Defending the Retail Sector Against Ransomware Attacks

Nearly half of all retailers fell victim to a ransomware attack in 2021. Sadly, 54% reported having their data encrypted and 58% reported having to resort to layoffs after suffering the attack. 

One in three retailers attacked will pay the ransom, but less than ten percent will receive all their data back, noted ITPro. And 80% of victims who pay the ransom end up getting hit with another attack, as we discovered in our recent report, Ransomware Attacks and the True Cost to Business 2022. So, what can be done to keep retail safe?

Retail Sector: A Prime Ransomware Target

What makes the retail sector such a prime target for ransomware? There are several reasons in play:

  • “Always on” means no time to negotiate: What makes retail so attractive to ransomware operators is that it requires 100% uptime to operate successfully, as noted by ZDNet. Every second your site is down you lose money. Because time is of the essence, that additional pressure means a higher likelihood for a ransom payout.
  • Sensitive consumer info up for grabs: Let’s not forget the obvious – attackers are often also going after payment card info, and nowhere is that more abundant than in online retail operations. Plus, all the sensitive data like shipping info, email addresses and other personally identifying factors gleaned in retail databases makes a significant payload for attackers to either exploit for double extortion or resell to other bad actors.
  • IoT-heavy business ops: As retailers continue to modernize with cloud deployments and ever-more-convenient POS (point of sale) systems, security cameras, consumer-friendly apps and other IoT devices designed to make shopping seamless – they inadvertently widen their attack surface while making themselves more vulnerable. Many IoT devices are not designed with security in mind, so latent vulnerabilities and unpatched bugs jeopardize the security of the network.

Ransomware Trends in Retail

Here are some ransomware trends to watch affecting retail this next year: 

  • Supply Chain Attacks: Behind the constant output of large retail chains is a network of suppliers, manufacturers, shippers, and third-party vendors, each with varying levels of cybersecurity. The risk of supply chain attacks is high in this environment, and it not only increases the number of ways a ransomware attack can enter the environment, but also increases the potential for damage beyond just the initial victim. For example, REvil’s Kaseya attack ended up impacting 1,500 upstream customers.
  • Double Extortion and Beyond: Double extortion schemes may be old news, but we’ll see a lot of the tactic as the year goes on. Attackers not only exfiltrate sensitive data prior to encryption and threaten to leak it if they don’t get paid; in further extortion schemes, they also threaten to leak sensitive financial data to competitors or to investors shorting the stock.
  • Ransomware as a Service (RaaS): The digital transformation has been transformational for all of us, and attackers are deciding it’s time to work smarter, not harder, too. RaaS is exactly what it sounds like – ransomware attack platforms for hire. This not only makes attacks easier but more prevalent as bad actors with minimal skill can also get into the mix – so long as they pay a portion of the proceeds to the RaaS providers. REvil, Netwalker and Grief are all examples of RaaS groups. 
  • Unpatched Systems: Ransomware actors are still taking advantage of the low-hanging fruit. There are legacy systems with old bugs, and newer systems with unpatched vulnerabilities that make the task of infiltrating a network all too easy for attackers. 

Increasingly Complex Ransomware Attack Sequences

You’re now more likely to find ransomware tacked on to the tail end of an elaborately crafted attack sequence—ransomware in its most pernicious, pervasive and professional form we have seen yet.

While APTs (Advanced Persistent Threats) are most often associated with nation-state attacks, these complex, low-and-slow campaigns are increasingly seen in the bigger ransomware operations, or RansomOps. The goal is to infiltrate as much of a targeted network as possible in order to extract the highest ransom demand possible.

Recently, the foreign exchange services retailer Travelex paid $2.3 million to get their systems back online, and one of Asia’s largest retailers, the Dairy Farm Group, faced a $30 million ransom demand when their email systems were taken over in a double-extortion attack.  

Defending Against Ransomware Attacks

Prevention always costs less than the cure, and that is particularly applicable when it comes to ransomware. An effective ransomware prevention plan includes actions like:

  • Following Security Hygiene Best Practices: This includes timely patch management and assuring operating systems and other software are regularly updated, implementing a security awareness program for employees, and deploying best-in-class security solutions on the network.
  • Implementing Multi-Layer Prevention Capabilities: Prevention solutions like NGAV should be standard on all enterprise endpoints across the network to thwart ransomware attacks leveraging both known TTPs as well as custom malware.
  • Deploying Endpoint and Extended Detection and Response (EDR and XDR): Point solutions for detecting malicious activity like a RansomOps attack across the environment provide the visibility required to end ransomware attacks before data exfiltration occurs, or before the ransomware payload can be delivered.
  • Assuring Key Players Can Be Reached: Responders should be available at any time of day as critical mitigation efforts can be delayed during weekend/holiday periods. Having clear on-call duty assignments for off-hours security incidents is crucial.
  • Conducting Periodic Table-Top Exercises: These cross-functional drills should include key decision-makers from Legal, Human Resources, IT Support, and other departments all the way up to the executive team for smooth incident response.
  • Ensuring Clear Isolation Practices: This can stop further ingress into the network or the spread of ransomware to other devices or systems. Teams should be proficient at disconnecting a host, locking down a compromised account, blocking a malicious domain, etc. 
  • Evaluating Managed Security Services Provider Options: If your security organization has staffing or skills shortages, establish pre-agreed response procedures with your MSPs so they can take immediate action following an agreed-upon plan.
  • Locking Down Critical Accounts for Weekend and Holiday Periods: The usual path attackers take in propagating ransomware across a network is to escalate privileges to the domain-admin level and then deploy the ransomware. Teams should create highly-secured, emergency-only accounts in Active Directory that are only used when other operational accounts are temporarily disabled as a precaution or inaccessible during a ransomware attack. For more information on weekend and holiday ransomware threats, refer to our other 2021 study, Organizations at Risk: Ransomware Attackers Don’t Take Holidays.
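As an added example (not code from the original post or from Cybereason), the following PowerShell sketches the holiday lockdown described above: it refuses to run unless the emergency-only (break-glass) accounts exist and are enabled, disables the remaining privileged operational accounts, logs each action, and can reverse only what it disabled. The group names, break-glass account names and log path are assumptions for an imaginary domain.

```powershell
# Added example, not from the original post. Holiday lock-down of privileged
# Active Directory accounts while keeping designated break-glass accounts enabled.
# Assumes the RSAT ActiveDirectory module and a session with rights to disable accounts.
Import-Module ActiveDirectory

$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins')  # assumption
$BreakGlass = @('bg-admin-01', 'bg-admin-02')       # hypothetical emergency-only accounts
$LogPath = 'C:\SecOps\holiday-lockdown.log'         # placeholder; directory must exist

function Write-LockdownLog([string]$Message) {
    Add-Content -Path $LogPath -Value ("{0:u} {1}" -f (Get-Date), $Message)
}

function Get-PrivilegedOperationalAccounts {
    # -Recursive expands nested groups and returns leaf principals only
    $members = foreach ($g in $PrivilegedGroups) {
        Get-ADGroupMember -Identity $g -Recursive | Where-Object { $_.objectClass -eq 'user' }
    }
    $members | Sort-Object -Property SamAccountName -Unique |
        Where-Object { $BreakGlass -notcontains $_.SamAccountName }
}

function Invoke-HolidayLockdown {
    # Abort if any break-glass account is missing or disabled; otherwise the
    # team could lock itself out of the domain during an incident.
    foreach ($name in $BreakGlass) {
        $u = Get-ADUser -Filter "SamAccountName -eq '$name'"
        if (-not $u -or -not $u.Enabled) {
            throw "Break-glass account '$name' is missing or disabled; aborting lockdown."
        }
    }
    foreach ($acct in Get-PrivilegedOperationalAccounts) {
        Disable-ADAccount -Identity $acct.SamAccountName
        Write-LockdownLog "Disabled $($acct.SamAccountName) for holiday lockdown"
    }
}

function Undo-HolidayLockdown {
    # Re-enable only the accounts this script disabled, as recorded in the log
    Get-Content $LogPath | ForEach-Object {
        if ($_ -match 'Disabled (\S+) for holiday lockdown') {
            Enable-ADAccount -Identity $Matches[1]
            Write-LockdownLog "Re-enabled $($Matches[1]) after holiday lockdown"
        }
    }
}

# Usage: run Invoke-HolidayLockdown before the holiday and Undo-HolidayLockdown after it.
```

Break-glass credentials should be stored offline and their use alerted on, since any logon to them outside a declared incident is itself a signal worth investigating.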

Ultimately, a multi-layered defense approach should allow you to analyze ALL data in real-time (not just endpoint data), protect you against double extortion, and prevent never-before-seen executables so you can truly have a proactive anti-ransomware strategy in place.

Cybereason is dedicated to teaming with defenders to end ransomware attacks on the endpoint, across enterprise, to everywhere the battle is taking place. Learn more about predictive ransomware defense here or schedule a demo today to learn how your organization can benefit from an operation-centric approach to security.

About the Author

Anthony M. Freed

Anthony M. Freed is the Senior Director of Corporate Communications for Cybereason and was formerly a security journalist who authored feature articles, interviews and investigative reports which have been sourced and cited by dozens of major media outlets. Anthony also previously worked as a consultant to senior members of product development, secondary and capital markets from the largest financial institutions in the country, and he had a front row seat to the bursting of the credit bubble.