Ransomware attacks are on the rise and becoming the weapon of choice for cybercriminals. Most recently, ransomware attacks have disrupted a major gasoline pipeline and food supplies. Cybersecurity experts told the Washington Post that ransomware attacks have become “a national security, public health, and safety threat.”
Retailers are a preferred target of ransomware attacks. In 2020, North American retailers suffered at least 142 data extortion attacks. Ransomware attacks on retailers have surged, increasing by more than 159% in the last year. And ransomware attacks on retailers show no sign of slowing in 2021. In early July, Guess?, Inc. notified individuals of an attempted ransomware attack on their systems. In April, the Home Hardware Store, Ltd., a Canadian-based retail hardware chain with 1,060 stores, was attacked with ransomware. In January, a large retailer, Dairy Farm, suffered a ransomware attack that led to a $30 million ransom demand.
Ransom payments can be in the millions of dollars. One insurance company reportedly paid $40 million to cybercriminals. Colonial Pipeline, the company that shut down a major gas pipeline after a ransomware attack, paid nearly $5 million. In the retail industry, the estimated cost of ransomware attacks could range from $85 to $193 billion. Retail companies should therefore be proactive in addressing the growing threat of ransomware. But before taking any steps to protect against an attack, it is important to have a general understanding of ransomware attacks and how they work.
What is a ransomware attack?
Ransomware is designed to extort ransom payments from companies. Cybercriminals lock companies out of their computer systems and files by encrypting a company’s digital files and holding the decryption key hostage until the company pays the ransom. While they’re at it, cybercriminals may also steal sensitive information and threaten to release the information on the Internet unless the company pays the ransom.
How does a ransomware attack work?
Cybercriminals generally use two tactics to infect a company’s computer system. The more common tactic starts with a phishing email. These emails deceive the victim by appearing as e-mails from a trusted source. Cybercriminals design these emails to bait the victim into clicking on a link or attachment that then gives the cybercriminal access to encrypt files and folders on the company’s system. The second, less common tactic involves cybercriminals finding and exploiting a vulnerability in the company’s network in order to download the ransomware into the company’s systems.
The aftermath of a ransomware attack
Ransomware attacks can be devastating for several reasons. First, a ransomware attack can disrupt all operations in an instant. Shifting to pen-and-paper overnight – without email or virtual communications – is downright debilitating in this digital age. Second, companies must make the difficult decision of whether they should pay the ransom demand, which can range from six- to eight-figure sums in a cryptocurrency of the cybercriminals’ choice. Third, recovering from a ransomware attack can be more time-consuming and expensive than the ransom itself. According to a group of cybersecurity experts, it takes an average of 287 days for a company to recover its systems from a ransomware attack. Companies also have to restore systems, build better security mechanisms, provide notice to impacted parties, and ensure that the cybercriminals did not leave themselves secret access to the victim’s systems through a backdoor, all of which cost significant time and money. Fourth, ransomware attacks can damage a company’s brand, especially for retail companies. A 2020 survey showed that a ransomware attack on a retailer can hurt customer retention and loyalty.
What can retailers do to prevent ransomware attacks?
Despite the large target on the retail industry’s back, many retailers are ill-prepared to deal with a ransomware attack. To better prepare, retailers should take several steps to make their systems more secure. Retailers should also know what to do if they suffer a ransomware attack. The following are steps and strategies for retailers to take in order to avoid becoming the next victim of a ransomware attack.
Steps to protect against a ransomware attack:
- Train employees: require each employee to attend a cybersecurity training on ransomware attacks and how they happen. Ensure that your cybersecurity training includes tips for employees on how to avoid clicking on malicious e-mail attachments and website links. Many companies send fake phishing emails to employees as training exercises.
- Set up multiple data backups of your company’s systems: develop a recovery plan that includes multiple backups of your company’s systems that are stored separately in an offline external drive or a segmented cloud space that is not connected to your company’s systems. Update your backups routinely so the backups are ready to go in case a ransomware attack encrypts all or part of your company’s systems.
- Segment your network: where possible, segment areas of your company’s network in order to limit the reach of a ransomware attack. For example, limit user access only to systems or folders that are absolutely necessary, create unique access gateways for each segment, and create separate firewalls for each segment.
- Keep your software up-to-date: update company-wide applications, programs, devices, and software on a regular basis in order to avoid vulnerabilities that cybercriminals could exploit in a ransomware attack.
- Install device protections for end-point users: use multi-factor authentication, virtual private networks for remote work, rigorous password standards, and clear labels on all incoming e-mails from external senders.
- Consider purchasing cyber insurance that covers ransomware: not only may the insurance provide financial protection if a ransomware attack impacts your company, but insurance companies are incentivized to help companies use best practices to protect against ransomware attacks.
- Test your company’s vulnerability to a ransomware attack: run tests to determine employee password vulnerabilities, out-of-date and unpatched software, and employees’ propensities to click on risky e-mail attachments and links. Testing your company’s systems will shed light on where to invest your company’s resources in ransomware prevention.
- Put a plan in place for the ransom demand: the FBI advises against companies paying the ransom because it fuels more attacks and does not guarantee a decryption key. However, companies have paid the ransom in order to avoid a catastrophic disruption in their operations. Whatever your company decides, it’s best to make the decision in advance, so that your company is prepared to respond to an attack and, if applicable, knows how it plans to pay the ransom.
- Ensure that any ransomware payment complies with federal law: the U.S. Treasury’s Office of Foreign Assets Control (OFAC) has advised that ransomware payments to persons on the Specially Designated Nationals and Blocked Persons List (SDN List) are prohibited and that violations are subject to sanctions and fines. You must therefore ensure that your company, and anyone assisting in a ransom payment, is in compliance with applicable law.
Steps to take if your company falls victim to a ransomware attack:
- Determine the scope of the ransomware attack: find out the extent and type of data encrypted and/or stolen on your company’s systems.
- Isolate the ransomware attack: where possible, prevent the ransomware from spreading to any uncompromised network segments or connected systems.
- If your company makes a ransom payment, take the following steps: identify the cybercriminals demanding the ransom payment, cooperate with law enforcement in their investigation, and ensure that any ransom payment to the cybercriminals complies with federal law, the OFAC regulations, and the SDN List.
- Notify law enforcement, legal counsel, and possibly impacted parties: whether required by contract or law, you may wish to notify the parties impacted by the ransomware attack on your company. Consult with your legal counsel on notification duties required by law or by contract.
- Ensure that your backups are fully secure: confirm that your data backups are not connected to the infected system in any way that could allow the ransomware to infect the backups.
- Conduct a forensic analysis: find out how the cybercriminals accessed your company’s systems. Determine the vulnerabilities that led to the ransomware attack.
- Fix the weaknesses and vulnerabilities of your company’s systems: fix the vulnerabilities that led to the attack. Failure to do this will lead to future attacks, because cybercriminals know that some companies will not fix their weaknesses. It took two ransomware attacks and two ransom payments for one company to learn this lesson.
Ransomware attacks are a growing threat to retail companies, but there is much that your company can do to prevent falling victim to such an attack. Taking these steps to secure your company’s systems is a great way to start.
The Privacy and Data Security Group at Vorys, Sater, Seymour and Pease has counseled clients involved in some of the country’s largest breaches. For further information about ransomware attacks and how to protect your company, please contact John Landolfi, Esq., or Christopher Ingram, Esq., or call our 24/7 cybersecurity emergency hotline at 833.525.2100.