‘Tis the season! Winter holidays are upon us, and with them comes the yearly high-volume online shopping season we all know as Black Friday/Cyber Monday (BFCM). With total US consumer spending estimated at over $717 billion in the 2018 BFCM season, retailers know that the next few weeks are a critical time for their infrastructure. Unfortunately, so do ransomware attackers.
What will attackers be looking at?
The business of ransomware is a profit-driven one. Black Friday/Cyber Monday is arguably one of the worst times for a retailer’s digital infrastructure to go down, and ransomware operators have started to focus their efforts on retailers, who know that even 60 seconds of downtime can mean a large loss of sales. Knowing this, attackers work to get onto your network, find the most critical business systems, find where those systems are vulnerable and gain as much leverage as they can before attempting to extort you. They want you to see paying for the decryption keys as your only way out. While other malware attacks generally saw a 30-40% dip in incidents during the 2018 BFCM season, ransomware attacks saw an average increase of 500%, with the number of attacks on Black Friday itself a staggering 28x higher than the year before.
How would a ransomware attack affect a retail company if it was hit during the BFCM season?
The most obvious impact is the loss of the ability to operate and make sales. With thousands of customers looking to do their holiday shopping and take advantage of deals, consumers visiting the impacted sites may see more error messages and difficulties, which leads to higher shopping cart abandonment rates as they look for a different retailer to shop with. Ransomware attacks can also have negative, long-term effects on brand reputation and customer perception. According to a survey done by Carbon Black, 70% of consumers said they would consider refusing to shop with a retailer in the future if it was hit by ransomware.
What measures should retailers put in place to ensure they are best prepared?
1. Network Security/Segmentation
An effective way of containing and/or stopping a ransomware attack is by making sure your network does not offer any low-hanging fruit to a potential attacker. Make sure that remote access systems (such as RDP) require strong credentials, are not exposed to the Internet where that is avoidable, and are reachable only from where necessary. Check that security updates and patches are applied and up to date. Network segmentation, that is, using VLANs to isolate parts of the network from one another and restricting the traffic allowed between them, makes you less susceptible to attack. In a well-segmented network, attackers who gain access to a vulnerable part of it (a POS system, for example) are limited in what they can reach. Keep in mind that a VLAN on its own only separates broadcast domains; the containment comes from the ACLs or firewall rules that enforce which flows are allowed between segments, so those rules are what you should audit.
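One way to audit the segmentation rules described above is to state the intended inter-zone flows as an allow-list and check observed flows (from firewall or NetFlow logs) against it. The script below is an added example, not Tripwire's code; the zones, the allow-list and the log lines are constructed for illustration, and the key=value log format is a hypothetical one you would replace with your own firewall's format.

```python
"""Segmentation policy audit over constructed flow records (added example;
not Tripwire code). Zones, the allow-list and the sample log lines are all
hypothetical; in practice the flows would come from firewall or NetFlow logs
and the allow-list would mirror the inter-VLAN ACLs you intend to enforce."""
import ipaddress
import re

# Hypothetical zones: one VLAN/subnet each.
ZONES = {
    "pos": ipaddress.ip_network("10.10.0.0/24"),      # point-of-sale terminals
    "payment": ipaddress.ip_network("10.30.0.0/24"),  # payment gateway proxies
    "corp": ipaddress.ip_network("10.20.0.0/16"),     # back-office workstations
    "mgmt": ipaddress.ip_network("10.40.0.0/24"),     # jump hosts / admins
}

# The only inter-zone flows that should exist: (src zone, dst zone, dst port, proto).
ALLOWED_FLOWS = {
    ("pos", "payment", 443, "tcp"),
    ("mgmt", "pos", 22, "tcp"),
    ("mgmt", "corp", 3389, "tcp"),   # RDP only from the management zone
}

FLOW_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+) proto=(\w+)")


def zone_of(ip):
    """Map an address to its zone; anything outside known zones is 'external'."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "external"


def check_flow(src_ip, dst_ip, dst_port, proto):
    """Return None if the flow is permitted, otherwise a violation string."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src == dst and src != "external":
        return None                       # intra-zone traffic is out of scope here
    if (src, dst, dst_port, proto) in ALLOWED_FLOWS:
        return None
    return f"{src}->{dst} {src_ip}->{dst_ip}:{dst_port}/{proto}"


def audit(log_text):
    """Parse key=value flow records and return the list of violations."""
    violations = []
    for line in log_text.splitlines():
        m = FLOW_RE.search(line)
        if not m:
            continue
        src, dst, port, proto = m.groups()
        v = check_flow(src, dst, int(port), proto.lower())
        if v:
            violations.append(v)
    return violations


# Constructed flow records (not real logs): a POS terminal talking SMB to the
# back office, a workstation opening RDP to a POS terminal, and RDP reachable
# from an Internet address are the three that should never be seen.
SAMPLE_LOG = """\
src=10.10.0.15 dst=10.30.0.5 dport=443 proto=tcp
src=10.10.0.15 dst=10.20.1.7 dport=445 proto=tcp
src=10.20.1.7 dst=10.10.0.15 dport=3389 proto=tcp
src=203.0.113.9 dst=10.20.1.7 dport=3389 proto=tcp
src=10.40.0.2 dst=10.10.0.15 dport=22 proto=tcp
src=10.20.1.7 dst=10.20.1.9 dport=445 proto=tcp
"""

if __name__ == "__main__":
    for v in audit(SAMPLE_LOG):
        print("VIOLATION", v)
```

Run against real flow logs, every hit is either a rule to fix (the ACL is looser than the policy) or an incident to look at (the ACL is right and something is probing across segments); the external-to-corp RDP line is the "exposed where not necessary" case from the text.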
2. Backups
It’s so commonly said that it often falls on deaf ears: YOU NEED TO HAVE A BACKUP. Though not strictly a preventive measure, a surefire way to recover from a ransomware attack is to have regular, reliable and tested backups. Take the time to test your ability both to back up and to restore from those backups. Ideally, you should be doing regular checks on the functionality of your backups across all assets. At the very least, determine which systems are critical for operation and what their actual recovery points are. The U.S. Computer Emergency Readiness Team (US-CERT) recommends storing backups offline and verifying them regularly; the offline copy matters because ransomware that reaches a backup share or backup server with write access will encrypt the backups along with everything else. Having a backup means there’s no need to decide whether to pay a ransom or whether the attacker will even make good on decrypting your systems. Attackers have been known to “decrypt” a system after receiving a ransom payment but then persist and attack the system again at a later date. Having a backup avoids this issue entirely and gets you back to a known good point.
3. User Training
An often-overlooked attack surface is the user/staff. Given that many infections start with a user clicking a link or opening a malicious attachment, well-trained staff can significantly reduce your chances of falling victim to a ransomware attack. Consider making October a “Security Awareness Month” and reinforcing anti-phishing and security best-practice training. The training should include both “back of house” and “front of house” staff members.
4. Third-Party Support
Outsourcing the responsibility of securing your operation to a trusted provider is often a good way to keep up to date on protection technologies and strategies. The US National Institute of Standards and Technology’s security guide recommends partnering with a recognized and certified provider that is experienced in working with similar clients (in this case, retailers). Having reliable tools that monitor your systems for intrusions and file changes (such as the hash of a file changing because it has been encrypted) can also be critical in helping to identify and shut down an attack. (Additional ransomware prevention tips are also available on our blog: https://www.tripwire.com/state-of-security/security-data-protection/cyber-security/22-ransomware-prevention-tips/)
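The hash-based file change detection mentioned here and the backup verification recommended under "Backups" are the same mechanism: record a manifest of file hashes at a known good point, then compare. The script below is an added example, not Tripwire's product code; it builds such a manifest over a constructed temporary directory, shows that an untouched copy verifies clean, then simulates a ransomware run (a file overwritten with random bytes standing in for ciphertext, a file deleted, a ransom note dropped) and flags the modified file as suspicious because its contents now have near-maximal entropy. The threshold of 7.0 bits per byte is an assumption chosen for the demo.

```python
"""File-integrity baseline and verification (added example; not Tripwire's
product code). The same routine serves two purposes from the text above:
verifying that a backup set still matches the manifest taken when it was
made, and detecting the mass file changes a ransomware run produces.
All paths, file names and file contents below are constructed for the demo."""
import hashlib
import json
import math
import os
import tempfile

ENTROPY_THRESHOLD = 7.0  # bits/byte (assumed); ciphertext is close to 8, text is usually < 5


def sha256_file(path, chunk=1 << 16):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def entropy(data):
    """Shannon entropy in bits per byte; ~8.0 for ciphertext or random data."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def build_baseline(root):
    """Walk root and record hash and size of every regular file."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            baseline[rel] = {"sha256": sha256_file(full), "size": os.path.getsize(full)}
    return baseline


def verify(root, baseline):
    """Compare the tree under root with a saved baseline; a modified file whose
    contents are now high-entropy is reported as suspicious (likely encrypted)."""
    current = build_baseline(root)
    result = {"modified": [], "missing": [], "added": [], "suspicious": []}
    for rel, meta in baseline.items():
        if rel not in current:
            result["missing"].append(rel)
        elif current[rel]["sha256"] != meta["sha256"]:
            result["modified"].append(rel)
            with open(os.path.join(root, rel), "rb") as f:
                if entropy(f.read(65536)) > ENTROPY_THRESHOLD:
                    result["suspicious"].append(rel)
    result["added"] = sorted(set(current) - set(baseline))
    return result


def demo():
    """Build a tiny constructed data set, baseline it, then simulate ransomware."""
    root = tempfile.mkdtemp(prefix="fim-demo-")
    files = {"orders.csv": b"order_id,sku,qty\n1001,A-17,2\n1002,B-04,1\n" * 50,
             "config/app.ini": b"[db]\nhost=db01\n"}
    for rel, content in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(content)

    baseline = build_baseline(root)
    manifest = json.dumps(baseline)             # store this alongside the offline backup
    clean = verify(root, json.loads(manifest))  # an intact backup verifies clean

    # Simulated ransomware run: overwrite a file with random bytes (stand-in for
    # ciphertext), delete a file, and drop a ransom note.
    with open(os.path.join(root, "orders.csv"), "wb") as f:
        f.write(os.urandom(4096))
    os.remove(os.path.join(root, "config/app.ini"))
    with open(os.path.join(root, "README_DECRYPT.txt"), "wb") as f:
        f.write(b"Your files are encrypted.\n")
    after = verify(root, json.loads(manifest))
    return clean, after


if __name__ == "__main__":
    clean, after = demo()
    print("backup verifies clean:", not any(clean.values()))
    print("after simulated attack:", after)
```

The manifest must live somewhere the attacker cannot rewrite (with the offline backup, or signed), otherwise an attacker with the same access that let them encrypt the files can simply regenerate it; and a sudden burst of "suspicious" entries across many files is the signal worth alerting on, since normal operations rarely turn hundreds of text files into high-entropy blobs at once.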
Should retailers ever consider paying a ransom?
In the face of lost sales and a damaged reputation, it can be quite tempting to give in and pay the ransom (which averaged about $1.6 million per incident in 2018). In fact, many retailers and wholesalers do. The heartbreak is that among those who paid the ransom, only around 49% actually got their data back. Keep in mind, too, that attackers employ a well-known tactic of decrypting the victim’s data while maintaining a presence on the system (so they can easily attack and demand another ransom at a later date), and paying the ransom starts to look like a bleak mitigation option at best. The further issue is that each successful payoff encourages attackers to launch further attacks. In October 2019, the U.S. Federal Bureau of Investigation put out a public service announcement stating:
The FBI does not advocate paying a ransom, in part because it does not guarantee an organization will regain access to its data. In some cases, victims who paid a ransom were never provided with decryption keys. In addition, due to flaws in the encryption algorithms of certain malware variants, victims may not be able to recover some or all of their data even with a valid decryption key. Paying ransoms emboldens criminals to target other organizations and provides an alluring and lucrative enterprise to other criminals.
Learn how Tripwire's solutions can help protect your retail organization against ransomware attacks this holiday season by clicking here.