Damage Control

With ransomware attacks on the rise, retailers can take steps to secure their networks and assets.

April 2021

By: Jerry Soverinsky

Days before Black Friday this past November, South Korean conglomerate E-Land, which owns 60 brands, including dozens of retail stores, restaurants and hotels, suffered a ransomware attack on its corporate network. To minimize the damage and prevent further disruption, the company closed 23 of its 50 physical NC Department Store and NewCore Outlet stores.

The closures represented 46% of the company’s total stores, exacting a significant revenue loss during the busy Thanksgiving week sales period. Yet the short-term hit no doubt paled in comparison to the potential long-term damage had the attack spread to the remainder of E-Land’s stores and other properties. (As of this writing, the case is unresolved, with E-Land denying paying anything to the cybercriminals and an investigation and remediation efforts ongoing.)

While retail events in South Korea may not garner much notice here in the U.S., in a digital world unrestrained by physical boundaries, the scenario should serve as a warning to any company whose balance sheet provides temptation for cyberthieves. Cybersecurity firm McAfee, in fact, warned retailers to be vigilant against attacks over the Black Friday week and through New Year’s, citing its July 2020 report that found cyberattacks against retailers had climbed 15% in the first quarter of 2020. “This is serious business for the cybercriminals, and protecting your systems, customers and even vendors must be a priority,” it said.

So just what is ransomware, and what can retailers do to prevent an attack or mitigate the impact should their system become compromised?

Ransomware Defined

A ransomware attack occurs when a cybercriminal encrypts the data on a victim's computer systems, and often the data on any shared or backup storage those systems can reach, holding the network and its data "hostage" until a ransom is paid. "It's a variant of what you'd consider malware," explained Tom Callahan, director of MDR operations for ControlScan. "It's software that is designed to not only access, infiltrate and exfiltrate data off a customer system but also then encrypt the data on the customer's system with the sole purpose of a financial gain."

The delivery method varies: a user may be tricked into opening a malicious attachment, downloading malware or visiting a website that triggers an automatic download. Once the malicious code runs, it rapidly encrypts files, renders systems unusable and displays a demand for payment to unlock them. And when it comes to a c-store, the entry points are numerous.

“In a c-store, these attacks can start at the POS, the front of the store or the back of the store,” Callahan said. “Because the systems are interconnected, the operation can start at one point and then move laterally, spreading to other systems in hours or even minutes, subjecting all systems on the network to ransomware.”

According to Callahan, convenience stores are an attractive ransomware target, with millions of transactions and their accompanying bank account numbers, credit card numbers and personally identifiable information accumulating each day.

Cybercriminals are finding success. A May 2020 report by Sophos found that 59% of energy, oil/gas and utility companies surveyed across 26 countries had suffered a ransomware attack in the past year, with 47% of smaller organizations (fewer than 1,000 employees) and 54% of larger ones (1,001 to 5,000 employees) reporting an attack. These attacks are overwhelmingly successful (for the attackers): in 73% of them, the criminals succeeded in encrypting the data they targeted.

These are more than just statistics, with the attacks producing profound and very tangible impacts on corporate balance sheets. Depending on the compromised company and its resources, ransom demands can reach into the millions of dollars, with hackers threatening to publish stolen data online unless payment is made. “Targeted companies effectively face a tough choice,” reported the Wall Street Journal in November 2020. “Either pay the attackers or hire others to help recover systems, which can take weeks or longer” at great expense.

But payment comes at a legal cost. “The U.S. Treasury recently issued an advisory of potential sanctions for paying ransomware,” said Ajith Edakandi, director of product management and marketing for Hughes, during a recent Conexxus webinar. “So, if you look at it, once you’ve been hit by ransomware, you’re between a rock and hard place. Do you pay and get back to normal, but then possibly get sanctioned? Or do you not pay and accept the total loss of your data?”

Protecting Systems

The choice, of course, becomes moot if systems are protected and are able to prevent a ransomware attack from locking up data. That requires a proactive security posture. “Traditional services are becoming ineffective,” Edakandi said. “The protection you need today is for fileless attacks and even insider threats. These are some of the most sophisticated and damaging, and these are the ones which require more analysis to determine if it’s a true threat.”

For that, Edakandi recommends a solution powered by artificial intelligence, where machine learning can “understand and detect unknown threats, mitigating them before it’s too late.”

The most susceptible points are network endpoints, Edakandi said. “These are the devices on your store’s network, like tablets, laptops, connected devices, forecourt controllers and tank monitors. … They should be protected before they are exploited.”

Whatever solution retailers ultimately deploy—they come in a variety of three-letter acronyms today, like EDR (endpoint detection and response), MDR (managed detection and response) and XDR (extended, or cross-layered, detection and response)—Callahan recommends using one that incorporates a systematic process of assessment, detection, monitoring and response capabilities.

“First, you need to understand your environment and its susceptible points,” he said. “A lot of companies can help you see where those vulnerable points are. You can’t implement a solution unless you know your risks.”

Once retailers have performed the assessment, they should review who uses the environment and their access points. “You don’t want to have a system with highly regulated data being used for browsing Facebook and checking email,” Callahan said. “The personal use of corporate devices is where over 90% of attacks start, so you don’t want to have non-work activity on those devices.”

Heed Alerts

From there, review monitoring and detection capabilities. “You don’t want to find out from an employee that everything was locked down because of ransomware,” Callahan said. To that end, a managed detection and response solution can help identify attacks and either block them or stop them from spreading.

Edakandi agreed: “The right managed security service provider should be a 24/7 managed service, with an augmented SOC (security operations center) and one that is staffed by qualified support personnel.”

Alongside these preventive measures, retailers should develop a compliance framework that addresses PCI DSS and other applicable standards and regulations, including requirements such as capturing and retaining log data so that an attack can be detected and later investigated.
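The monitoring capability described above has to act on something concrete in the logs. The following is an added example, not code from the article or from ControlScan or Hughes, of two detection rules a practitioner would expect any EDR or MDR service to cover: the recovery-destruction commands ransomware typically runs before encrypting (shadow-copy deletion, backup-catalog deletion, disabling boot recovery), and a burst of file renames to a single new extension by one process, which is the encryption phase itself. The pipe-delimited event format, the host and process names, the thresholds and the sample log lines are all constructed for illustration.

```python
"""Ransomware precursor detection over process and file-rename events.

Added example, not from the article or its quoted vendors. It assumes a
simplified, pipe-delimited event line (constructed for illustration):
    timestamp|event_type|host|process|details
with event_type "process_create" (details = command line) or
"file_rename" (details = "<old path> -> <new path>").
"""
import ntpath
import re
from collections import defaultdict, deque
from datetime import datetime

# Commands ransomware families commonly run to destroy local recovery
# options before encrypting: shadow copies, backup catalog, boot recovery.
PRECURSOR_PATTERNS = [
    ("shadow_copy_deletion", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("shadow_copy_deletion", re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("backup_catalog_deletion", re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I)),
    ("recovery_disabled", re.compile(r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no", re.I)),
]

# Mass renaming to one new extension by a single process is the encryption
# phase itself. Both thresholds are assumptions; tune them per site.
RENAME_BURST_THRESHOLD = 20
RENAME_WINDOW_SECONDS = 60


def parse_event(line):
    """Split one log line into a dict, or return None if it is malformed."""
    parts = line.strip().split("|", 4)
    if len(parts) != 5:
        return None
    ts, etype, host, proc, details = parts
    try:
        when = datetime.fromisoformat(ts)
    except ValueError:
        return None
    return {"ts": when, "type": etype, "host": host, "process": proc, "details": details}


def detect(lines):
    """Return a list of alert dicts in the order the evidence appears."""
    alerts = []
    rename_windows = defaultdict(deque)   # (host, process, new_ext) -> timestamps
    bursts_reported = set()

    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue

        if ev["type"] == "process_create":
            for rule, pattern in PRECURSOR_PATTERNS:
                if pattern.search(ev["details"]):
                    alerts.append({"rule": rule, "host": ev["host"],
                                   "process": ev["process"], "evidence": ev["details"]})
                    break

        elif ev["type"] == "file_rename":
            _, _, new_path = ev["details"].partition(" -> ")
            new_ext = ntpath.splitext(new_path)[1].lower().lstrip(".")
            key = (ev["host"], ev["process"], new_ext)
            window = rename_windows[key]
            window.append(ev["ts"])
            # Drop renames that fell out of the sliding window.
            while (ev["ts"] - window[0]).total_seconds() > RENAME_WINDOW_SECONDS:
                window.popleft()
            if len(window) >= RENAME_BURST_THRESHOLD and key not in bursts_reported:
                bursts_reported.add(key)
                alerts.append({"rule": "rename_burst", "host": ev["host"],
                               "process": ev["process"],
                               "evidence": f"{len(window)} files renamed to .{new_ext} "
                                           f"within {RENAME_WINDOW_SECONDS}s"})
    return alerts


# Constructed sample: a benign process start, two recovery-destruction commands
# on a register, one benign rename, then 25 renames to ".locked" in 25 seconds.
SAMPLE_LOG = [
    "2021-04-01T02:13:05|process_create|POS-REG1|explorer.exe|C:\\Windows\\explorer.exe",
    "2021-04-01T02:13:07|process_create|POS-REG1|cmd.exe|cmd.exe /c vssadmin.exe delete shadows /all /quiet",
    "2021-04-01T02:13:08|process_create|POS-REG1|cmd.exe|cmd.exe /c bcdedit /set {default} recoveryenabled no",
    "2021-04-01T02:13:09|file_rename|BACKOFFICE|winword.exe|C:\\Users\\mgr\\report.tmp -> C:\\Users\\mgr\\report.docx",
] + [
    f"2021-04-01T02:13:{10 + i:02d}|file_rename|BACKOFFICE|update.exe|"
    f"C:\\Share\\invoices\\{i:03d}.xlsx -> C:\\Share\\invoices\\{i:03d}.xlsx.locked"
    for i in range(25)
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Run against the constructed sample, the detector raises three alerts: the two recovery-destruction commands on the register, and the rename burst once the twentieth file on the back-office share is renamed. The rename rule fires on the encryption phase, so by the time it triggers some data is already lost; the precursor rules are the ones that give a response team the minutes Callahan describes, which is why they are worth tuning to alert loudly even though legitimate administrators occasionally run the same commands.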

What to Do If Attacked

Even the most proactive cybersecurity efforts are not foolproof, which speaks to the need for adopting response and recovery capabilities. If a system is being held ransom, “Be careful and don’t turn everything off, because there’s a further risk of corrupting your data if you decide to restore it on your own,” Callahan said.

From there, recovery efforts unfold. Their success and timing depend on the availability of backups and their condition: when they were taken, whether the attacker reached and encrypted them too, and how much data changed since. As a result, the restoration process can take hours, days or even a few months, Callahan said.
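Because recovery hinges on the condition of the backups, a practitioner wants to verify that condition before relying on them, and ideally on a schedule rather than after an attack. The following is an added example, not code from the article or from ControlScan, of such a check: it compares each backup file against a hash manifest written when the backup was taken, and flags files that are missing, files that no longer match, and, among the mismatches, files whose byte entropy looks like ciphertext, which is what a backup share that the ransomware reached looks like. The manifest format, the file names and the demo backup set are hypothetical and constructed here; the manifest must be stored offline or on immutable storage, because a manifest the attacker can rewrite proves nothing.

```python
"""Backup condition check before restoring from ransomware.

Added example, not from the article. It assumes a hypothetical manifest
written when the backup was taken (and kept offline, where the attacker
could not rewrite it): one "<sha256 hex>  <relative path>" line per file.
The check finds files that are missing, files whose content changed since
the manifest was written, and, among those, files that look encrypted.
"""
import hashlib
import math
import os
import tempfile
from collections import Counter

# Uniform random bytes score close to 8.0 bits/byte; encrypted backups
# therefore sit above this line, while text, JSON and SQLite sit well below.
ENTROPY_THRESHOLD = 7.5


def shannon_entropy(data):
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def parse_manifest(text):
    """Map relative path -> expected sha256 hex digest."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, rel = line.partition("  ")
        expected[rel.strip()] = digest.lower()
    return expected


def verify_backup(backup_dir, manifest_text):
    """Classify every manifest entry: ok, missing, mismatch, suspect_encrypted."""
    report = {"ok": [], "missing": [], "mismatch": [], "suspect_encrypted": []}
    for rel, digest in parse_manifest(manifest_text).items():
        path = os.path.join(backup_dir, rel)
        if not os.path.isfile(path):
            report["missing"].append(rel)
            continue
        with open(path, "rb") as fh:
            data = fh.read()
        if hashlib.sha256(data).hexdigest() == digest:
            report["ok"].append(rel)
            continue
        report["mismatch"].append(rel)
        if shannon_entropy(data) > ENTROPY_THRESHOLD:
            report["suspect_encrypted"].append(rel)
    return report


def build_demo_backup():
    """Construct a throwaway backup set: one intact file, one overwritten with
    ciphertext-like bytes after the manifest was written, one deleted."""
    root = tempfile.mkdtemp(prefix="backup-demo-")
    files = {
        "pos/config.json": b'{"register": "REG1", "tls": true}\n',
        "db/customers.csv": b"id,name\n1,Example Customer\n" * 200,
        "db/sales.sqlite": b"SQLite format 3\x00" + b"\x00" * 1024,
    }
    manifest_lines = []
    for rel, content in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)
        manifest_lines.append(f"{hashlib.sha256(content).hexdigest()}  {rel}")
    # Simulate the attacker reaching the backup share after the manifest was taken.
    with open(os.path.join(root, "db/customers.csv"), "wb") as fh:
        fh.write(os.urandom(4096))
    os.remove(os.path.join(root, "db/sales.sqlite"))
    return root, "\n".join(manifest_lines)


if __name__ == "__main__":
    backup_dir, manifest = build_demo_backup()
    for status, names in verify_backup(backup_dir, manifest).items():
        print(f"{status:18s} {names}")
```

On the constructed set, the config file verifies, the customer file is reported as both mismatched and suspect-encrypted, and the database is reported missing. The entropy test is a heuristic: already-compressed or encrypted-by-design backups score high legitimately, so for those the hash mismatch alone is the signal. The point of running this routinely is that it also answers Callahan's first question, when the backups were taken, with something better than a file timestamp that an intruder can reset.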

Without backups, the process becomes more complicated. If companies have cyberinsurance, they will need to work with their provider and their facilitators to negotiate a ransom payment—if they decide to pay. “That could take a couple of days just to have the conversation before you agree on an amount,” Callahan said.

If companies commit to paying a ransom, they'll need a facilitator to negotiate the bitcoin transfer, which carries multiple complexities. Of course, the payment itself can be illegal, depending on your jurisdiction, current laws and who the recipient turns out to be (see the Treasury advisory above). "In which case, you might have to shut your doors," Callahan said.

The latter is an extreme but conceivable scenario. “You don’t often hear of cases where people couldn’t or didn’t pay and lost their business. But it could happen,” Callahan said. “You could lose your business because one of your employees opened an email.”

Jerry Soverinsky is a Chicago-based freelance writer and NACS Magazine contributing writer. He can be reached at [email protected].
