In 1986, evolutionary biologist Dr. Joseph Popp infected many people with AIDS, just not the way you might think. “AIDS Information Introductory Diskette” was the world’s first known ransomware attack and was introduced into systems through a floppy disk which Popp mailed to his victims. 30 years later, the bad guys are still relying on human error to bring forward a new generation of even more dangerous ransomware threats. If you’ve missed out on encryption ransomware, lock screen ransomware, master boot record (MBR) ransomware, consider yourself lucky! Dr. Popp defended his hostage taking by explaining that the money was going to the PC Cyborg Corporation for AIDS research. Today’s hostage takers are harder to find and more interested in stealing your money than social causes. These days, if your network, mobile or desktop computer, falls victim to “ransomware” your financial data and business records could be locked with strong encryption along with a demand that you to pay for a key to unlock the files. Are you familiar with Bitcoin and the dark internet?
The evolution of IP connected devices at retail has changed the nature of threat vectors. Today, retailers must be as concerned with their Non-Card Data environment as they are protecting the card data environment. Ransomware is one of the clearest examples of the expanding data security threats. According to an analysis published by Trend Micro the average ransom demanded was approximately $722. Hollywood Presbyterian Medical Center paid $17,000 and The University of Calgary paid $20,000. Trend Micro found the majority of organizations that are infected by ransomware end up paying the ransom. Three-quarters of companies which had not suffered a ransomware infection reported they would not pay up when presented with a data ransom demand. Clearly, people tend to see things differently when they’re the ones in the hot seat. Retailers have millions of dollars in sales at risk, would you pay if your stores where offline?
How big of a problem is ransomware within the C-store space? During this year’s NACS conference at the “Technical Tools of Data Protection” session, Hugh Williams, CIO of Maverick said: “We focus so much on the CDE, but probably the biggest threat out there is ransomware. It’s looking for ingress right now. They are not some much interested in your card data, they want your other stuff”. When the room was asked who had been attacked by ransomware, nearly a dozen retailers raised their hand.
Protecting yourself from ransomware attacks, or how not to be the next ransomware victim, is a major challenge. The first step is to understand that this challenge is beyond the scope of PCI and your POS. Ransomware finds its way into your environment in a number of ways. Two common threat vectors are leveraging iOT devices or tricking people to inadvertently undermining the security of their device, like enabling a marco on a windows document.
Stopping employees from opening the door to the bad guys takes “people and process”. Maintaining a secure network that closes the door to the bad guys requires good tools and proper scanning and patching. Management often doesn’t prioritize internet security until it’s too late. CIO’s work to develop ROI analysis to drive budget for investment network security. CEO’s need be educated on protecting the business from internet threats like ransomware, and having a full disaster recovery scenario that is fully backed up and periodically tested. To harden defenses against ransomware attacks, retailers can adopt policy changes. IT departments can close the door by expanding the objectives of data security beyond PCI with an emphasis on scanning and patching outside of the card data environment. In the c-store business, iOT is only growing. Are your pumps IP enabled?