Cybercriminals have recently been focusing their efforts on the retail industry, launching ransomware attacks that could prove disastrous for businesses if they disrupt operations during important shopping seasons.
In the short term, a ransomware attack on a retailer could mean thousands of lost sales opportunities. Black Friday, Cyber Monday, and the Christmas season, in general, are the busiest times of the year for retailers, and with the plethora of options available, there is no shortage of places from which consumers can get their items. If a retailer can’t offer satisfactory service, consumers will take their business elsewhere.
Perhaps more serious is the damage to reputation. Failed POS transactions, long delivery times, and the perception of an “unsafe” business could push customers towards competitors who can offer a better and more secure shopping experience.
The most common ransomware families used in retail attacks
Data from the Trend Micro Smart Protection Network™ security infrastructure revealed a number of ransomware families being used in attacks against retail companies. Sekhmet, a relatively new ransomware family with extensive obfuscation, had the second-highest number of detected ransomware files in our data. Although not much is known about Sekhmet, there have been reports that it has already successfully infected other organizations. What makes this family particularly alarming is that besides encrypting files, its operators also threaten to publish stolen data, a double-extortion scheme that leaves victims who refuse to pay facing both data loss and a leak. For retailers, this means that an attack could expose customer data, leading to further reputation damage and even legal consequences.
Some of Sekhmet’s variants are being offered as ransomware-as-a-service (RaaS), which means that its use is not limited to its creators, potentially leading to a rise in attacks using the ransomware family and its variants in the future.
We also found other veteran ransomware families such as Cerber and Crysis targeting the retail sector. Both families have been around for years and can be considered “traditional” ransomware that spreads primarily via social engineering emails. However, this doesn’t mean that they have stood pat as newer ransomware families have emerged — they have also undergone multiple updates that added new capabilities and features, typically making them stealthier and more difficult to detect.
The Crysis ransomware family is a widespread one that has been observed targeting organizations around the world. It is also offered as RaaS, which means that even low-skilled malicious actors can use it against companies and individuals. The family is also known to be distributed via remote desktop protocol (RDP) attacks, typically by brute-forcing or reusing stolen credentials against RDP services exposed to the Internet. Organizations should therefore prioritize strengthening RDP credentials, enforcing two-factor authentication, requiring Network Level Authentication, and placing RDP behind a VPN or gateway (or closing external RDP access altogether). Moving RDP to a non-standard port cuts the noise from automated scanners but is not a security control on its own.
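The RDP hardening points above can be checked from the host's own configuration. The script below is an added example, not code from the original article: it parses a `reg export` of the Terminal Server key and reports whether RDP is enabled, whether it still listens on 3389, whether Network Level Authentication is required, and whether TLS is enforced. The `SAMPLE_REG` text is a constructed export of a weakly configured host; the registry value names and paths are the real ones Windows uses. Credential strength and two-factor authentication are enforced at the gateway or identity provider, not in this key, so they must be verified there.

```python
r"""Audit Remote Desktop settings from a `reg export` of the Terminal Server key.

Added example, not code from the original article. On the Windows host run
    reg export "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" ts.reg
(reg writes UTF-16; read the file with encoding="utf-16") and pass the text to
audit_rdp(). SAMPLE_REG below is a constructed export of a weak configuration.
"""

DEFAULT_RDP_PORT = 3389
TS_KEY = r"hkey_local_machine\system\currentcontrolset\control\terminal server"
RDP_TCP_KEY = TS_KEY + r"\winstations\rdp-tcp"

# Constructed export: RDP enabled, default port, NLA off, TLS not enforced.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]
"fDenyTSConnections"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp]
"PortNumber"=dword:00000d3d
"UserAuthentication"=dword:00000000
"SecurityLayer"=dword:00000001
"""


def parse_reg(text):
    """Return {key_path(lowercase): {value_name: int|str}} for a .reg export.

    Only REG_DWORD and REG_SZ values are decoded; that is all the audit needs.
    """
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys[current] = {}
        elif current is not None and line.startswith('"') and "=" in line:
            name, _, raw = line.partition("=")
            name = name.strip('"')
            if raw.startswith("dword:"):
                keys[current][name] = int(raw[len("dword:"):], 16)
            else:
                keys[current][name] = raw.strip('"')
    return keys


def audit_rdp(reg_text):
    """Evaluate the exported settings against the hardening points in the text.

    Returns {"rdp_enabled": bool, "findings": [str, ...]}; an enabled service
    with an empty findings list passes every check made here.
    """
    keys = parse_reg(reg_text)
    ts, tcp = keys.get(TS_KEY, {}), keys.get(RDP_TCP_KEY, {})
    # fDenyTSConnections=1 means Remote Desktop is switched off entirely.
    if ts.get("fDenyTSConnections", 0) == 1:
        return {"rdp_enabled": False, "findings": []}
    findings = []
    if tcp.get("PortNumber", DEFAULT_RDP_PORT) == DEFAULT_RDP_PORT:
        findings.append("RDP listens on the default port 3389; moving it cuts scanner "
                        "noise but only a firewall or VPN actually limits exposure")
    # UserAuthentication=1 requires Network Level Authentication before the logon screen.
    if tcp.get("UserAuthentication", 0) != 1:
        findings.append("Network Level Authentication is off: the logon screen is "
                        "reachable before any credential is presented")
    # SecurityLayer: 0 = legacy RDP security, 1 = negotiate, 2 = TLS required.
    if tcp.get("SecurityLayer", 0) < 2:
        findings.append("SecurityLayer is below 2: TLS is not enforced for RDP sessions")
    return {"rdp_enabled": True, "findings": findings}


if __name__ == "__main__":
    for finding in audit_rdp(SAMPLE_REG)["findings"]:
        print("FINDING:", finding)
```

Run it against exports from every host that has RDP turned on; a host that reports no findings still needs its RDP port confirmed unreachable from the Internet, which this file cannot tell you.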
Meanwhile, Cerber, which has largely operated in the US, is another ransomware family offered as RaaS to affiliates. Cerber’s operations are highly efficient, automating both deployment and payment handling for the actors that use the platform, which makes it attractive to would-be cybercriminals who lack the resources or knowledge to build their own ransomware.
Our data shows that ransomware families offered as RaaS are popular among malicious actors. It is likely that not just large threat actor groups but also smaller ones are operating in this space, looking to take advantage of popular shopping seasons.
We also found a large number of files related to WannaCry, which gained notoriety in 2017 after its initial campaign infected hundreds of thousands of machines across the world. It has since remained a cybercrime staple, even with the emergence of newer ransomware families such as Ryuk.
Other threats to retail businesses
Ransomware isn’t the only cyberthreat to retail businesses. One of the most prominent threats to online shopping systems is Magecart, the umbrella name for groups that carry out web skimming: injecting JavaScript into checkout pages so that payment card data is copied to an attacker-controlled server as the customer types it. These groups have been observed targeting everything from online shops to hotel booking websites and even US local government services. In many of these cases, the threat actors went after the supply chain, compromising third-party software from a systems integrator or e-commerce service provider and injecting malicious scripts that were then loaded by every site using that provider.
All of this demonstrates the importance of securing the entire retail ecosystem. Ransomware operators might launch attacks via social engineering emails to infect a company’s machines, or, in the case of WannaCry, via unpatched systems. The Magecart attacks, in which threat actors indirectly compromised businesses by targeting their service providers, showed that the supply chain is also a target.
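Two controls address the script-injection path described above: an inventory of every script a checkout page loads, compared against a known baseline, and Subresource Integrity (SRI) pins on third-party scripts so the browser refuses to run a vendor file whose bytes have changed. The following is an added example, not code from the original article or from any vendor. The checkout markup, the vendor script body, the inline config snippet and the look-alike skimmer host are all constructed for the demo.

```python
"""Inventory the scripts on a checkout page against a baseline and pin the
allowed third-party scripts with Subresource Integrity (SRI).

Added example, not code from the original article. All page content and
URLs below are constructed for the demo.
"""
import base64
import hashlib
from html.parser import HTMLParser


def sri_hash(body: bytes) -> str:
    """SRI value for a script body. A browser given integrity="sha384-..." on a
    <script> tag refuses to execute the file if its bytes do not hash to this,
    which is the defence against a compromised vendor CDN."""
    return "sha384-" + base64.b64encode(hashlib.sha384(body).digest()).decode()


class ScriptInventory(HTMLParser):
    """Collect external scripts as (src, integrity) and inline script bodies."""

    def __init__(self):
        super().__init__()
        self.external = []
        self.inline = []
        self._buf = None  # list while inside an inline <script>, else None

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        a = dict(attrs)
        if a.get("src"):
            self.external.append((a["src"], a.get("integrity")))
        else:
            self._buf = []

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.inline.append("".join(self._buf).strip())
            self._buf = None


def audit_page(html, allowed_external, allowed_inline):
    """allowed_external: {src: expected SRI value}; allowed_inline: set of SRI
    values of inline snippets the page is known to carry. Returns findings."""
    inv = ScriptInventory()
    inv.feed(html)
    findings = []
    for src, integrity in inv.external:
        if src not in allowed_external:
            findings.append(f"unexpected external script: {src}")
        elif integrity is None:
            findings.append(f"allowed script not pinned with integrity: {src}")
        elif integrity != allowed_external[src]:
            findings.append(f"integrity mismatch for {src}")
    for body in inv.inline:
        if sri_hash(body.encode()) not in allowed_inline:
            findings.append(f"unexpected inline script: {body[:40]!r}")
    return findings


# --- constructed demo data --------------------------------------------------
VENDOR_SRC = "https://cdn.example-payments.test/checkout.js"
VENDOR_JS = b"window.pay = function (card) { return fetch('/api/pay', {method: 'POST', body: card}); };"
CONFIG_SNIPPET = 'window.shopConfig = {currency: "USD"};'
# Look-alike host of the kind skimming actors register to blend into the page.
SKIMMER_SRC = "https://cdn.example-payments.test.evil.example/checkout.js"

CHECKOUT_HTML = f"""<html><body>
<script src="{VENDOR_SRC}" integrity="{sri_hash(VENDOR_JS)}" crossorigin="anonymous"></script>
<script>{CONFIG_SNIPPET}</script>
<script src="{SKIMMER_SRC}"></script>
</body></html>"""

BASELINE_EXTERNAL = {VENDOR_SRC: sri_hash(VENDOR_JS)}
BASELINE_INLINE = {sri_hash(CONFIG_SNIPPET.encode())}


def audit_checkout_page(html=CHECKOUT_HTML):
    """Audit the demo checkout page against its baseline."""
    return audit_page(html, BASELINE_EXTERNAL, BASELINE_INLINE)


if __name__ == "__main__":
    for finding in audit_checkout_page():
        print("FINDING:", finding)
```

The `crossorigin="anonymous"` attribute is required for SRI to apply to a cross-origin script. SRI only helps for scripts whose content you control or have reviewed at a fixed version; a vendor that ships a constantly changing script has to be held to a change-notification process, and the page inventory above is what catches a script that was added rather than modified.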
Defending against ransomware attacks
Although ransomware comes in different forms and features different capabilities, the methods used to gain access to a target machine remain relatively unchanged.
Ransomware operators often use social engineering emails to gain a foothold in the network, a tactic that user awareness can blunt. Businesses should educate employees on techniques such as spam and spear phishing and teach users to avoid opening email attachments and links from suspicious or unverified sources, as these remain some of the most common infection vectors for ransomware. Training works best alongside mail filtering and attachment scanning, since some lures will always reach an inbox.
Furthermore, organizations need to patch and update system software to close vulnerabilities that malicious actors can use to infect systems. Ransomware can also exploit vulnerabilities for lateral movement once inside the network, allowing an attacker to use a single machine as an entry point and jump to other systems and devices from there. Patching is especially important for retail companies, given that WannaCry, the most widespread ransomware family in the industry, spreads by exploiting the SMBv1 vulnerability fixed by Microsoft's MS17-010 update; disabling SMBv1 where it is not needed removes that path even on hosts that cannot be patched promptly.
Businesses with e-commerce operations should audit their sites and apps to ensure that they are as secure as possible. They should also back up store and customer data, preferably following the 3-2-1 rule (three copies on two different media with at least one copy off-site), and keep at least one copy offline or immutable so that ransomware that reaches the network cannot encrypt the backups along with the production data. A backup that has never been test-restored should not be counted. Another option for e-commerce operators is intrusion prevention software that can detect and block network attacks and virtually patch vulnerable systems.
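A 3-2-1 check is only meaningful if each copy is verified against a manifest, because a backup copy that ransomware has already encrypted still looks like a copy on disk. The script below is an added example, not code from the original article: it builds three copies of a tiny constructed store dataset in a temporary directory, optionally overwrites one copy to stand in for an encrypted backup, and then counts only the copies that still match the manifest when testing the rule.

```python
"""Verify a backup set against the 3-2-1 rule, counting only copies whose
contents still match the manifest.

Added example, not code from the original article. The dataset, copy
locations and media labels are constructed for the demo.
"""
import hashlib
import os
import shutil
import tempfile


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def copy_is_intact(copy_dir, manifest):
    """True only if every manifest file exists in copy_dir with the expected hash."""
    for name, digest in manifest.items():
        p = os.path.join(copy_dir, name)
        if not os.path.isfile(p) or sha256_file(p) != digest:
            return False
    return True


def check_321(copies, manifest):
    """copies: [{"dir": path, "media": "disk"|"tape"|"object", "offsite": bool}, ...]
    manifest: {file name: sha256 hex of the original data}
    Returns (ok, findings). A copy that fails verification is reported and then
    ignored for the three-copies / two-media / one-off-site counts."""
    intact = [c for c in copies if copy_is_intact(c["dir"], manifest)]
    findings = [f"copy on {c['media']} at {c['dir']} does not match manifest"
                for c in copies if c not in intact]
    if len(intact) < 3:
        findings.append(f"only {len(intact)} intact copies (need 3)")
    if len({c["media"] for c in intact}) < 2:
        findings.append("intact copies are all on one media type (need 2)")
    if not any(c["offsite"] for c in intact):
        findings.append("no intact off-site copy")
    return (not findings, findings)


def demo(tamper=True):
    """Build three copies of a constructed store dataset; when tamper is True,
    overwrite one file in the on-site disk copy with random bytes to simulate
    a backup that ransomware reached and encrypted."""
    data = {
        "orders.csv": b"id,sku,total\n1,A1,19.99\n2,B7,4.50\n",
        "customers.csv": b"id,email\n1,a@example.test\n",
    }
    manifest = {n: hashlib.sha256(b).hexdigest() for n, b in data.items()}
    root = tempfile.mkdtemp()
    try:
        copies = []
        for i, (media, offsite) in enumerate([("disk", False), ("object", True), ("tape", True)]):
            d = os.path.join(root, f"copy{i}")
            os.makedirs(d)
            for n, b in data.items():
                with open(os.path.join(d, n), "wb") as f:
                    f.write(b)
            copies.append({"dir": d, "media": media, "offsite": offsite})
        if tamper:
            with open(os.path.join(copies[0]["dir"], "orders.csv"), "wb") as f:
                f.write(os.urandom(64))  # stands in for ciphertext
        return check_321(copies, manifest)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    ok, findings = demo(tamper=True)
    print("OK" if ok else "FAIL")
    for finding in findings:
        print(" -", finding)
```

In production the manifest is written at backup time and stored with the off-site or immutable copy, so that an attacker who can rewrite the backups cannot also rewrite the hashes they are checked against.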