Retail Cybersecurity Trend 6: Ransomware attacks

November is Retail Privacy Month

In 2020, the IC3 received 2,474 complaints identified as ransomware with adjusted losses of over $29.1 million in the US. Source: FBI, Internet Crime Report

Ransomware typically takes hold when an unsuspecting user (the victim) clicks on or installs malicious software, or malware. The malware encrypts the data on the computer, making it inaccessible to its original owner until they respond to a ransom request.

In other words, a cybercriminal holds the data hostage until the ransom is paid. If the ransom is not paid, the victim’s data remains unavailable to them. This data may contain company secrets, but it could also be a whole database of contacts and, possibly, all of that business’s customers. Not a good thing. Cybercriminals put pressure on victims to pay the ransom by threatening to destroy the victim’s data or to release it to the public.

When it comes to retail, especially retailers with memberships, the problem is that customers’ account data is now in the hands of the criminals. If they can decrypt the credentials, they can also try to breach other accounts where these customers use the same ID and password.

Although cybercriminals use a variety of techniques to infect victims with ransomware, the most common means of infection are: 

Email phishing campaigns: the cybercriminal sends an email containing a malicious file or link which deploys malware when clicked by a recipient. Cybercriminals historically have used generic, broad-based spamming strategies to deploy their malware, though recent ransomware campaigns have been more targeted and sophisticated. Criminals may also compromise a victim’s email account by using precursor malware, which enables the cybercriminal to use a victim’s email account to further spread the infection. 

Remote Desktop Protocol (RDP) vulnerabilities: RDP is a proprietary network protocol that allows individuals to control the resources and data of a computer over the internet. Cybercriminals have used both brute-force methods, a technique using trial-and-error to obtain user credentials, and credentials purchased on dark web marketplaces to gain unauthorized RDP access to victim systems. Once they have RDP access, criminals can deploy a range of malware – including ransomware – to victim systems. 

Software vulnerabilities: Cybercriminals can take advantage of security weaknesses in widely used software programs to gain control of victim systems and deploy ransomware.

The FBI and Canadian cybercrime-fighting agencies do not encourage paying a ransom to criminal actors. Paying a ransom may embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities. Paying the ransom also does not guarantee that a victim’s files will be recovered.
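To make the RDP brute-force pattern from the list above concrete from the defender's side, here is an added example (not from the original article) that scans logon records for a burst of failures from one source, and notes whether a successful logon followed. The comma-separated record layout, the sample lines, and the threshold of 5 failures in 5 minutes are assumptions constructed for illustration; 4625 and 4624 are the Windows Security log event IDs for failed and successful logons.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records: time, event ID, logon type, source IP, account.
SAMPLE_EVENTS = """\
2021-11-02T03:10:01,4625,10,203.0.113.7,admin
2021-11-02T03:10:04,4625,10,203.0.113.7,administrator
2021-11-02T03:10:09,4625,3,203.0.113.7,pos01
2021-11-02T03:10:15,4625,3,203.0.113.7,backup
2021-11-02T03:10:21,4625,10,203.0.113.7,backup
2021-11-02T03:10:30,4625,10,203.0.113.7,backup
2021-11-02T03:10:42,4624,10,203.0.113.7,backup
2021-11-02T08:55:00,4625,10,198.51.100.20,jsmith
2021-11-02T09:06:00,4625,10,198.51.100.20,jsmith
2021-11-02T09:06:30,4624,10,198.51.100.20,jsmith
2021-11-02T09:10:00,4625,2,192.0.2.5,kiosk
"""

# Logon type 10 = RemoteInteractive (RDP); type 3 = Network, which RDP
# logons show up as when Network Level Authentication is in use.
RDP_LOGON_TYPES = {"3", "10"}

def parse(lines):
    """Yield (time, event_id, source_ip, account) for remote logon records only."""
    for line in lines.strip().splitlines():
        ts, event_id, logon_type, src, user = line.split(",")
        if logon_type in RDP_LOGON_TYPES:
            yield datetime.fromisoformat(ts), event_id, src, user

def detect_bruteforce(lines, threshold=5, window=timedelta(minutes=5)):
    """Return {source_ip: finding} for sources with >= threshold failures inside window."""
    recent = defaultdict(deque)  # source IP -> timestamps of failures still in the window
    findings = {}
    for ts, event_id, src, user in sorted(parse(lines)):
        if event_id == "4625":
            q = recent[src]
            q.append(ts)
            while ts - q[0] > window:  # drop failures that have aged out
                q.popleft()
            if len(q) >= threshold:
                hit = findings.setdefault(src, {"failures": 0, "success_after": None})
                hit["failures"] = max(hit["failures"], len(q))
        elif event_id == "4624" and src in findings:
            # A success after a burst of failures: a guessed password may have worked.
            if findings[src]["success_after"] is None:
                findings[src]["success_after"] = user
    return findings

if __name__ == "__main__":
    for src, hit in detect_bruteforce(SAMPLE_EVENTS).items():
        print(src, hit)
```

A source that is flagged and also shows a later success is the case to escalate first, since it suggests the trial-and-error guessing found a working credential.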

Regardless of whether you or your organization have decided to pay the ransom, the FBI in the US and the Canadian cybercrime agency urge you to report ransomware incidents. This is a good practice for two reasons: they may be able to help you, so that your organization may not need to pay the ransom, and they can keep on top of trends and criminal methods and so be able to preempt other attacks.

However, a recent bad news story emerged from simply obeying the “do not pay the ransom” adage. A patient lost their life at a hospital in Ontario that was not prepared for a ransomware attack and was not certain what to do. It opted not to pay the ransom, which resulted in the inability to operate and save a life. Cybercriminals are getting a lot more crafty and, let’s face it, they are not ethical!

The most important lesson learned here is: organizations need to build business resilience, and successful cyber attacks or ransomware attacks should be at the top of their preparedness list.

Is your organization conducting scenario-based incident preparedness exercises that involve all the appropriate stakeholders, including the privacy team?

At Managed Privacy Canada, we have the expertise and experience, and we have developed best practices and documentation, to help retailers thrive.

✅ Our approach to practical privacy begins with your free 20-minute consultation. For more information, visit
✅ For privacy updates, follow us @ Managed Privacy Canada on LinkedIn

Facebook: @ManagedPrivacy
Instagram: @ManagedPrivacyCanada
Twitter: @ManagedPrivacy
