The past two years have seen merchants become frequent targets of ransomware attacks, largely due to their weaker cybersecurity practices. The threat only promises to get worse.
For cybercriminals, ransomware attacks are easy money. To cash in, attackers need only gain a foothold on a target’s network, typically by getting malware onto one machine. Once inside, they locate sensitive consumer data, encrypt it, and send the business a digital ransom note threatening to erase the data, or publish it online, unless the ransom is paid.
Upon payment, which typically takes place by depositing cryptocurrency in the attacker’s crypto wallet, the victim receives the key to decrypt the data.
Considering that ransom demands can range from five figures to millions of dollars, and that attacks will target multiple companies at once, that’s not a lot of work for a lucrative payday. Further enhancing the appeal is that cybercrooks don’t have to assume the risk involved in stealing and selling data, a crime that puts them at greater risk of being caught by law enforcement.
“Criminals can make so much money from ransomware, they only need to work a couple of months a year, if they choose,” says Gideon Samid, chief technology officer for McLean, Virginia-based BitMint, a digital currency. Samid writes the monthly “Security Notes” column for Digital Transactions.
No surprise, then, that ransomware has become one of the fastest-growing cybersecurity threats. In 2021, ransomware attacks represented 21% of reported data breaches, up from 17% in 2020, according to Risk Based Security Inc. Overall, ransomware attacks hit a remarkable 37% of all businesses globally last year, according to the PCI Security Standards Council. Of these, 32% paid a ransom demand, the Council says.
Ransomware has become so problematic the Council in February issued a joint bulletin with the National Cybersecurity Alliance warning about the growing threat. “These cyber threats are real and require immediate action to better protect against these ongoing criminal activities,” says Lance Johnson, the Council’s executive director.
Low-Hanging Fruit
Since the start of the Covid-19 pandemic in 2020, retailers in particular have come under severe attack. As of August 2021, 44% of retail organizations had been hit by ransomware in the last year. Of these, 54% said the attackers succeeded in encrypting their data, according to the latest figures from cybersecurity firm Sophos Ltd. The average ransom payment was $147,811, Sophos says.
There are myriad reasons why retailers have become such prime targets. First, many have experienced explosive growth in online sales during the pandemic, which in turn prompted those with a modest e-commerce presence to expand that part of their business or add an e-commerce channel if they lacked one. But, by expanding their e-commerce operations, retailers unwittingly opened up more avenues of attack for hackers.
Furthermore, some retailers expanded their e-commerce operations so rapidly that appropriate cybersecurity was left behind, says Daniel Tobok, chief executive of Cytelligence, a Toronto-based cybersecurity firm.
Another contributing factor is that merchants typically don’t spend as much on cybersecurity as a financial institution or payment processor does, even though they house reams of personal consumer and account data. In many cases, retailers’ cyber defenses meet payment card industry (PCI) security standards, but they rarely extend beyond those minimums.
Retailers may struggle to justify the return on investment from more extensive cybersecurity spending and instead prefer to view security as a one-time investment. And some retailers operate legacy systems that are costly and time-consuming to update, while others face the challenge of integrating disparate systems from a recent merger or acquisition.
But the most telling reason for retailers’ susceptibility to attack is that criminals know they are likely to pay. In 2020, 32% of retail organizations whose data was encrypted as part of a ransomware attack paid the ransom to recover their data, according to the latest figures from Sophos.
Complicating matters is that many retailers can’t afford to have their businesses shut down for any length of time. Paying the ransom is often seen as the easiest and most cost-effective path to getting back in business quickly, cybersecurity experts say. Another key factor in the decision is whether the company has insurance covering a ransomware attack.
“Whether or not to pay a ransom is a business decision,” says Dan Holden, vice president for cybersecurity at Austin, Texas-based e-commerce platform provider BigCommerce Inc. “It’s not uncommon for retailers to figure the [return on investment] of paying vs. not paying, especially if they have no hard-and-fast rules in place for dealing with a ransomware attack.”
For some retailers, indeed, the decision whether to pay a ransom has been made in advance, which is why they have pre-funded cryptocurrency wallets at the ready. Not surprisingly, criminals know this, experts say.
“This strategy has unwittingly made it easier for criminals to launch attacks, because cryptocurrency is how they want to be paid [because of the anonymity it provides],” says Tari Schreider, strategic advisor for the cybersecurity practice at Aite-Novarica Group, a Boston-based consultancy. “Ransomware attackers view retailers as low-hanging fruit.”
A retailer initially may refuse to pay the ransom, but cybercrooks have contingencies in place. One tactic is to shame the retailer on social media by publicizing the attack and the retailer’s unwillingness to pay the ransom. Such tactics can damage the target’s brand and drive away repeat customers, who may fear their data is inadequately protected.
“Criminals have multiple avenues for coercing people into paying beyond just encrypting data,” says Schreider.
Watering Holes
Further fueling the rise of ransomware attacks is advances in the technology itself, which has made the crime even more financially attractive.
One of the biggest game-changers to emerge is ransomware-as-a-service (RaaS), which allows larger criminal organizations to sell their proprietary ransomware to affiliates in exchange for a monthly or one-time licensing fee or a percentage of each ransom paid to the affiliate. RaaS is a criminal variation of the increasingly popular software-as-a-service (SaaS) business model.
The rise of RaaS has made it remarkably easy for criminals to get into the game, which has only exacerbated the ransomware threat.
Indeed, “cybersecurity experts have reported that almost two-thirds of 2020 ransomware attacks came from cybercriminals operating on a RaaS model,” says Marwan Forzley, chief executive of Veem, a San Francisco-based online-payments platform.
“It is also predicted that RaaS will rise in 2022 as attackers with non-technical knowledge can carry out the attack more easily by purchasing ransomware kits,” Forzley says. “What makes it worse is that some ransomware creators provide the ransomware kits for free in exchange for a share of the profit.”
A RaaS kit can be readily purchased on the dark Web. With the kit, a novice attacker can open and pay for an account using Bitcoin, then get access to programming code and instructions for easily creating a malware program. The most sophisticated RaaS operators reportedly offer portals that let their subscribers see the status of infections, total payments, total files encrypted, and other information about their targets, as well as provide access to support, user communities, updates, and other benefits.
The most common way into a network is phishing. A criminal masquerading as a trusted sender emails an unsuspecting employee a malicious attachment or link; opening the attachment or following the link downloads and runs the malware. Once it is running, criminals can harvest employee usernames and passwords that open doors to sensitive data within the network, often without being detected.
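Because phishing depends on the sender looking trusted, a first line of defense is checking the sender headers for the spoofing patterns described above: look-alike domains, a trusted brand name embedded in an unrelated domain, a display name that claims the brand while the address points elsewhere, and replies diverted to a third domain. The following is an added example written for this article, not code from any company quoted here; the trusted-domain list and the three sample messages are constructed for illustration, and the check deliberately stops short of SPF/DKIM alignment, which a mail gateway would verify separately.

```python
"""Score e-mail headers for common sender-spoofing patterns.

Added example for this article; not code from any company quoted here.
The trusted-domain list and the sample messages below are constructed.
"""
import email
from email import policy
from email.utils import parseaddr

# Assumption: domains this merchant's staff legitimately receive mail from.
TRUSTED_DOMAINS = {"example-bank.com", "example-retailer.com"}

# ASCII look-alike substitutions seen in spoofed domains ("examp1e", "exarnple").
CONFUSABLE = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"))


def skeleton(domain: str) -> str:
    """Collapse look-alike characters so a spoofed domain compares equal to the real one.

    Applied to both sides of the comparison, so legitimate digits in a trusted
    domain do not cause false mismatches.
    """
    d = domain.lower()
    for lookalike, real in CONFUSABLE:
        d = d.replace(lookalike, real)
    return d


def domain_of(header_value: str) -> str:
    """Domain part of the first address in a From/Reply-To header, lower-cased."""
    _name, addr = parseaddr(str(header_value))
    return addr.rpartition("@")[2].lower()


def phishing_indicators(raw_message: str) -> list[str]:
    """Return human-readable indicators found in the headers (empty list = none)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    from_header = str(msg.get("From", ""))
    display_name, _addr = parseaddr(from_header)
    from_domain = domain_of(from_header)
    reply_to = msg.get("Reply-To")
    findings: list[str] = []

    if from_domain in TRUSTED_DOMAINS:
        return findings  # exact match; SPF/DKIM alignment is a separate check not shown

    trusted_skeletons = {skeleton(t): t for t in TRUSTED_DOMAINS}
    brand_labels = {t.split(".")[0] for t in TRUSTED_DOMAINS}  # e.g. "example-bank"
    from_skeleton = skeleton(from_domain)

    # 1. Look-alike registration: examp1e-bank.com, exarnple-bank.com
    if from_skeleton in trusted_skeletons:
        findings.append(f"look-alike of {trusted_skeletons[from_skeleton]}: {from_domain}")

    # 2. Trusted brand embedded in an unrelated domain: example-bank.com.login-portal.net
    for label in brand_labels:
        if label in from_domain and from_skeleton not in trusted_skeletons:
            findings.append(f"trusted name '{label}' embedded in untrusted domain {from_domain}")

    # 3. Display name claims the brand while the address is somewhere else
    for label in brand_labels:
        if label in display_name.lower():
            findings.append(f"display name impersonates '{label}' but sender is {from_domain}")

    # 4. Internationalised (punycode) label can hide Unicode homoglyphs
    if any(part.startswith("xn--") for part in from_domain.split(".")):
        findings.append(f"punycode label in sender domain {from_domain}")

    # 5. Replies diverted to a third domain
    if reply_to and domain_of(reply_to) != from_domain:
        findings.append(f"Reply-To domain {domain_of(reply_to)} differs from From domain {from_domain}")

    return findings


# Constructed sample messages (headers only; bodies are irrelevant to these checks).
SAMPLES = {
    "legit": "From: Alerts <alerts@example-bank.com>\nSubject: Statement\n\nbody\n",
    "lookalike": "From: Example-Bank Alerts <alerts@examp1e-bank.com>\n"
                 "Reply-To: billing@mailbox-relay.net\nSubject: Urgent\n\nbody\n",
    "embedded": "From: Support <it@example-retailer.com.secure-login.net>\nSubject: Reset\n\nbody\n",
}


def scan_samples() -> dict[str, list[str]]:
    """Run the indicator checks over every constructed sample."""
    return {name: phishing_indicators(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, hits in scan_samples().items():
        print(f"{name}: {hits or 'no indicators'}")
```

On the constructed samples the legitimate message produces no indicators, the look-alike message trips the look-alike, display-name and Reply-To checks, and the embedded-brand message trips only check 2. In production this logic belongs in the mail gateway or a SIEM enrichment step, where the findings become a score that routes the message to quarantine or adds a warning banner rather than blocking outright.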
Other types of attack include downloading malware to a computer when an employee visits an infected Web site; fake service scams, such as technical-support ploys that launch malware to the employee’s computer when the user clicks on the service message or pop-up window; and malicious links or attachments in an email.
Attacks can also be launched against vendors connected to a targeted company’s network. The vendors then unwittingly transfer the malware to their trading partners.
One of the more exotic tactics, though, is a so-called watering-hole attack. This tactic, which got its name because criminals launch it where potential targets are likely to congregate on the Internet, poses a considerable threat because it is difficult to detect. The attacks can target individuals, a group of people, or an entire organization. When the intended target arrives at the “watering hole,” the attacker pounces.
Once the victim’s device is infected, the user can easily spread the malware to other employees through email, file sharing, or other forms of digital communication over the company network, which in turn opens more attack surfaces to execute a ransomware attack, says BigCommerce’s Holden.
“The sophistication of a ransomware [attack] is usually determined by who the intended target is and the sophistication of their cyber defenses,” he adds. “Less-sophisticated attacks tend to be more spray-and-pray style, [and] are driven by botnets.”
A botnet is a network of compromised devices under an attacker’s remote control. Botnet-driven campaigns push malware to large numbers of targets at once, without tailoring the lure to any one of them.
A Blind Eye
While much has changed on the ransomware landscape the past couple of years, one thing that hasn’t is where the attacks originate. Russia, China, Iran, and North Korea are the nations that account for about 80% of all attacks, says Aite-Novarica’s Schreider.
One reason Russia is a popular home to cybercriminals, Holden notes, is that it is common knowledge the government will turn a blind eye to such activity as long as the cybercrooks confine their attacks to companies outside the country.
Guarding against ransomware attacks requires a great deal of diligence. Best practices include keeping tight control over network access keys and passwords, using strong passwords, preferably uncommon passphrases, and not reusing passwords across multiple sites.
Other strategies include regularly changing passwords and usernames, though current NIST guidance (SP 800-63B) advises against forcing periodic password rotation absent evidence of compromise, favoring long, unique passphrases and multifactor authentication instead. “Criminals hate seemingly random security changes,” says BitMint’s Samid. “It requires a lot of work to make those changes regularly, but they can dramatically improve cybersecurity.”
The best defenses against ransomware, however, are employee awareness of the problem and a companywide commitment to prioritize cybersecurity daily. “In the majority of cases, the attack vectors would fail if people were aware and prioritized cybersecurity in their day-to-day activities,” says Cytelligence’s Tobok.
“The majority of [cybersecurity] gaps can be rectified with little to no cost, such as configuring multifactor authentication on cloud email systems, limiting access to externally facing systems, and ensuring backup servers are protected in the event threat actors utilize privileged accounts [to launch an attack],” Tobok continues. “Most of these changes require no additional expenditure except solid processes and some attention.”
Still, no matter how strong a retailer’s cyber defenses, there is always a risk a cybercriminal will find a way to beat them. So one thing retailers need to keep in mind is that if they choose to pay a ransom, they will become known marks to other hackers, and will likely become the target of later attack from another criminal. As a result, retailers should reassess and revamp their cybersecurity after a ransomware attack, experts say.
“If the business did not learn anything from the attack, did not improve its security posture and close off any security gaps, they are 100% more likely to get hit again and again,” says Tobok. “This is precisely why it is critical that any [cyber incident/attack] is investigated properly without cutting any corners. Those who forget history are doomed to repeat it.”
With cybersecurity experts forecasting no slowdown in ransomware attacks, and with merchants as a prime target, it’s not a question of if a retailer will be attacked, but when.