[BreachExchange] Ransomware’s lucrative next stop? The Point of Sale

Audrey McNeil audrey at riskbasedsecurity.com
Mon Dec 4 19:22:55 EST 2017


https://www.helpnetsecurity.com/2017/12/04/ransomware-pos/

With the influx of credit card breaches over the past few years at major
brands, hackers may have reached a point of supply exceeding demand, as
awareness of breaches, security on credit cards, and excess supply have all
led to a reported drop in prices on the dark web for stolen data.

Researchers have seen prices for stolen card information drop from $30 to
as low as $5, depending on the data.

If we are to believe that the price of stolen credit card data is in fact
dropping, where are hackers going to turn next? The instances of point of
sale (POS)-based ransomware have been sporadic so far, but what’s to stop
the POS malware trend from turning into this potentially devastating,
evolved threat? If retailers don’t protect themselves properly, this is a
very real possibility for 2018.

It’s not just about paying the ransom

Malware takes months to siphon credit card data from infected systems.
Rather than gain access to a national chain’s POS to exfiltrate credit
cards, cybercriminals could deploy ransomware that shuts down the POS
systems, effectively bringing the business and all revenue to a screeching
halt.

In the case of a retailer, ransomware isn’t about paying to get data back,
it’s about paying to get access to your POS systems back, and, hence, bring
your business back to life. It becomes a cost of lost revenue exercise, a
much more tangible problem to retailers for whom a day of lost revenue may
never be recovered.

This would likely prompt stores to pay the ransom right away, allowing the
threat actors to profit within minutes. And with the impressive success of
the global WannaCry and NotPetya outbreaks this year, cybercriminals are
taking notice of what works.

Do-or-die

Companies hit by these attacks will be in a do-or-die position, because
these incidents are often very public and disabling. They could suffer:

- Immobilized store operations and sales for the period of the attack
- An inability to access much or all of their critical business systems
- Loss of consumer trust and revenues, as shoppers take their business
elsewhere
- The potential that customers will never return due to fears of having
their financial data compromised
- Potential total loss of customer and business data if systems are not
fully restored

What about the damage?

To put the potential damage in perspective, at big brand retailers, stolen
credit card data could net upwards of $10 million. A great return for sure,
but one that requires the malware to sit undetected for months. Now
consider the impact on that business if the same breach were ransomware
instead of card-stealing malware, because ransomware only has to persist
for seconds, not months, to be effective.

Consider a major national retail chain with annual revenues of $1.25
billion, about $3.5 million per day. If ransomware had infected that
retailer instead of card-stealing malware, and that ransomware halted its
POS system, the brand would bleed $3.5 million per day in actual revenue,
plus more in data breach fines, brand reputation damage, and lost customer
loyalty.

Such a retailer would likely be reluctantly willing to pay a ransom of that
same $10 million, which is less than it would lose if it restored
operations on its own in just 2-3 days. That is the same revenue the
card-stealing malware netted, but now requiring seconds of persistence
rather than months.

Stay ahead of threats

This goes to show that a major ransomware attack could forever harm the
competitiveness of a large retailer. It could even put a small- to
medium-size retailer out of business after just one breach. To prevent this
from happening, retailers should set up a next-generation security system.
Buy, build, or borrow the resources to stay ahead of threats and stop
ransomware in its tracks with:

- Deploy a next-generation firewall with rules you configure to control
incoming and outgoing traffic, and manage it 24/7 to keep it effective.
- Properly deploy SIEM to analyze all of your data, filtering out the
‘noise’ or false positives that can make it difficult to detect threat
patterns and anomalies that indicate early-stage attacks. The SIEM will
issue alerts, so that you can take immediate action when warranted.
- Employ Threat Detection and Response that will detect incoming and
existing malware, whether it is located on a POS system, workstation, or
network. Set it to automate immediate, direct remediation, which will help
with some threats.
- Augment your team with SOC-as-a-Service, to do around-the-clock
monitoring, evaluation, and response of all security alerts. This team can
evaluate the universe of threats you face, triage them, and escalate
resources to deal with critical threats on an ongoing basis.
- Leverage the power of machine learning with User Entity Behavior Analysis
(UEBA). This model will do a deep dive on your logs and reports to get
better and better at threat detection over time.

These tips should enable companies to expand their businesses while keeping
their customers’ data secure and loyalty strong in 2018 and beyond, even as
enterprising cybercriminals move toward the lucrative POS ransomware
approach.