Every year, the Cyber Security Agency of Singapore (CSA) publishes its Singapore Cyber Landscape report, summarising the state of cybersecurity threats across the city-state. The 2024 edition contained a figure that should concentrate the attention of any Singapore business owner: reported ransomware cases rose 20% in 2024 compared to the prior year, and infected infrastructure rose 67%.
These are not abstract statistics about a threat that affects large organisations in other countries. Ransomware in Singapore in 2024 affected manufacturing companies, logistics firms, and professional services businesses. The targets were not exclusively enterprise. Small and medium-sized businesses were among those affected, precisely because they tend to have fewer technical defences and less ability to absorb the operational disruption that ransomware causes.
This post explains what ransomware is and how it works, what the impact on a Singapore SME looks like in practice, and how cyber insurance responds.
What ransomware actually does
Ransomware is a type of malicious software that encrypts the files on a computer system, making them inaccessible to the owner. The attacker then demands a payment, typically in cryptocurrency, in return for the decryption key that would restore access.
The encryption itself is usually the result of one of a small number of entry points. A phishing email that tricks an employee into clicking a link or downloading a file. A vulnerability in software that has not been updated. Remote desktop access that is inadequately secured. A compromised account from a third-party supplier who has access to the business's systems. In most cases, the attacker has been inside the system for days or weeks before the ransomware is triggered, mapping the network, identifying backups, and positioning to cause maximum disruption.
When the ransomware executes, the effect on operations is immediate. Files cannot be opened. Systems cannot run. Databases are locked. For a business that depends on its computer systems to operate, which is most businesses in Singapore, the interruption can be total.
The demand follows. The amount varies. For SMEs, demands typically run from tens of thousands to hundreds of thousands of dollars. The attacker sets a deadline. If it is not met, they threaten to delete the decryption key permanently, or to publish any data they extracted before encrypting.
Why the 67% infrastructure figure matters more than the 20% case figure
The 20% rise in reported ransomware cases is significant. But the 67% rise in infected infrastructure is the more important number for business owners to understand.
Infected infrastructure refers to the servers, devices, and systems that have been compromised by malware and are being used by attackers as staging points for further attacks. This includes systems infected with malware that has not yet been triggered, systems being used as part of botnet networks to distribute attacks, and systems that have been used to launch ransomware against other targets.
The implication is that the pool of compromised infrastructure available to attackers in Singapore is growing faster than the number of executed attacks. Criminals are spending more time establishing positions inside networks before deploying ransomware. This increases the potential for attacks to succeed, because by the time the ransomware triggers, the attacker has often already located and deleted or encrypted the backups that would allow the business to recover without paying.
What happens to an SME that is hit
The immediate and visible cost is the ransom demand. But for most businesses, the ransom is not the largest cost of a ransomware attack.
The first cost is business interruption. While systems are down, the business cannot operate normally. For a logistics company that cannot access its dispatch system, a manufacturing firm that cannot run its production scheduling, or a professional services firm that cannot access client files, the revenue loss accumulates by the hour. The interruption period is typically days to weeks, depending on whether the business has clean backups and how quickly they can be restored.
The second cost is incident response. Understanding what happened, what was accessed, and how to restore systems securely requires specialist expertise. Forensic investigators, incident response specialists, and IT recovery teams all charge significant fees and are often in high demand immediately following a large ransomware campaign.
The third cost is data-related. If the attacker extracted data before encrypting, the business has a potential data breach. Under Singapore's Personal Data Protection Act 2012 (PDPA), a breach affecting personal data above certain thresholds requires notification to the PDPC within three calendar days and notification to affected individuals. Legal advice on the notification obligation, drafting the notifications, and managing the regulatory response are additional costs.
The fourth cost, which is harder to quantify but real, is reputational. Clients, suppliers, and partners who discover that a business has been the subject of a ransomware attack may have concerns about the security of their own data and their confidence in the business as a counterparty.
How cyber insurance responds to a ransomware attack
A well-structured cyber insurance policy addresses all four of the cost categories above.
Business interruption. The policy covers the loss of revenue during the period the business cannot operate normally as a result of the cyber incident, and the additional costs of maintaining operations while systems are restored.
Incident response. The costs of forensic investigation, specialist IT recovery, and crisis management are covered from the moment the incident is confirmed. Many cyber policies include access to a pre-arranged panel of incident response providers, which means the business does not need to find and engage a forensic firm under pressure during an active attack.
Data breach and regulatory response. Legal advice on PDPA notification obligations, the cost of notifying affected individuals, and regulatory defence if the PDPC investigates are all within scope of a well-structured cyber policy.
Cyber extortion. Where a ransom payment is made, and where this is legally permissible, the policy can cover the ransom amount. The decision to pay is always context-specific, and authorities generally advise against payment on the grounds that it funds criminal activity and does not guarantee file recovery. But the cover means the decision is made on its merits rather than purely on the basis of whether the business can afford the alternative.
What insurance does not replace
Cyber insurance is not a substitute for basic security measures. A business that holds no backups, uses default passwords on remote access systems, and has not trained staff to recognise phishing emails will face higher premiums, more restrictive policy conditions, and a harder time with claims than one that has taken reasonable precautions.
The CSA recommends that businesses maintain current, tested backups stored offline or in a separate cloud environment. This is the single most effective measure against ransomware, because it allows recovery without paying a ransom, regardless of whether the insurance responds. A backup that has been encrypted by the attacker alongside the primary data is not a backup.
For a Singapore SME, the practical starting point is straightforward: understand what data and systems the business depends on, maintain tested backups of those systems, apply multi-factor authentication to remote access and email accounts, and keep software and systems updated. These measures reduce both the likelihood of an attack succeeding and the severity of the impact if one occurs.
Cyber insurance addresses the costs that remain even when these measures are in place, because no set of precautions eliminates the risk entirely. For more on how cyber insurance works for Singapore businesses, our post on Cyber Insurance in Singapore covers the full picture.
If you would like to understand how your business would be protected under a cyber policy, and how the cover sits alongside your current security arrangements, we would be glad to work through it with you.
This article provides general information only. It is not insurance advice. Policy availability, terms, conditions, and exclusions vary by insurer and product, and cover is subject to the full policy wording. Please contact TZY CO for advice on your specific situation.