[BreachExchange] Ransomware And Retail

Audrey McNeil audrey at riskbasedsecurity.com
Tue May 9 19:22:12 EDT 2017


http://www.retailtouchpoints.com/features/executive-viewpoints/ransomware-and-retail

Imagine turning on your smartphone and finding that it has been completely
locked by a stranger, a cybercriminal, demanding payment. If you have
ever lost access to your phone for other reasons, you know the frustration
of not being able to get to your contacts, emails, calendar or any
communication convenience. Now imagine this frustration applied to your
entire retail operation — blocking all transactions and disrupting your
connection to the customer. This is what ransomware can do to your
enterprise.

The persistent need for transactions within retail makes it a highly
targeted industry. Everyone is painfully aware of the Target breach and the
various data breaches at multiple retailers that followed. On the periphery
are smaller POS skimmer attacks at specific stores, as well as the
ever-present mass proliferation of online product counterfeiting, knockoffs
and diversion. However, something much worse is coming: the power to
completely stop your business for hours, even days.

Ransomware Defined

The ransomware scheme is simple but effective. Ransomware, either
on a single device or a whole enterprise, is malicious software that
encrypts data storage, including software, rendering the technology
basically inaccessible to the user. The attacker presents the victim with
instructions to pay a ransom, usually in a virtual currency like Bitcoin
that is difficult to trace. Consider your logon screen, replaced with
another logon screen controlled by some remote criminal. Sometimes the
encryption can be defeated with decryption tools, but there may be better
solutions, discussed below.

Ransomware In The Enterprise

This threat is about shutting down your enterprise until the ransom is
paid. Ransomware has already been successfully used against dozens of major
hospitals, busy hotels, and even a San Francisco transportation authority.
These enterprises lost control of their operational systems. The “damage”
in these attacks is not being able to access your data or process to serve
clients. Your relationship with the customer is broken along with your
transaction-based income. Consider it a total loss of productivity until
the system is restored.

Think about what you have built over the last decade. Your retail operation
is a quality, consumer-driven platform. Whether the customer is in-store,
on their phone or on their laptop, they can get to the products they know
and trust. The bumps in web-carts and online transactions have all been
long smoothed over. Even through partner channels, your customers can
easily get to you and execute transactions with very little effort.

This value and trust took time to build. It is the value and trust that
will be used as leverage against you. Instead of your data and literal
money being seized, it is your relationship with the customer that is
actually held for ransom. Not only will transactions be blocked, but all
the market research and advertising dollars will be wasted.

Address The Problem Now, Not After

How much would your operation lose if it were down for eight hours? How
much would it lose in 24 hours? The simple answer is significantly more
than the attackers will ask for. Victims of ransomware may be shocked at
how little is actually demanded. The criminals have researched your company
and know your pain points as well as, and maybe even better than, you do.
Ransomware operators actually make the choice very easy. If your store
makes a daily average of $500K and the attacker wants $10,000, it will
usually be paid. Once paid, the criminals will unlock your computers and
your operation will return to normal. Not unlocking after payment would be
bad for the criminal business model.

The holiday season is often seen as a period of high risk for security, but
attacks appearing during the holidays have been months in the planning. The
time to think about security is all the time, because ransomware may
already be awaiting activation. This is why solutions need to be deployed
to the endpoints and not just the enterprise. Security teams need to look
at all devices on their network and add local protection. Cybereason has
developed and released a free ransomware prevention tool for Windows. This
type of measure should be applied to reduce the spread and activation of
ransomware. Start thinking about the whole enterprise as a collection of
potential threats.

Understand and then discuss the cycle of this attack with your staff.
Simply knowing that “ransomware” is out there is not enough. Thoughtful
executives need to understand why it is different from a data breach or
transaction skimming. This is an opportunity to create a culture of
security within your organization, one that fosters information sharing,
initiative and proactive security. When banks started going online in the
1990s, the criminals were ready with a number of attacks. Banks were slow
to respond, but have significantly hardened their environments following
various breaches. Retail can avoid mistakes made in the past by other
industries and protect itself now.

Finally, let your customers know that protecting them is your priority.
Your relationship to the consumer is everything; it is worth making them a
virtual partner in your efforts.

Criminals are going to target your retail operation with more sophisticated
attacks; this is a certainty. Executives should be aware of the threat and
how they can work with their various teams to prepare for the inevitability
of ransomware. The constant onslaught of critical management decisions does
not always leave time for strategic planning around digital enterprise
security. This is a fact that innovative organized crime entities are
counting on — that you are too busy to think about ransomware.