Like so many other things over the past year and a half, the ransomware/malware landscape has changed quite a bit, and not for the better. The sudden shift to a work-from-home (WFH) environment forced many businesses to come up with patchwork solutions, and the inevitable security flaws that resulted were quickly exploited by the bad guys.
How big was the spike? ABC News estimated an increase of 600% in malicious emails during the pandemic, and the pace of ransomware attacks nearly doubled in the first half of 2021 (source: Cognyte).
There have been a few major attacks targeting the cannabis industry, but remember the saying: “There are two kinds of companies; those who’ve been hacked and those who don’t know it yet.” Several estimates agree that 2021 has seen a pace of one ransomware attack every 11 seconds, and cannabis dispensaries possess vital stores of customer data, so simply hoping for the best is not an option. Worse still, beyond the sheer number of attacks, the malware environment has changed dramatically.
5 things you may not know about ransomware.
1.) Your backups won’t save you. In the good old days, you paid the ransom and your data was decrypted, and if you had current backups you might not need to pay the ransom at all. No more. Most ransomware attacks now take the form of extortionware, meaning you pay the ransom or your sensitive employee and customer data gets published to the Dark Web or leaked to your competitors. While backups are still important to safeguard your data from hardware failure and other issues, they won’t protect you in this case.
2.) Everyone can play. The tech world was changed in a good way by software as a service (SaaS), which replaced boxes full of disks and manuals with subscription-based platforms. Now comes the other side of that coin, ransomware as a service (RaaS). Someone with ill intent now needs zero technical skills to get in the game … they can buy ransomware right off the shelf on the Dark Web, in exchange for a promise to split the proceeds with the developers. In other words, the number of potential bad actors has grown exponentially.

Costs are spiraling. According to Purplesec, the average ransomware payment in early 2021 increased by 82% year over year. Worse, while estimates on this vary, most agree that the actual ransom figure is a relatively small percentage of the total cost to a business. Add in lost revenue from downtime, reputational damage and, in a worst-case scenario, litigation over compromised customer or employee data, and the costs grow quickly. With cannabis dispensaries being repositories for sensitive personal and medical information, it’s easy to see them as ripe targets for ransom attacks.
3.) Phishing? Yes … and no. Conventional wisdom dictates that ransomware attacks usually occur when an employee inadvertently opens a malicious file, the classic phishing attack. This remains a real concern, and employees should be regularly trained to spot these attempts. But in recent conversations with security professionals, we’re hearing of more incidents where system admin credentials are stolen, or – even more chillingly – team members are bribed with a portion of the ransom proceeds to hand over those credentials. Be careful whom you trust.
4.) Ransom isn’t the only game in town. While ransomware attacks deservedly get most of the headlines, your email is another ripe target. In fact, there are so many different types of email attacks (phishing, spear phishing, clone phishing, whaling, pharming, angler phishing and more) that it’s hard to keep track of the differences. In one common scenario, your client receives an email that appears to be from you, explaining that you’ve changed financial institutions and that they should pay their invoice by clicking on a link in the email. They pay, you never see the money … and you can’t very well bill them again.
5.) Patience. One misconception about ransomware and other attacks is that your employee clicks a malicious link or attachment and you’re instantly locked down. This is typically not so. Having gained access to your network, hackers will take their sweet time and poke around, finding where the sensitive data lives, where the weaknesses are … and which of your email contacts are likely to respond to that invoice request. You may not know anything has happened until days or weeks after you’ve been compromised.
3 best practices for avoiding a cyber attack.
Even with the changing landscape of ransomware, the best practices for avoiding an attack haven’t changed all that much.
1.) Employees still should be trained thoroughly on spotting and avoiding phishing attempts, and on the social engineering tactics that drive some attacks. Coach them on passwords, too: don’t reuse passwords from one site to another and don’t use words that can be found in the dictionary, for a start.
2.) If you’ve had to enter the code texted to you when you tried to log in to view your credit card balance, you know what two-factor authentication is (2FA, the most common form of multi-factor authentication, or MFA). It’s a real pain. And it’s also one of the most effective ways to prevent being hacked. In short, it’s worth the hassle. Your team will get over the inconvenience.
3.) Too often we see companies put the cart before the horse in choosing software solutions and then trying to build appropriate security around them. Instead, begin with a holistic approach to your network and its security. Then and only then should you choose software that will fit that profile.
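As an added illustration of the first two practices above, the following Python is example code written for this article; it is not a tool from the original post or from any vendor. It uses only the standard library and shows two pieces: a password-policy check that rejects short passwords, passwords built on a dictionary word and passwords reused from a salted PBKDF2 history, and an RFC 6238 TOTP verifier of the kind behind the six-digit codes an authenticator app shows (the article mentions texted codes; an app-based second factor is assumed here because it can be demonstrated offline). The word list, the PBKDF2 work factor and the sample passwords are constructed for the example; the TOTP seed is the published RFC 6238 test key, not a real secret.

```python
import base64
import hashlib
import hmac
import os
import re
import struct
from typing import List, Optional, Tuple

# --- Practice 1: password hygiene -----------------------------------------
# Constructed word list for illustration; production code would load a real
# dictionary and a breached-password list instead.
COMMON_WORDS = {"password", "welcome", "dispensary", "cannabis", "summer"}
MIN_LENGTH = 12
PBKDF2_ROUNDS = 100_000  # assumed work factor; tune for your hardware


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest) for storage."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def was_used_before(password: str, history: List[Tuple[bytes, bytes]]) -> bool:
    """Reuse check: re-derive with each stored salt and compare in constant time."""
    for salt, digest in history:
        _, candidate = hash_password(password, salt)
        if hmac.compare_digest(candidate, digest):
            return True
    return False


def password_violations(password: str, history: List[Tuple[bytes, bytes]]) -> List[str]:
    """Return the policy rules a candidate password breaks (empty list = accepted)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    # Strip digits and symbols so "Cannabis2021!" is still caught as a dictionary word.
    letters_only = re.sub(r"[^a-z]", "", password.lower())
    if letters_only in COMMON_WORDS:
        problems.append("based on a dictionary word")
    if was_used_before(password, history):
        problems.append("reused from password history")
    return problems


# --- Practice 2: second factor (TOTP, RFC 6238) ---------------------------

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) with dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-based code: the HOTP counter is the number of 30-second steps since the epoch."""
    return hotp(secret, int(at_time) // step, digits)


def verify_totp(secret: bytes, submitted: str, now: int, last_used_counter: int = -1,
                step: int = 30, digits: int = 6, window: int = 1) -> Optional[int]:
    """Check a submitted code against the current step and +/- `window` neighbours
    (clock drift). Returns the matching counter, which the caller persists as
    last_used_counter, or None. Counters at or below last_used_counter are refused,
    so a code captured by an attacker cannot be replayed inside its validity window."""
    current = int(now) // step
    for drift in range(-window, window + 1):
        counter = current + drift
        if counter <= last_used_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits), submitted):
            return counter
    return None


def secret_from_base32(encoded: str) -> bytes:
    """Decode the base32 seed that authenticator apps scan; tolerates missing padding."""
    cleaned = encoded.strip().replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


if __name__ == "__main__":
    history = [hash_password("Summer2020!!")]          # constructed prior password
    print(password_violations("Summer2020!!", history))  # dictionary word and reuse
    print(password_violations("staple-horse-battery-91", history))  # accepted
    seed = secret_from_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")  # RFC 6238 test key
    code = totp(seed, 59)
    print(code, verify_totp(seed, code, 59))
```

The reuse check deliberately re-hashes the candidate with every stored salt rather than comparing plaintext, so the history table never holds a usable password. On the TOTP side, the two details that most often go missing in home-grown implementations are the constant-time comparison and the stored last-used counter; without the latter a code that has been phished or intercepted remains valid for the rest of its window.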
The scary world of ransomware has gotten much scarier, there’s no doubt. Don’t just hope for the best … are you covered?