
Ransomware's Next Move

By Aaron Branson

Have we seen the true business impact of ransomware yet, or has this just been a proof-of-concept? The recent news about WannaCrypt and Petya ransomware should not come as a surprise. The outbreaks are due not only to the ransomware’s ability to spread but also to its ability to mutate. While IT security teams identify, hunt, and remove specific variants of the ransomware, there may already be unknown mutated varieties lurking dormant and ready to execute. We expect stories like this will continue to pop up as long as organizations only hunt “known” threats after enough other organizations have come across them. As shown in the graph below, provided by the Proofpoint Q1 2017 Quarterly Threat Report, there were 4.3x as many new ransomware variants in Q1 2017 as in Q1 2016!

Polymorphic and mutating malware… yep, you read that right

EventTracker Security Center 8.3, the latest version of the SIEM platform, released June 8, includes just such a capability to combat modern ransomware and polymorphic and mutating malware. Dormant Malware Hunter is a new capability introduced by EventTracker. Modern malware, including ransomware, copies itself with different names and hashes to various folders, so that if the original is identified and removed, the clones remain ready to attack at a later time. Dormant Malware Hunter identifies hidden EXE and DLL files that have never executed, while exempting those found on a known safe files list. As a result, copies of malware can be removed from the network, preventing re-infection or propagation.

Such capability to hunt down these dormant and unknown threats allows IT security teams to fully cleanse their network of ransomware variants… even the ones not yet known to global threat intelligence feeds.
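To make the hunting logic described above concrete, here is an added Python example; it is not EventTracker’s code and makes no claim about how Dormant Malware Hunter is implemented. It inventories EXE/DLL files under a directory, hashes them, drops anything on an allow list of known-safe hashes, drops anything with an execution record, and reports the rest. The execution records are supplied by the caller (on a real Windows host they would come from an execution-evidence source such as Prefetch or Amcache, which this example does not parse), and the sample tree, its placeholder file contents, and the allow list are all constructed here for illustration. The example also goes one step beyond the text: it points out which dormant hits are byte-identical to a binary that did run, since a renamed clone shares its hash with the original while a mutated clone does not.

```python
import hashlib
import os
import tempfile

# File types the hunt looks at, mirroring the EXE/DLL scope described in the article.
BINARY_EXTENSIONS = {".exe", ".dll"}


def sha256_of(path):
    """Hash a file in chunks so large binaries are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def inventory_binaries(root):
    """Walk a tree and return {absolute_path: sha256} for every EXE/DLL found."""
    found = {}
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            if os.path.splitext(name)[1].lower() in BINARY_EXTENSIONS:
                path = os.path.abspath(os.path.join(dirpath, name))
                found[path] = sha256_of(path)
    return found


def find_dormant(binaries, executed_paths, known_safe_hashes):
    """Return [(path, sha256)] for binaries with no execution record that are not allow-listed.

    executed_paths is an assumption supplied by the caller; a real hunt would derive it
    from host execution evidence (e.g. Prefetch/Amcache on Windows), which is not done here.
    """
    executed = {os.path.normcase(os.path.abspath(p)) for p in executed_paths}
    dormant = []
    for path, digest in sorted(binaries.items()):
        if digest in known_safe_hashes:
            continue  # on the known-safe list: never flag
        if os.path.normcase(path) in executed:
            continue  # has run at least once: outside this hunt's scope
        dormant.append((path, digest))
    return dormant


def clones_of_executed(binaries, executed_paths, dormant):
    """Among the dormant hits, return those byte-identical to a binary that did execute."""
    executed = {os.path.normcase(os.path.abspath(p)) for p in executed_paths}
    executed_hashes = {d for p, d in binaries.items() if os.path.normcase(p) in executed}
    return [(path, digest) for path, digest in dormant if digest in executed_hashes]


# Constructed sample tree: placeholder bytes standing in for real binaries.
VENDOR = b"MZ vendor-signed updater (constructed sample)"
PAYLOAD_A = b"MZ dropper payload (constructed sample)"
PAYLOAD_B = PAYLOAD_A + b" mutated"  # same family, different hash

SAMPLE_FILES = {
    "Program Files/Vendor/vendor.exe": VENDOR,        # allow-listed, never run
    "Users/Public/svc_update.exe": PAYLOAD_A,         # the copy that ran
    "Windows/Temp/wupd32.exe": PAYLOAD_A,             # identical clone under a new name
    "ProgramData/cache/helper.dll": PAYLOAD_B,        # mutated clone with a new hash
    "ProgramData/cache/readme.txt": b"not a binary",  # ignored by extension
}


def build_sample_tree(root):
    """Write the constructed sample files under root."""
    for rel, content in SAMPLE_FILES.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as handle:
            handle.write(content)


def run_demo():
    """Build the sample tree, run the hunt, and return (dormant hits, clones) as relative paths."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        binaries = inventory_binaries(root)
        # Constructed execution record: only the Users/Public copy ever ran.
        executed = [os.path.join(root, "Users", "Public", "svc_update.exe")]
        # Constructed known-safe list: just the vendor binary's hash.
        known_safe = {hashlib.sha256(VENDOR).hexdigest()}
        dormant = find_dormant(binaries, executed, known_safe)
        clones = clones_of_executed(binaries, executed, dormant)
        rel = lambda p: os.path.relpath(p, root).replace(os.sep, "/")
        return [rel(p) for p, _ in dormant], [rel(p) for p, _ in clones]


if __name__ == "__main__":
    hits, clones = run_demo()
    print("dormant and not allow-listed:", hits)
    print("byte-identical to something that ran:", clones)
```

The two hits the demo produces illustrate why hash-only hunting is not enough: the renamed clone can be caught by pivoting on the hash of the copy that executed, but the mutated DLL has a hash nobody has seen yet and is only found because it is an unexecuted binary that is not on the safe list.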

“Ransom-a-Retailer” may be cyber-criminals’ next game

EventTracker, along with parent company Netsurion, also predicts that the next wave of ransomware attacks could target retail and hospitality, and the impact could be crippling. Incidents like those that impacted Honda and Renault certainly affect the bottom line by slowing production. But sales are still being made and orders fulfilled; granted, they may have experienced a hiccup in efficiency. If these attackers turn their attention to the much-maligned POS system, which frequents the headlines for credit card data theft, and choose to hold a retailer ransom by preventing it from making transactions with consumers, such a retailer could bleed millions of dollars in lost revenue daily until it recovers the function of its POS systems.

Black Friday 2017 may truly be a dark day

Consider things from the cyber-criminal’s point of view. They apparently have no problem hacking into a POS system and siphoning off credit card data for months undetected. I’ll forgo naming the many brands that have fallen victim to such breaches, as I’m sure the incidents are already familiar to you. But here’s the thing… the going rate for stolen credit card data on the black market is in decline. A US credit card used to be able to fetch $20-30, but of late that data is falling closer to $5-10. Simple supply-and-demand – there’s too much stolen credit card data available!

What would prevent that same cyber-criminal from using those same infiltration tactics to deploy ransomware on the POS and, within minutes rather than months, have what they need? If a major retailer were unable to ring out a single consumer on Black Friday, the busiest brick-and-mortar shopping day of the year, what ransom would it be willing to pay? How many millions in revenue would it lose even if it recovered without paying the ransom?

To guard retailers from such harm before it becomes the “next big thing in ransomware”, EventTracker launched SIEMphonic MDR Edition in December 2016. The managed endpoint threat detection and response solution is unique in that it takes the appropriate set of capabilities from its enterprise SIEM and makes it logistically and economically practical to deploy to each and every POS system across every retail outlet.

IT security for franchise retailers is tougher than herding cats

In the more complex franchise-model space, retail and hospitality brands have the added challenge of wrangling thousands of storefronts owned by upwards of hundreds of different franchise owners, each running their own show. Without a proper solution that accounts for such complexity, securing a franchised brand from ransomware at these many vulnerability points (think X POS terminals multiplied by Y locations across multiple, separate franchise businesses) is like herding cats (still one of my favorite commercials of all time). Netsurion, however, has added a specially packaged version of SIEMphonic MDR to its already leading managed network security, resilience and compliance service for merchants. The solution, named SIEM-at-the-Edge, brings the same needed endpoint threat detection and response capability to the “edge” locations of the franchise merchants.

Here’s to hoping merchants of all shapes and sizes heed the prevalent warnings and evidence that POS systems are extremely vulnerable and a ransomware attack could be devastating. An ounce of prevention is worth a pound of cure!