can seriously damage a company’s reputation, leading to long-term financial losses and a loss of customer trust.

  • Legal and regulatory consequences: In many industries, data security breaches can lead to serious financial penalties imposed by regulatory bodies.

  • Loss of competitive advantage: Prolonged disruption to SAP systems can lead to a loss of market share to competitors.

Given these potential losses, it is unsurprising that many organisations face a difficult dilemma: to pay or not to pay the ransom in the event of a ransomware attack on their SAP systems.

The scale of the problem: a global CISO perspective

According to Proofpoint’s “2024 Voice of the CISO” report, ransomware remains one of the leading concerns for Chief Information Security Officers (CISOs) worldwide. Strikingly, as many as 62% of CISOs surveyed stated that their organisations would likely pay a ransom to regain access to systems in the event of a ransomware attack. These figures vary by country - the highest are in Saudi Arabia (83%), Canada (82%) and South Korea (79%).

This data illustrates just how serious and widespread the ransomware problem is, even among organisations that should theoretically be best prepared for such threats. In the context of SAP applications, which often form the heart of business operations, this problem takes on even greater significance.

Cost-benefit analysis: why do companies decide to pay?

The decision to pay a ransom is often based on a detailed cost-benefit analysis. Here are the key factors companies take into account:

  • Direct financial losses: Comparing the size of the ransom demanded with the potential losses resulting from system downtime. For example, in the case of the 2021 Colonial Pipeline attack, the company paid a ransom of 4.4 million US dollars, representing a small fraction of its annual revenue of 1.3 billion US dollars.

  • Data recovery costs: As Derek Gooh, CISO of Singaporean retailer NTUC, notes, rebuilding systems from scratch can be time-consuming and costly. By comparison, using a decryption key can enable a much faster restoration of system operations.

  • Criticality of services: Chris Haigh, CISO of MercuryIT, emphasises that organisations providing critical services, such as hospitals, may be more inclined to pay a ransom given the potential consequences of prolonged downtime.

  • Insurer influence: Ken Newton, CISO of secondwave, notes that insurance companies often prefer a quick resolution through ransom payment in order to minimise losses.

  • Legal and regulatory risk: Leonard Kleinman, CISO of Enablis, highlights the additional risk for listed companies, which may breach disclosure obligations if they fail to report an attack in a timely manner.

In the context of SAP applications, which often process critical financial and operational data, these factors become even more significant. Downtime in SAP operations can paralyse an entire organisation, increasing pressure to resolve the problem quickly.

Ethical dilemmas associated with paying a ransom

Despite potential financial benefits, the decision to pay a ransom involves serious ethical dilemmas:

  • Funding criminal activity: Ken Newton emphasises that by paying a ransom, organisations effectively fund criminal activity, which can have far-reaching consequences.

  • Sanctions risk: Chris Haigh notes that some ransomware groups may be subject to government sanctions. Paying them could expose a company to serious legal consequences.

  • Reputation and business ethics: Kleinman notes that many companies want to avoid dealing with criminal groups for ethical and reputational reasons.

  • Encouraging further attacks: Paying ransoms may encourage cybercriminals to continue and escalate their attacks.

  • National security: Gooh cites the example of Singapore, where authorities discourage paying ransoms in order to avoid creating an image of an “easy target” for cybercriminals.

For SAP systems, which often contain sensitive corporate and personal data, the ethical aspects of the ransom-payment decision take on an additional dimension linked to the responsibility of protecting this information.

The CISO’s role in the decision-making process

Contrary to popular belief, the CISO often does not have the final say in the decision to pay a ransom. Nevertheless, their role as a key adviser is invaluable:

  • Risk analysis: The CISO provides a comprehensive risk analysis, taking into account threats to production, legal and regulatory obligations, potential revenue losses and reputational impact.

  • A counterbalance to other perspectives: The CISO can provide a counterweight to other board members, who may be more inclined to pay a ransom because of short-term financial benefits.

  • Education and preparedness: The CISO’s role also involves educating the board and employees about ransomware threats and preparing the organisation for potential attacks.

  • Working with external experts: The CISO often coordinates cooperation with external security experts and negotiators who can help manage a crisis situation.

In the context of SAP systems, the CISO’s role is particularly important given the complexity of these systems and their critical significance for business operations. The CISO must not only understand the technical aspects of SAP security, but also be able to communicate this information in a way that is understandable to the board and other stakeholders.

Risk minimisation strategies and alternatives to paying a ransom

To avoid the need to pay a ransom, organisations should focus on prevention and preparedness:

  • A robust backup system: Regularly creating backups and, just as importantly, regularly test-restoring them, including offline or immutable copies that an attacker with domain or SAP administrator rights cannot encrypt or delete, can significantly reduce the impact of a ransomware attack. A backup that has never been restored is an assumption, not a control.

  • Network segmentation: Isolating critical SAP systems from the rest of the corporate network can limit the spread of ransomware.

  • Advanced detection and response systems: Deploying EDR (Endpoint Detection and Response) and XDR (Extended Detection and Response) systems can help detect and neutralise threats quickly.

  • Cooperation with law enforcement: As Kleinman notes, working with the authorities can help mitigate the effects of an attack, even if payment is ultimately made.

  • Cyber insurance: Appropriate insurance can help cover the costs associated with an attack, including potential operational losses.

  • Using negotiators: In the event of an attack, professional negotiators can help lower the ransom amount demanded or even obtain a decryption key without payment.

  • Dark web monitoring: In the event of an attack involving data exfiltration, monitoring the dark web can help enable a rapid response to potential disclosures of information.

  • Regular updates and patching: Keeping SAP systems up to date and rapidly deploying security patches is key to minimising risk. SAP publishes its Security Notes on Patch Day, the second Tuesday of each month, so a monthly cycle of reviewing and applying the notes relevant to the landscape, with the highest-priority notes applied first, is a realistic minimum.

  • Employee training: Regular cybersecurity training can significantly reduce the risk of successful phishing attacks, which are often the entry point for ransomware.
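The detection bullet above mentions spotting and isolating ransomware before it spreads. The following is an added example, not code from SNOK or from SecurityBridge, of the kind of behavioural heuristic an EDR or file-activity monitor applies: a sliding window that flags a process performing many extension-changing renames in a few seconds (the classic encrypt-and-rename pattern) and any touch of a decoy “canary” file. The file events, the SAP-style paths, the process names and the thresholds are all constructed for illustration and are assumptions to tune per environment.

```python
"""Sliding-window heuristic for ransomware-style file activity.

Added example (not SecurityBridge or SNOK code). All events, paths,
process names and thresholds below are constructed assumptions.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from os.path import splitext
from typing import Deque, Dict, List, Set

# Assumed tuning values: renames within WINDOW_SECONDS before alerting.
WINDOW_SECONDS = 10.0
RENAME_THRESHOLD = 20
# Constructed decoy file; nothing legitimate should ever modify it.
CANARY_PATHS: Set[str] = {"/sapmnt/PRD/canary/DO_NOT_TOUCH.docx"}


@dataclass(frozen=True)
class FileEvent:
    ts: float          # seconds since epoch
    process: str       # image name of the acting process
    op: str            # "write", "rename" or "delete"
    path: str          # path after the operation
    old_path: str = "" # for renames: path before the operation


def detect(events: List[FileEvent]) -> List[str]:
    """Return one alert per offending process for mass renames, plus one per canary touch."""
    alerts: List[str] = []
    windows: Dict[str, Deque[float]] = defaultdict(deque)
    flagged: Set[str] = set()
    for ev in sorted(events, key=lambda e: e.ts):
        # Any modification of a canary file is an alert on its own.
        if ev.path in CANARY_PATHS and ev.op in ("write", "rename", "delete"):
            alerts.append(f"{ev.ts:.1f} {ev.process}: canary file modified ({ev.path})")
        # Count renames that change the extension, e.g. .pdf -> .pdf.locked.
        if ev.op == "rename" and ev.old_path and splitext(ev.old_path)[1] != splitext(ev.path)[1]:
            q = windows[ev.process]
            q.append(ev.ts)
            while q and ev.ts - q[0] > WINDOW_SECONDS:   # drop events outside the window
                q.popleft()
            if len(q) >= RENAME_THRESHOLD and ev.process not in flagged:
                flagged.add(ev.process)
                alerts.append(
                    f"{ev.ts:.1f} {ev.process}: {len(q)} extension-changing renames "
                    f"within {WINDOW_SECONDS:.0f}s (mass-rename)"
                )
    return alerts


def benign_events() -> List[FileEvent]:
    """Constructed: a work process rotating .tmp traces to .log, one every 10 s."""
    return [
        FileEvent(1000.0 + 10 * i, "disp+work", "rename",
                  f"/usr/sap/PRD/work/dev_w{i}.log", f"/usr/sap/PRD/work/dev_w{i}.tmp")
        for i in range(6)
    ]


def attack_events() -> List[FileEvent]:
    """Constructed: 40 documents renamed to .locked in two seconds, then the canary is written."""
    evs = [
        FileEvent(2000.0 + 0.05 * i, "svchost.exe", "rename",
                  f"/sapmnt/PRD/docs/invoice_{i}.pdf.locked", f"/sapmnt/PRD/docs/invoice_{i}.pdf")
        for i in range(40)
    ]
    evs.append(FileEvent(2002.5, "svchost.exe", "write", "/sapmnt/PRD/canary/DO_NOT_TOUCH.docx"))
    return evs


if __name__ == "__main__":
    for line in detect(benign_events() + attack_events()):
        print(line)
```

The benign trace rotation never crosses the threshold because its renames are spread over a minute, while the encryption burst is flagged after the twentieth rename, well before the remaining files are touched; that early point is where an automated response (isolating the host, killing the process, revoking the account) has to fire for the isolation described in the text to matter.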

An expert perspective: ethics in the face of ransomware

Michał Korzeń, CTO and Partner at SNOK, emphasises the importance of an ethical approach to the ransomware problem:

“At SNOK, we believe that ethics in cybersecurity is not solely a matter of morality, but also of long-term business strategy. Paying a ransom may seem like a quick solution, but in reality it contributes to escalating the problem on a global scale. Every payment made provides an incentive for cybercriminals to continue and expand their activities.

Instead, we encourage our partner organisations to invest in robust security systems, regular employee training and business continuity plans. These proactive measures not only protect against attacks, but also build a culture of security within an organisation. In the long run, such an approach is not only ethically sound, but also more economically viable.”

Success in practice: cases of effective ransomware defence

Jarosław Zdanowski, Partner at SNOK, shares experiences from real-world ransomware attack cases:

“At SNOK, we have dealt with several cases involving clients whose SAP systems were attacked by ransomware. Thanks to previously implemented security strategies and appropriate incident-response policies, we were able to successfully repel these attacks without having to pay a ransom.

Key to these cases was having up-to-date and isolated backups of the entire SAP environment. This meant that, even in a situation where data had been encrypted by ransomware, we were able to quickly restore systems to their pre-attack state.

In addition, our monitoring tools, including SecurityBridge, enabled early detection of unusual activity, allowing for a rapid response and isolation of infected systems before ransomware could spread throughout the entire SAP ecosystem.

These experiences confirm that proper preparation, investment in security and a rapid response are key to effective defence against ransomware. Paying a ransom should never be the first option - with the right tools and procedures, organisations can effectively defend themselves against such attacks and minimise their potential impact.”

SNOK’s role in the comprehensive protection of SAP systems

SNOK, as an expert in the field of SAP security, offers comprehensive solutions and services aimed at protecting against ransomware attacks and other cyber threats:

  • Security audits: We conduct detailed analyses of SAP systems, identifying potential vulnerabilities and recommending specific remedial actions.

  • Implementing safeguards: We help implement security best practices, including network segmentation, access control and data encryption.

  • Monitoring and threat detection: Our advanced monitoring tools enable rapid detection of potential ransomware attacks and other threats.

  • Training and education: We provide specialist training for employees, raising awareness of threats and building cybersecurity skills.

  • Incident response support: In the event of an attack, our team of experts is ready to act immediately, minimising losses and helping to restore normal system operation quickly.

  • Attack simulations: We conduct controlled ransomware attack simulations to test and refine response procedures.

A key element of our offering is SecurityBridge - an advanced solution for managing the security of SAP systems. In the context of ransomware protection, SecurityBridge plays a particularly important role:

  • Security patch management: SecurityBridge automates the process of identifying, prioritising and deploying SAP security patches. Given the increasing frequency of security updates issued by SAP, this function is key to keeping a system in a secure state.

  • Real-time monitoring: SecurityBridge provides continuous monitoring of SAP systems, detecting potential threats, including ransomware installation attempts, in real time.

  • Vulnerability analysis: The tool regularly scans SAP systems for security vulnerabilities that could be exploited by attackers to introduce ransomware.

  • Security configuration management: SecurityBridge helps maintain a secure configuration of SAP systems, reducing the attack surface for potential ransomware threats.

  • Reporting and compliance: The tool generates detailed reports on the security status of SAP systems, which is key to maintaining compliance with regulations and internal security policies.

  • Integration with DevOps processes: SecurityBridge supports secure DevOps practices, enabling fast and secure deployment of changes to SAP systems without increasing the risk of ransomware attacks.

By combining SNOK’s expertise with SecurityBridge’s advanced functionality, organisations can significantly strengthen their defensive capabilities against ransomware and other cyber threats targeting SAP systems. Given the growing frequency and complexity of attacks, such a comprehensive approach to security is becoming not a luxury, but a necessity for every organisation relying on SAP systems for its key business processes.

Topics: Safe Tuesday SAP Security SecurityBridge SAP S/4HANA SAP BTP