More than 300 Spar convenience stores have been affected by a significant cyber-attack on the company’s IT systems. Many of these stores have been forced to close until the true extent of the damage can be assessed. Any stores that have managed to stay open are operating on a cash-only basis, because the attack damaged Spar’s till systems.

What caused the Spar cyber attack?

The exact details of how Spar’s systems were compromised are yet to be discovered. However, it has already been disclosed that the company fell victim to a ransomware attack. This usually indicates either a successful phishing attack or that someone on the network downloaded a malicious file.

How does a Ransomware attack work?

Ransomware is a form of malware, and the key to its objective lies in the prefix ‘ransom’. Ransomware infects an organisation’s IT infrastructure in much the same way as most malware, e.g. through targeted phishing attacks or malicious downloads, and its purpose is to hold the owner to ransom. Users – and indeed entire organisations – are locked out of their systems and told to pay a ransom (usually in hard-to-trace cryptocurrency) in return for unlocking the device.

Once the ransomware has accessed an organisation’s system, it either encrypts the entire system or targets individual files, depending on the type of ransomware and the cybercriminal’s intent. Once the files are encrypted, the owner is locked out of their system until they either pay the fee or find a way to recover the files themselves. It is worth noting the standard advice here: do not pay the ransom, since there is no guarantee the attacker will return access to your system.


What types of Ransomware are there?

The threat posed by ransomware depends entirely on the type of ransomware used to infect an IT system. The two main categories of ransomware are:

  1. Crypto ransomware
  2. Locker ransomware

Within these categories sit the specific ransomware strains used, for example Bad Rabbit and the aptly named WannaCry.

Crypto Ransomware – what is it?

It is a type of malicious programme that encrypts files on a device, such as a phone or laptop, with the goal of extorting money from the owner.

There are two ways in which crypto ransomware is usually delivered:

  1. Files and links sent via email, instant messaging services or other digital communication channels.
  2. Downloaded onto a device via fake alerts and threats, or through exploit kits and trojan downloaders.

Email, instant messaging, and digital communications

Emails and messages are sent to the target recipients containing links to, or attachments of, what appear to be documents. However, these are not documents but executable programmes that, once run, activate the crypto ransomware.

These malicious files can look like Word, Excel, ZIP folders, or any other popular email attachment. The email itself does not trigger the infection but opening/downloading the attachments or links does.


Exploit Kits and Trojan Downloaders

Exploit kits can be thought of as digital toolboxes that cyber criminals plant on websites. They automatically probe each website visitor for a vulnerability in their security defences. If a vulnerability is found, the exploit kit automatically downloads and runs the crypto ransomware on the device.

Locker ransomware – what is it?

Locker ransomware is less dangerous, but only if you know how to deal with it. It attacks when an individual visits a compromised website, and it usually only attacks a single device.

A pop-up screen then appears, pretending to be from a well-known brand such as Apple, Microsoft or Norton, telling the user their system has a virus. It instructs the user not to shut the device down and provides a telephone number to call for support. If the user tries to close the pop-up, it returns immediately, locking the user out of the device.

If a user falls for the pop-up and calls the service number, a cyber criminal posing as a service technician establishes a remote connection to the device and asks for payment to fix the issue. They may also load other software onto the device and try to sell anti-virus software to the user.

In some circumstances users that are not tech savvy may not realise they are being defrauded.

The solution is simple…

The solution is as simple as shutting down the device as soon as you are hit by locker ransomware. Do not make the phone call, and do not pay any fees. Simply shut the device down and reboot it.

How to detect ransomware

The first step to protecting your IT systems is to ensure adequate preventative methods are put in place.

Prevention is made up of two components: a watchful eye and market-leading security software.

How to build a watchful eye

While most businesses understand the need to be alert to the dangers of cyberattacks, some do not invest in the most basic of defences – knowledge. There is no better preventative measure than ensuring all staff across an organisation understand the types of cyber threats they may be exposed to, how to recognise each of these threats, and what their role is to combat them.


Businesses should have an annually refreshed, mandatory cyber security training programme to ensure employees understand the basics of how to spot and combat cybercrime. This is not only helpful to an organisation’s cyber safety, but it can be applied at home by employees too.

There needs to be a culture of compliance created within the working environment to help develop a watchful eye in every employee within the organisation.

We offer a comprehensive range of Cyber Security and Information Security courses to help your business defend itself against cyber criminals.

Common Ransomware methods once a system infection has started

Once a system has been infected by a download or link click there are some tell-tale signs that individuals should look out for.

  1. Illegal content claims:
    Cybercriminals pose as law enforcement or a regulatory body. They will claim to have found illegal content on the infected computer and will ask for a penalty fee to be paid.
  2. Unlicensed applications:
    Much like the above, the cybercriminal will ask for a fee to be paid due to an unlicensed programme.

Unfortunately, most of the time, once a system is infected, a cybercriminal will be far less subtle about ransoming an IT system than in the above examples. As in Spar’s case, business systems are shut down with no warning by the attacker. It is critical to use a comprehensive security software package, as well as training staff to be a business’s first line of defence against cyber-attacks.

It’s boomtime for ransomware and the cybercriminals making easy profits using this virulent strain of malware. The ransomware epidemic will not come as a surprise to the NHS, who recently had thousands of computers frozen by the WannaCry virus.

What can we learn from the spread of ransomware around the world? And what can organisations do to resist the onslaught of attacks?

A ransomware infection often starts with spam. Hackers use social engineering to nudge users into saving attachments or clicking links that look genuine. Emails may appear to be a request from the CEO, a parking fine notification, or a penalty notice from HMRC. Users are often scared into action, believing that something bad will happen if they don’t act quickly. But not all infected computers are the result of user error. In the case of the NHS and WannaCry, hackers exploited a known vulnerability in Microsoft Windows to gain entry into unpatched systems.

A popular exploit kit used by cybercriminals, called Angler, allows for drive-by downloads, in which malware is downloaded automatically when a user visits an infected site. The download happens in the background, without the user’s knowledge. These kinds of technologies are not just the preserve of expert hackers or international criminal gangs; anyone with criminal intent can access ransomware-as-a-service offerings on the underground Tor network, making cyber-crime as easy as setting up a website.

This demonstrates how unsophisticated some hackers are. These are rarely master criminals; they are often just chancers who recognise an opportunity for making easy money. And because web technologies allow ransomware to be deployed and utilised remotely, with money collected using anonymous crypto-currencies like Bitcoin, there is the lure of consequence-free crime. Why risk jail time for the takings in a petrol station when you can work from home and watch your Bitcoin wallet slowly fill? Of course, some of these perpetrators are caught and tried; there is no such thing as the perfect crime.

The ease of use of these tools might be one reason for their proliferation, and may explain why ransomware is on the rise. Security software company Sophos detected thousands of new pages booby-trapped with Angler every day in May 2015. And in its annual security survey, SonicWall reports that ransomware attacks increased 167x year-on-year and were “the payload of choice for malicious email campaigns and exploit kits”.

The rapid rise of ransomware does pose new threats for organisations, but many of the treatments are familiar. Organisations must start with fully patched and up-to-date software and systems. Every uninstalled update is a potential backdoor for an opportunist cyber-crook.

Security systems must also be in place to limit the spread of any infections that take place, and to alert administrators to their existence before they do lasting harm. Backups provide protection against encrypted files and frozen machines. Training is the best way to ensure employees understand the evolving risks. And given the high stakes of IT security, this training should be regularly refreshed so all staff understand the vital role they play in digital defence.

How would your business cope if employees were suddenly unable to access computers, files, or your network? Your customer database, emails, and that critical project due by the end of the week: all locked.

Work would be brought to a halt, IT would be inundated with panicked phone calls, and your communications team would be in crisis mode. You might be willing to do almost anything to regain access to your critical files – which is why ransomware is a growing tactic for cybercriminals.

Ransomware blocks access to critical files or applications and asks users to pay to regain access. And, while in some cases it’s clear to users that they’re being held to ransom, messages often appear to come from governments, law enforcement, or even your own technical team – leading to payments made to cybercriminals.

Falling victim to ransomware creates a dilemma for businesses. Should you pay the criminals, with no guarantee they’ll restore access, or should you go public, take the hit to your reputation and finances, but at least take control of the situation?

Clearly, the best approach is to avoid falling victim to ransomware in the first place. So, with cybersecurity firms warning of increasing ransomware attacks, how can you protect your business?

As with many cybersecurity threats, the answer is a combination of security software and education practices.

1. Keep software up to date

All businesses should use software to protect them from cyber threats which could lead to ransomware infection, such as spam email, unauthorised access, unsafe websites, and unsafe files.

But installing this software is just the beginning. Cybercriminals and tech companies are locked in a perpetual race to stay one step ahead of each other in discovering vulnerabilities. With more uncovered daily, it’s crucial to keep security software updated, protecting your business from known and newly discovered vulnerabilities.

2. Train staff to be vigilant around email attachments

The most common way for computers to become infected with ransomware is through staff opening unsafe email attachments, a trend cybercriminals are increasingly creative in exploiting.

Recent examples include emails appearing to be speculative job applications with attached CVs, and documents ostensibly from the CEO or senior management; but even files attached to gobbledegook emails are opened alarmingly often.

Banning email attachments altogether isn’t feasible, and antivirus software isn’t 100% effective at identifying viruses, especially when they can be hidden in seemingly innocuous files like Word documents or images. Combat this risk by training staff to recognise suspicious emails, to check that the sender’s email address is one they recognise, and to get verbal confirmation from the sender if any suspicion arises.
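The two checks this article asks staff to perform by eye (is the sender recognised, and is the attachment really the document it claims to be, as described in the crypto ransomware section above) can also be automated at a mail gateway. The following is an added example written for this page, not code from the original article or from any vendor. The sample messages, the list of recognised sender domains and the small magic-byte table are constructed for illustration; a real deployment would load its own allowlist and a fuller signature table.

```python
"""Triage inbound email attachments for the disguises described in the article.

Added example, not code from the original article. Sample data is constructed;
KNOWN_DOMAINS and the policy lists are assumptions a real gateway would replace.
"""
from dataclasses import dataclass, field

# First bytes of common container formats (constructed subset of a real signature table).
MAGIC = {
    b"MZ": "pe-executable",           # Windows .exe / .dll / .scr
    b"PK\x03\x04": "zip-container",   # .zip, and also modern .docx / .xlsx
    b"%PDF": "pdf",
    b"\xd0\xcf\x11\xe0": "ole2",      # legacy .doc / .xls
}

# Extensions that run code when opened, regardless of what the icon suggests.
EXECUTABLE_EXTS = {"exe", "scr", "js", "vbs", "bat", "cmd", "ps1", "hta", "jar"}

# Which sniffed container type a document extension may legitimately carry.
EXPECTED_TYPE = {
    "docx": {"zip-container"}, "xlsx": {"zip-container"}, "zip": {"zip-container"},
    "pdf": {"pdf"}, "doc": {"ole2"}, "xls": {"ole2"},
}

KNOWN_DOMAINS = {"example.co.uk"}  # assumption: the organisation's own recognised senders


@dataclass
class Attachment:
    filename: str
    head: bytes  # first bytes of the decoded attachment body


@dataclass
class Message:
    sender: str
    attachments: list = field(default_factory=list)


def sniff(head: bytes) -> str:
    """Identify the real container type from leading bytes, ignoring the filename."""
    for magic, kind in MAGIC.items():
        if head.startswith(magic):
            return kind
    return "unknown"


def attachment_findings(att: Attachment) -> list:
    """Return human-readable reasons this attachment is suspicious (empty if none)."""
    findings = []
    exts = att.filename.lower().split(".")[1:]
    if not exts:
        return findings
    last = exts[-1]
    if last in EXECUTABLE_EXTS:
        findings.append(f"executable extension .{last}")
    # 'cv.pdf.exe': a document extension placed before the executable one.
    if len(exts) >= 2 and exts[-2] in EXPECTED_TYPE and last in EXECUTABLE_EXTS:
        findings.append("double extension disguising executable as document")
    kind = sniff(att.head)
    # 'invoice.docx' whose bytes are actually a Windows executable.
    if last in EXPECTED_TYPE and kind not in EXPECTED_TYPE[last]:
        findings.append(f"content is {kind}, not a .{last}")
    return findings


def triage(msg: Message, known_domains=KNOWN_DOMAINS) -> list:
    """Combine the sender check and per-attachment checks into one finding list."""
    domain = msg.sender.rsplit("@", 1)[-1].lower()
    findings = []
    if domain not in known_domains:
        findings.append(f"sender domain {domain} not recognised")
    for att in msg.attachments:
        findings.extend(f"{att.filename}: {f}" for f in attachment_findings(att))
    return findings


# Constructed sample messages: one benign, one carrying the disguises the article warns about.
SAMPLE_CLEAN = Message("alice@example.co.uk", [Attachment("report.docx", b"PK\x03\x04\x14\x00")])
SAMPLE_SUSPECT = Message("hr@example-careers.invalid", [
    Attachment("cv.pdf.exe", b"MZ\x90\x00"),
    Attachment("invoice.docx", b"MZ\x90\x00"),
])

if __name__ == "__main__":
    for m in (SAMPLE_CLEAN, SAMPLE_SUSPECT):
        print(m.sender, "->", triage(m) or ["no findings"])
```

The magic-byte check is the part staff cannot do by eye: a file named `invoice.docx` with an `MZ` header is an executable whatever icon the mail client shows. Note that a genuine `.docx` is itself a ZIP container, which is why the table maps it to `zip-container`; a macro-enabled document would pass this check and needs a separate policy.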

3. Prevent access to unsafe websites and files

Another way ransomware finds its way onto your machines is when employees visit compromised websites or download unsafe files. We recommend limiting what sites staff can access so unsafe ones are automatically blocked, and only giving rights to download and install files to those employees who need them.

But even with these measures in place, employees often end up getting granted admin rights when they really shouldn’t, just for convenience’s sake, eventually resulting in cybersecurity issues.

Rectify this by making cybersecurity awareness a part of your business culture, ensuring people only have the access rights they need, and that they know what risks to look out for when browsing the web.

4. Implement a strong password policy

The above techniques are all designed to prevent cybercriminals from accessing your systems by the back door – but don’t forget to lock the front with strong passwords.

A cybercriminal would only need to determine one employee’s password to access your network and install any software they want. It could be as simple as methodically attempting to gain access with the most common passwords, words from dictionaries, or even using passwords seized from another site.

Prevent this by ensuring your employees understand good password practices such as ensuring passwords are hard to guess, using combinations of lower and uppercase characters, numbers and symbols, and using unique passwords for different websites.
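The guessing strategies named above (the most common passwords, dictionary words, passwords seized from another site) are exactly what a password policy should test for at the point a password is set. The following is an added example, not code from the original article: a checker that applies the practices listed in this section. The common-password list, the dictionary and the breached-hash set are tiny constructed stand-ins for the large lists a real deployment would load from disk; the SHA-1 comparison mirrors the hashed form in which breach corpora are usually distributed, and the twelve-character minimum is an assumed policy value.

```python
"""Password policy checks for the practices listed in the article.

Added example, not code from the original article. COMMON_PASSWORDS, DICTIONARY
and BREACHED_HASHES are constructed stand-ins for real lists; MIN_LENGTH is an
assumed policy value.
"""
import hashlib
import re

COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "password1", "welcome"}
DICTIONARY = {"summer", "winter", "dragon", "monkey", "football", "company"}
# Leet substitutions guessers already undo: @->a 0->o 1->l 3->e $->s !->i
LEET = str.maketrans("@013$!", "aolesi")
MIN_LENGTH = 12


def sha1_hex(pw: str) -> str:
    """Hash in the form breach corpora are commonly published (constructed set below)."""
    return hashlib.sha1(pw.encode("utf-8")).hexdigest()


# Constructed 'seized from another site' corpus: hashes of a few leaked passwords.
BREACHED_HASHES = {sha1_hex(p) for p in ("Summer2023!", "Welcome1", "Company2019")}


def normalise(pw: str) -> str:
    """Reduce a password to the word a guesser would start from.

    Lower-cases, strips leading/trailing digits and symbols ('summer2024!' -> 'summer'),
    then undoes leet substitutions ('Dr@g0n' -> 'dragon').
    """
    base = pw.lower()
    base = re.sub(r"[^a-z]+$", "", base)
    base = re.sub(r"^[^a-z]+", "", base)
    return base.translate(LEET)


def character_classes(pw: str) -> int:
    """Count how many of lower / upper / digit / symbol appear."""
    patterns = (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")
    return sum(1 for p in patterns if re.search(p, pw))


def check_password(pw: str) -> list:
    """Return the list of policy problems; an empty list means the password is accepted."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if character_classes(pw) < 3:
        problems.append("fewer than three character classes")
    base = normalise(pw)
    if pw.lower() in COMMON_PASSWORDS or base in COMMON_PASSWORDS:
        problems.append("appears in common-password list")
    if base in DICTIONARY:
        problems.append(f"dictionary word '{base}' with trivial decoration")
    if sha1_hex(pw) in BREACHED_HASHES:
        problems.append("appears in a known breach corpus")
    return problems


if __name__ == "__main__":
    for candidate in ("P@ssw0rd!", "Summer2023!", "Ternary-Lighthouse-27!"):
        print(candidate, "->", check_password(candidate) or ["accepted"])
```

The normalisation step is what makes the dictionary and common-password checks useful in practice: a rule that only rejects the literal word `password` is defeated by `P@ssw0rd!`, which satisfies the four-character-class requirement yet is among the first guesses any attacker makes. Uniqueness across sites cannot be verified by a single system, which is why the breach-corpus comparison stands in for it here.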

5. Make technical support the first port of call for problems

In the unfortunate event that one of your employees falls victim to ransomware, they’re likely to be shown an error message asking for payment, or asking them to click a link or call a phone number.

Genuine error messages would never ask for payment, nor would they include manipulative language that’s designed to incite fear in the user, and your employees should be aware of this.

If they ever receive error messages, their first port of call should always be technical support, who will be able to determine if the error message is genuine, and what action should be taken.