Ransomware in Singapore: Escalation, Response, and Institutional Guidance

Ransomware exploits global connectivity to target organisations across jurisdictions. Image: Wikimedia Commons, CC license.

Ransomware incidents reported in Singapore increased by 21% in 2024 compared to the prior year, according to the CSA's Singapore Cyber Landscape 2024/2025 report. While headline-grabbing attacks on large enterprises attract media coverage, the data indicates that small and medium enterprises and professional services firms bear a disproportionate share of the impact.

The 2024 Ransomware Data

The CSA documented several characteristics of the 2024 ransomware landscape in Singapore:

How Ransomware Enters Singapore Organisations

The primary infection vectors documented in CSA and industry reports include:

The Singapore Police Force Position on Ransom Payment

The Singapore Police Force maintains a clear advisory against paying ransoms. The published rationale includes:

According to international incident data compiled by cybersecurity firms, approximately 80% of organisations that paid a ransom experienced a subsequent attack, and 46% found their data corrupted after decryption.

CSA's Recommended Response Framework

When ransomware is detected, the CSA's published guidance recommends the following sequence:

  1. Isolate affected systems — Disconnect infected machines from the network immediately, but do not power them off (forensic evidence may reside in volatile memory)
  2. Activate incident response plan — Engage the designated incident response team or external cybersecurity firm
  3. Assess the scope — Determine which systems, data, and backups are affected using network logs and endpoint detection data
  4. Preserve evidence — Retain logs, disk images, and ransom notes for law enforcement and forensic analysis
  5. Report to authorities — File a police report online and notify CSA via SingCERT. If personal data of 500+ individuals is affected, notify the PDPC within 3 days
  6. Restore from backups — Rebuild affected systems from clean, verified backups after the infection vector has been identified and remediated
  7. Conduct post-incident review — Document lessons learned, update security controls, and revise the incident response plan

SME Protection Measures

The CSA's SG Cyber Safe programme and industry associations recommend the following defensive measures, particularly for small and medium enterprises:

The Insurance Dimension

Cyber insurance uptake among Singapore SMEs remains below 20%, according to industry estimates. Policies typically cover incident response costs, business interruption, data restoration, and third-party liability. However, insurers have progressively tightened underwriting requirements, often mandating specific security controls such as MFA, EDR, and offline backups as preconditions for coverage.

The Monetary Authority of Singapore (MAS) has issued guidance on cyber risk management for financial institutions, requiring regular cyber risk assessments, penetration testing, and board-level oversight of cybersecurity posture.

Content last reviewed: March 25, 2026