More than 300 Spar convenience stores have been affected by a significant cyber-attack on its company’s IT systems. Many of these stores have been forced to close until the true extent of the damage can be assessed. Any stores that have managed to stay open are operating on a cash-only basis, due to the damage caused to Spar’s till systems by the attack.

What caused the Spar’s Cyber Attack?

The exact details of exactly how Spar’s systems were compromised is yet to be discovered. However, it has already been disclosed that they had fallen victim to a Ransomware attack. This usually indicates that there has been a successful Phishing attack, or that someone in the network has downloaded a malicious file.

How does a Ransomware attack work?

Ransomware is a form of malware, and the key to its objective lies in the prefix, ‘ransom’. Ransomware infects organisation’s IT infrastructure in much the same way as most Malwares, e.g., through targeted phishing attacks or malicious downloads, and its purpose is to hold the owner to ransom. Users – and indeed entire organisations – are locked out of their systems and told to pay a ransom (usually in hard to trace cryptocurrency) in return for unlocking the device.

Once the ransomware has accessed an organisation’s system, it works to either encrypt the entire system or else targets individual files, depending on the type of Ransomware and the cybercriminal’s intent. Once the files are encrypted, the owner can then be locked out of their system until they either pay the fee or decode the attack. It is worth noting advice here not to pay the ransom, since there is no guarantee the hacker will return access to your system.

What types of Ransomware are there?

The type of threat posed by Ransomware is entirely dependent on the type of Ransomware used to infect an IT system. The two main categories of ransomware are:

• Crypto ransomware – individual files are encrypted with this form of attack.
• Locker ransomware – basic computer functions/system functions are affected.

Within these categories sit the specific Ransomware methods used. For example, Bad Rabbit and the aptly named WannaCry.

Crypto Ransomware – what is it?

It is a type of malicious programme that encrypts files on a device, such as a phone or laptop, with the goal of extorting money from the owner.

There are 2 ways which crypto ransomware is usually delivered:

1. Files and links sent via email, instant messaging services or other digital communication channels.
2. Downloaded onto a device using fake alerts and threats while utilising exploit kits and trojan downloaders.

Email, instant messaging, and digital communications

Emails and messages are sent to the target recipients that contain links/attachments to documents. However, these are not documents, but instead executable programmes that once installed active the crypto ransomware.

These malicious files can look like Word, Excel, ZIP folders, or any other popular email attachment. The email itself does not trigger the infection but opening/downloading the attachments or links does.

Exploit Kits and Trojan Downloaders

Exploit kits can be thought of as digital toolboxes that cyber criminals’ plant on websites. They automatically probe each website visitor for a vulnerability in their security defences. If there is a vulnerability found the exploit kit will automatically download and run the crypto ransomware on the device.

Locker ransomware – what is it?

Locker ransomware is less dangerous, but only if you know how to deal with it. It attacks when an individual visits a compromised website, and it usually only attacks a single device.

A pop-up screen then appears, pretending to be from a well know brand such as Apple, Microsoft, Norton etc, telling the user their system has a virus. It informs the user not to shut it down and provides a telephone number to call to access support. If the user tries to close the pop-up, it returns immediately, locking the user out of the device.

If a user falls for the pop-up and calls the service number a cyber criminal posing as a service technician establishes a remote connection to the device and ask for payment to fix the issue. They may also load other software onto the device as well as try and sell anti-virus software to the user.

In some circumstances users that are not tech savvy may not realise they are being defrauded.

The solution is simple…

The solution is as simple as shutting down the device as soon you get hit by Locker ransomware. Do not make the phone call, and do not pay any fees. Simply shut the device down and reboot it.

How to detect ransomware

The first step to protecting your IT systems is to ensure adequate preventative methods are put in place.

Prevention is made up of two components,: a watchful eye and market-leading security software.

How to build a watchful eye

While most businesses understand the need to be alert to the dangers of cyberattacks, some do not invest in the most basic of defences – knowledge. There is no better preventative measure than ensuring all staff across an organisation understand the types of cyber threats they may be exposed to, how to recognise each of these threats, and what their role is to combat them.

Businesses should have an annually refreshed, mandatory cyber security training programme to ensure employees understand the basics of how to spot and combat cybercrime. This is not only helpful to an organisation’s cyber safety, but it can be applied at home by employees too.

There needs to be a culture of compliance created within the working environment to help develop a watchful eye in every employee within the organisation.

We offer a comprehensive range of Cyber Security and Information Security courses to help your business defend itself again cyber criminals.

Common Ransomware methods once a system infection has started

Once a system has been infected by a download or link click there are some tell-tale signs that individuals should look out for.

Illegal content claims:

1. Cybercriminals pose as law enforcement or a regulatory body.
   They will claim to have found illegal content on the infected computer and will ask for a penalty fee to be paid.
2. Unlicensed applications:
   Much like the above, the cybercriminal will ask for a fee to be paid due to an unlicensed programme.

Unfortunately, most of the time, once a system is infected, a cybercriminal will be less shy about ransoming an IT system than the above examples. Much like Spar’s example, businesses systems are shut down with no warning by the attacker. It is critical to use a comprehensive security software package, as well as training staff to be a businesses first line of defence against cyber-attacks.