More than 300 Spar convenience stores have been affected by a significant cyber-attack on the company's IT systems. Many of these stores have been forced to close until the true extent of the damage can be assessed. Any stores that have managed to stay open are operating on a cash-only basis, due to the damage caused to Spar's till systems by the attack.
What caused Spar's cyber-attack?
Exactly how Spar's systems were compromised is yet to be discovered. However, it has already been disclosed that the company fell victim to a ransomware attack. This usually indicates that there has been a successful phishing attack, or that someone in the network has downloaded a malicious file.
How does a Ransomware attack work?
Ransomware is a form of malware, and the key to its objective lies in the prefix, 'ransom'. Ransomware infects an organisation's IT infrastructure in much the same way as most malware, e.g., through targeted phishing attacks or malicious downloads, and its purpose is to hold the owner to ransom. Users – and indeed entire organisations – are locked out of their systems and told to pay a ransom (usually in hard-to-trace cryptocurrency) in return for unlocking the device.
Once the ransomware has accessed an organisation's system, it works to either encrypt the entire system or target individual files, depending on the type of ransomware and the cybercriminal's intent. Once the files are encrypted, the owner can be locked out of their system until they either pay the fee or decode the attack. It is worth noting that the advice here is not to pay the ransom, since there is no guarantee the hacker will return access to your system.
- Files and links sent via email, instant messaging services or other digital communication channels.
- Downloaded onto a device using fake alerts and threats while utilising exploit kits and trojan downloaders.
Emails and messages are sent to the target recipients that contain links to, or attachments of, what appear to be documents. However, these are not documents, but executable programmes that, once installed, activate the crypto ransomware.
These malicious files can look like Word, Excel, ZIP folders, or any other popular email attachment. The email itself does not trigger the infection but opening/downloading the attachments or links does.
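As an added illustration (not part of the original article), a mail gateway or help-desk script can compare what an attachment's name claims with what its first bytes actually are, which catches the "executable dressed as a document" case described above. The extension list and the sample file names and bytes are assumptions constructed for this example.

```python
# Added example: flag attachments whose content does not match the document
# type their name claims. All file names and bytes below are constructed.
import os

# Leading "magic" bytes of the formats the article names.
ZIP_MAGIC = b"PK\x03\x04"                        # .zip, .docx, .xlsx (OOXML is a ZIP container)
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .doc / .xls
EXPECTED = {".zip": ZIP_MAGIC, ".docx": ZIP_MAGIC, ".xlsx": ZIP_MAGIC,
            ".doc": OLE_MAGIC, ".xls": OLE_MAGIC}
# Content that is a program, whatever the file is called.
EXECUTABLE_MAGIC = {b"MZ": "Windows executable (PE)", b"\x7fELF": "ELF executable"}
# Extensions Windows will run on double-click; an assumed, non-exhaustive list.
RUNNABLE_EXT = {".exe", ".scr", ".com", ".bat", ".cmd", ".js", ".vbs", ".lnk"}

def inspect_attachment(filename, head):
    """Return reasons to quarantine the file; an empty list means no finding."""
    findings = []
    name = filename.strip().lower()
    stem, ext = os.path.splitext(name)
    inner_ext = os.path.splitext(stem)[1]   # e.g. ".xlsx" in "report.xlsx.exe"
    for magic, label in EXECUTABLE_MAGIC.items():
        if head.startswith(magic):
            findings.append(f"content is a {label}")
    if ext in RUNNABLE_EXT and inner_ext in EXPECTED:
        findings.append(f"double extension: {inner_ext}{ext}")
    elif ext in RUNNABLE_EXT:
        findings.append(f"runnable extension: {ext}")
    if ext in EXPECTED and not head.startswith(EXPECTED[ext]):
        findings.append(f"{ext} name but content is not a {ext} file")
    return findings

# Constructed samples: (file name as shown to the user, first bytes of the file).
SAMPLES = [
    ("invoice.docx", ZIP_MAGIC + b"\x14\x00"),   # genuine OOXML header
    ("invoice.docx", b"MZ\x90\x00\x03\x00"),     # executable renamed to .docx
    ("report.xlsx.exe", b"MZ\x90\x00\x03\x00"),  # relies on hidden file extensions
    ("minutes.doc", OLE_MAGIC),                  # genuine legacy Word header
]

if __name__ == "__main__":
    for fname, head in SAMPLES:
        print(fname, "->", inspect_attachment(fname, head) or "no finding")
```

An empty result only means the file is the type it claims to be; a genuine Office document can still carry a malicious macro, so this check complements rather than replaces attachment scanning.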
Exploit kits can be thought of as digital toolboxes that cyber criminals plant on websites. They automatically probe each website visitor for a vulnerability in their security defences. If a vulnerability is found, the exploit kit will automatically download and run the crypto ransomware on the device.
A pop-up screen then appears, pretending to be from a well-known brand such as Apple, Microsoft, Norton, etc., telling the user their system has a virus. It instructs the user not to shut the device down and provides a telephone number to call to access support. If the user tries to close the pop-up, it returns immediately, locking the user out of the device.
If a user falls for the pop-up and calls the service number, a cyber criminal posing as a service technician establishes a remote connection to the device and asks for payment to fix the issue. They may also load other software onto the device, as well as try to sell anti-virus software to the user.
While most businesses understand the need to be alert to the dangers of cyberattacks, some do not invest in the most basic of defences – knowledge. There is no better preventative measure than ensuring all staff across an organisation understand the types of cyber threats they may be exposed to, how to recognise each of these threats, and what their role is in combating them.
Businesses should have an annually refreshed, mandatory cyber security training programme to ensure employees understand the basics of how to spot and combat cybercrime. This is not only helpful to an organisation's cyber safety, but it can be applied at home by employees too.
There needs to be a culture of compliance created within the working environment to help develop a watchful eye in every employee within the organisation.
Common Ransomware methods once a system infection has started
Once a system has been infected by a download or link click there are some tell-tale signs that individuals should look out for.
- Illegal content claims:
Cybercriminals pose as law enforcement or a regulatory body. They will claim to have found illegal content on the infected computer and will ask for a penalty fee to be paid.
- Unlicensed applications:
Much like the above, the cybercriminal will ask for a fee to be paid due to an unlicensed programme.
Unfortunately, most of the time, once a system is infected, a cybercriminal will be less shy about ransoming an IT system than the above examples. Much like Spar's example, business systems are shut down with no warning by the attacker. It is critical to use a comprehensive security software package, as well as training staff to be a business's first line of defence against cyber-attacks.