Ransomware’s lucrative next stop? The Point of Sale

With the influx of credit card breaches over the past few years at major brands, hackers may have reached a point of supply exceeding demand, as awareness of breaches, security on credit cards, and excess supply have all led to a reported drop in prices on the dark web for stolen data.

Researchers have seen prices for stolen card information drop from $30 to as low as $5, depending on the data.

If we are to believe that the price of stolen credit card data is in fact dropping, where are hackers going to turn next? The instances of point of sale (POS)-based ransomware have been sporadic so far, but what’s to stop the POS malware trend from turning into this potentially devastating, evolved threat? If retailers don’t protect themselves properly, this is a very real possibility for 2018.

It’s not just about paying the ransom

Malware takes months to siphon credit card data from infected systems. Rather than gain access to a national chain’s POS to exfiltrate credit cards, cybercriminals could deploy ransomware that shuts down the POS systems… effectively bringing the business and all revenue to a screeching halt.

In the case of a retailer, ransomware isn’t about paying to get data back, it’s about paying to get access to your POS systems back, and, hence, bring your business back to life. It becomes a cost of lost revenue exercise, a much more tangible problem to retailers for whom a day of lost revenue may never be recovered.

This would likely prompt stores to pay the ransom right away, allowing the threat actors to profit within minutes. And with the impressive success of the global WannaCry and NotPetya outbreaks this year, cybercriminals are taking notice of what works.
Companies hit by these attacks will be in a do-or-die position, because these incidents are often very public and disabling. They could suffer:

  • Immobilized store operations and sales for the period of the attack
  • An inability to access much or all of critical business systems
  • Loss of consumer trust and revenues, as shoppers take their business elsewhere
  • The potential that customers will never return due to fears of having their financial data compromised
  • Potential total loss of customer and business data if systems are not fully restored.

What about the damage?

To put the potential damage in perspective, at big brand retailers, stolen credit card data could net upwards of $10 million. A great return for sure, but that requires that malware sits undetected for months. Let’s think about the impacts to that business if that same breach was ransomware instead of malware, and now only has to persist for seconds to be effective.

Consider a major national retail chain with annual revenues of $1.25 billion – about $3.5 million per day. If ransomware were to have infected that retailer instead of card-stealing malware, and that ransomware halted their POS system, that brand would bleed $3.5 million per day in actual revenue, plus more in data breach fines, brand reputation, and customer loyalty loss.

One has to believe that such a retailer would, however reluctantly, pay a ransom of that same $10 million — less than it would lose by restoring operations on its own over just 2-3 days. That’s the same revenue netted from the card-stealing malware, but now requiring seconds of persistence rather than months.

Stay ahead of threats

This goes to show that a major ransomware attack could forever harm the competitiveness of a large retailer. It could even put a small- to medium-size retailer out of business after just one breach. To prevent this from happening, retailers should set up a next-generation security system. Buy, build, or borrow the resources to stay ahead of threats and stop ransomware in its tracks with:

  • A next-generation firewall that includes rules you configure to control incoming and outgoing traffic. Manage it 24/7 to make it effective.
  • Properly deploy SIEM to analyze all of your data, filtering out the ‘noise’ or false positives that can make it difficult to detect threat patterns and anomalies that indicate early-stage attacks. The SIEM will issue alerts, so that you can take immediate action when warranted.
  • Employ Threat Detection and Response that will detect incoming and existing malware, whether it is located on a POS system, workstation, or network. Set it to automate immediate, direct remediation, which will help with some threats.
  • Augment your team with SOC-as-a-Service, to do around-the-clock monitoring, evaluation, and response of all security alerts. This team can evaluate the universe of threats you face, triage them, and escalate resources to deal with critical threats on an ongoing basis.
  • Leverage the power of machine learning with User Entity Behavior Analysis (UEBA). This model will do a deep dive on your logs and reports to get better and better at threat detection over time.
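To make the SIEM and UEBA bullets concrete, here is an added example (not code from the original post or from any product it names) of a small correlation rule: it baselines each POS host's own transaction rate, then alerts only when a burst of file writes on that host coincides with a sustained drop in sales for more than one window. Requiring both signals across consecutive windows is the "noise filtering" the SIEM bullet describes: a one-off burst of writes with sales continuing (a software update, say) never fires. The log format, host names, thresholds and timestamps are all constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean


@dataclass
class Event:
    ts: datetime
    host: str
    kind: str  # "txn" (a sale rung up) or "file_write" (file created/renamed on the host)


def parse_line(line: str) -> Event:
    """Parse one constructed log line of the form '<ISO timestamp> <host> <kind>'."""
    ts, host, kind = line.split(" ", 2)
    return Event(datetime.fromisoformat(ts), host, kind)


def window_start(ts: datetime, minutes: int) -> datetime:
    """Floor a timestamp to the start of its N-minute window."""
    floored = ts.replace(second=0, microsecond=0)
    return floored - timedelta(minutes=floored.minute % minutes)


def count_per_window(events, minutes):
    """Count txn and file_write events per (host, window)."""
    counts = defaultdict(lambda: {"txn": 0, "file_write": 0})
    for e in events:
        counts[(e.host, window_start(e.ts, minutes))][e.kind] += 1
    return counts


def detect(lines, minutes=5, write_burst=50, min_windows=2, txn_drop=0.5):
    """Correlation rule (thresholds are assumed, tune per environment): alert on a
    host once, after `min_windows` consecutive windows in which file writes reach
    `write_burst` AND transactions fall below `txn_drop` of that host's own
    baseline. Returns a list of (host, window_start)."""
    counts = count_per_window(map(parse_line, lines), minutes)
    alerts = []
    for host in sorted({h for h, _ in counts}):
        windows = sorted(w for h, w in counts if h == host)
        # Baseline = mean txn count over this host's windows with no write burst
        # (the per-entity "normal" a UEBA model would learn over time).
        quiet = [counts[(host, w)]["txn"] for w in windows
                 if counts[(host, w)]["file_write"] < write_burst]
        baseline = mean(quiet) if quiet else 0.0
        streak = 0
        for w in windows:
            c = counts[(host, w)]
            if c["file_write"] >= write_burst and c["txn"] < baseline * txn_drop:
                streak += 1
                if streak == min_windows:  # fire once per sustained episode
                    alerts.append((host, w))
            else:
                streak = 0
    return alerts


def make_sample_log():
    """Constructed sample: six 5-minute windows for three POS lanes in one store."""
    t0 = datetime(2017, 12, 1, 9, 0)  # constructed start time
    lines = []

    def emit(host, window, txn, writes):
        base = t0 + timedelta(minutes=5 * window)
        for i in range(txn):
            lines.append(f"{(base + timedelta(seconds=i)).isoformat()} {host} txn")
        for i in range(writes):
            lines.append(f"{(base + timedelta(seconds=100 + i)).isoformat()} {host} file_write")

    for w in range(6):
        emit("pos-lane1", w, txn=20, writes=3)  # healthy lane throughout
    for w in range(6):
        # lane2: from window 3 on, a write burst and sales stop (the halted-POS case)
        emit("pos-lane2", w, txn=20 if w < 3 else 1, writes=3 if w < 3 else 80)
    for w in range(6):
        # lane3: a single write burst while sales continue (noise, e.g. an update)
        emit("pos-lane3", w, txn=20, writes=80 if w == 2 else 3)
    return lines


if __name__ == "__main__":
    for host, window in detect(make_sample_log()):
        print(f"ALERT {host}: write burst with sales stopped since {window.isoformat()}")
```

Running it alerts only on `pos-lane2`, at the second consecutive bad window (09:20); `pos-lane3`'s one-off burst is suppressed because its sales never dropped, and `pos-lane1` never trips either condition. Lowering `min_windows` to 1 moves the alert earlier at the cost of more false positives, which is exactly the tuning trade-off a SOC team makes when filtering SIEM noise.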

These tips should enable companies to expand their businesses while keeping their customers’ data secure and loyalty strong in 2018 and beyond—even as enterprising cybercriminals move toward the lucrative POS ransomware approach.
