Ransomware in Singapore: Escalation, Response, and Institutional Guidance
Ransomware incidents reported in Singapore increased by 21% in 2024 compared to the prior year, according to the CSA's Singapore Cyber Landscape 2024/2025 report. While headline-grabbing attacks on large enterprises attract media coverage, the data indicates that small and medium enterprises and professional services firms bear a disproportionate share of the impact.
The 2024 Ransomware Data
The CSA documented several characteristics of the 2024 ransomware landscape in Singapore:
- Volume increase: 21% more ransomware cases reported compared to 2023, with the actual number likely higher due to underreporting
- APT involvement: Advanced Persistent Threat groups, including UNC3886, targeted high-value strategic assets such as critical information infrastructure
- Sector distribution: Manufacturing, professional services, retail, and healthcare were the most frequently targeted sectors
- Ransom demands: Demand amounts varied from tens of thousands to several million Singapore dollars, with double-extortion (encrypting data and threatening to leak it) becoming the dominant model
- Dwell time: Attackers maintained presence within compromised networks for an average of 5-14 days before deploying ransomware payloads, conducting reconnaissance and lateral movement
How Ransomware Enters Singapore Organisations
The primary infection vectors documented in CSA and industry reports include:
- Phishing emails — Malicious attachments or links that install initial access malware, which is later used to deploy ransomware across the network
- Exploited public-facing applications — Unpatched VPN concentrators, web application servers, and remote desktop gateways
- Compromised credentials — Credentials obtained from previous data breaches or purchased on dark web marketplaces, used to access RDP or VPN without triggering alarms
- Supply chain compromise — Attacks on managed service providers or software vendors that propagate to downstream clients
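The dwell-time and compromised-credential points above leave defenders a window of days in which a valid-looking VPN logon is followed by unusual fan-out inside the network. The following is an added example (not CSA or police guidance, and not code from the report): a small detector run over constructed, pipe-delimited logon records, flagging an account whose VPN logon comes from a source never seen for it before and is then followed by RDP logons to several internal hosts within an hour. Log format, thresholds and sample lines are all assumptions made for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from any real system): timestamp|event|account|source|target
SAMPLE_LOGS = """\
2024-03-01T08:02:11|vpn_logon|alice|203.0.113.10|vpn-gw
2024-03-02T08:05:42|vpn_logon|alice|203.0.113.10|vpn-gw
2024-03-09T02:14:07|vpn_logon|alice|198.51.100.77|vpn-gw
2024-03-09T02:20:33|rdp_logon|alice|10.0.5.21|fileserver01
2024-03-09T02:31:10|rdp_logon|alice|10.0.5.21|hr-db01
2024-03-09T02:44:58|rdp_logon|alice|10.0.5.21|backup01
2024-03-09T09:00:00|vpn_logon|bob|203.0.113.44|vpn-gw
2024-03-09T09:15:00|rdp_logon|bob|10.0.5.30|finance01
"""

LATERAL_WINDOW = timedelta(hours=1)   # how soon after the odd VPN logon we look for fan-out
LATERAL_THRESHOLD = 3                 # distinct internal hosts reached inside that window

def parse(lines):
    """Turn the pipe-delimited lines into time-sorted tuples."""
    events = []
    for line in lines.splitlines():
        ts, event, account, source, target = line.strip().split("|")
        events.append((datetime.fromisoformat(ts), event, account, source, target))
    return sorted(events)

def find_suspicious(lines):
    """Return (account, vpn_logon_time, hosts) for each account whose VPN logon
    came from a source never used by that account before and was followed by
    RDP logons to LATERAL_THRESHOLD distinct hosts within LATERAL_WINDOW."""
    seen_sources = defaultdict(set)   # account -> VPN sources seen earlier in the log
    flagged_at = {}                   # account -> time of the anomalous VPN logon
    hosts_after = defaultdict(set)    # account -> internal hosts reached after it
    alerts = []
    for ts, event, account, source, target in parse(lines):
        if event == "vpn_logon":
            # Only a source that differs from an existing baseline counts as anomalous;
            # an account's very first logon has no baseline to compare against.
            if seen_sources[account] and source not in seen_sources[account]:
                flagged_at[account] = ts
                hosts_after[account] = set()
            seen_sources[account].add(source)
        elif event == "rdp_logon" and account in flagged_at:
            if ts - flagged_at[account] <= LATERAL_WINDOW:
                hosts_after[account].add(target)
                if len(hosts_after[account]) == LATERAL_THRESHOLD:
                    alerts.append((account, flagged_at[account].isoformat(),
                                   sorted(hosts_after[account])))
    return alerts
```

In the sample data only alice is flagged: bob has no baseline source to compare against and reaches a single host.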
The Singapore Police Force Position on Ransom Payment
The Singapore Police Force maintains a clear advisory against paying ransoms. The published rationale includes:
- Payment does not guarantee data recovery — multiple documented cases where decryption keys were defective or never provided
- Payment funds criminal operations and incentivises further attacks
- Paying may violate sanctions regulations if the ransomware group is on international sanctions lists
- Organisations that pay are frequently targeted again, having demonstrated willingness to comply
According to international incident data compiled by cybersecurity firms, approximately 80% of organisations that paid a ransom experienced a subsequent attack, and 46% found their data corrupted after decryption.
CSA's Recommended Response Framework
When ransomware is detected, the CSA's published guidance recommends the following sequence:
- Isolate affected systems — Disconnect infected machines from the network immediately, but do not power them off (forensic evidence may reside in volatile memory)
- Activate incident response plan — Engage the designated incident response team or external cybersecurity firm
- Assess the scope — Determine which systems, data, and backups are affected using network logs and endpoint detection data
- Preserve evidence — Retain logs, disk images, and ransom notes for law enforcement and forensic analysis
- Report to authorities — File a police report online and notify CSA via SingCERT. If personal data of 500+ individuals is affected, notify the PDPC within 3 days
- Restore from backups — Rebuild affected systems from clean, verified backups after the infection vector has been identified and remediated
- Conduct post-incident review — Document lessons learned, update security controls, and revise the incident response plan
SME Protection Measures
The CSA's SG Cyber Safe programme and industry associations recommend the following defensive measures, particularly for small and medium enterprises:
- 3-2-1 backup strategy: Maintain three copies of critical data, on two different media types, with one stored offline or offsite. Test restoration procedures quarterly
- Patch management: Apply security updates for operating systems, applications, and firmware within 48 hours of release for critical vulnerabilities
- Network segmentation: Separate operational networks from corporate networks and restrict lateral movement between segments
- Endpoint Detection and Response (EDR): Deploy EDR solutions on all endpoints with real-time monitoring and automated threat containment
- Privileged access management: Implement the principle of least privilege, require MFA for all administrative access, and monitor privileged account usage
- Email security: Deploy advanced email filtering, sandboxing for attachments, and URL rewriting for link inspection
- Employee training: Conduct awareness sessions specifically covering ransomware indicators and the procedure for reporting suspicious activity
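The 3-2-1 item above asks for a restore test every quarter, and a backup that merely exists is not the same as one that restores intact. As an added example (not from the CSA programme or any vendor), the script below checks a list of backup copies against the three 3-2-1 rules, then restores a constructed backup into a scratch directory and compares every file with a SHA-256 manifest recorded at backup time, so that a copy altered on disk is caught before it is relied on. The directory layout, manifest format and sample files are assumptions made for this example.

```python
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

def check_321(copies):
    """copies: list of {'location', 'media', 'offline'}; returns the rules that are violated."""
    problems = []
    if len(copies) < 3:
        problems.append("fewer than three copies")
    if len({c["media"] for c in copies}) < 2:
        problems.append("fewer than two media types")
    if not any(c["offline"] for c in copies):
        problems.append("no offline or offsite copy")
    return problems

def sha256(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def write_manifest(data_dir, manifest_path):
    """Record one SHA-256 per file at backup time, stored apart from the data."""
    data_dir = Path(data_dir)
    manifest = {p.relative_to(data_dir).as_posix(): sha256(p)
                for p in data_dir.rglob("*") if p.is_file()}
    Path(manifest_path).write_text(json.dumps(manifest))

def verify_restore(backup_dir, manifest_path, scratch_dir):
    """Restore into scratch_dir and return files that are missing or differ from the manifest."""
    restored = Path(scratch_dir) / "restored"
    shutil.copytree(backup_dir, restored)
    manifest = json.loads(Path(manifest_path).read_text())
    return sorted(rel for rel, digest in manifest.items()
                  if not (restored / rel).is_file() or sha256(restored / rel) != digest)

def run_demo(corrupt=False):
    """Build a constructed backup, optionally alter one stored file, and run the restore test."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        data = tmp / "backup_copy" / "data"
        data.mkdir(parents=True)
        (data / "ledger.csv").write_text("constructed sample record\n")
        (data / "clients.txt").write_text("constructed sample record\n")
        write_manifest(data, tmp / "manifest.json")
        if corrupt:  # simulate bit-rot or tampering of the stored copy after backup
            (data / "ledger.csv").write_text("altered\n")
        return verify_restore(data, tmp / "manifest.json", tmp / "scratch")
```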
The Insurance Dimension
Cyber insurance uptake among Singapore SMEs remains below 20%, according to industry estimates. Policies typically cover incident response costs, business interruption, data restoration, and third-party liability. However, insurers have progressively tightened underwriting requirements, often mandating specific security controls such as MFA, EDR, and offline backups as preconditions for coverage.
The Monetary Authority of Singapore (MAS) has issued guidance on cyber risk management for financial institutions, requiring regular cyber risk assessments, penetration testing, and board-level oversight of cybersecurity posture.
Content last reviewed: March 25, 2026