Robust DR Planning Helps Combat Rising Retail Ransomware Attacks

Retail businesses are vulnerable to all sorts of disasters that can interrupt operations, ranging from natural threats such as storms, fires and floods to environmental events such as power outages, cable cuts and HVAC failures. However, the most dangerous threats to retail operations these days are decidedly man-made.

Retail organizations are now prime targets for ransomware attacks. More than three-quarters (77 percent) of retailers experienced at least one such attack last year, according to the 2022 Sophos State of Ransomware report. And the worst may be yet to come. Industry analysts anticipate a sharp spike in ransomware during the current holiday season when retailers stand to record about 25 percent of their annual sales totals. Malicious actors fully understand that retailers can’t afford downtime and lost sales during this critical period and are likely to simply pay a ransom without delay or negotiation.

While retailers can often prevent ransomware attacks with a variety of strong cybersecurity measures, they must also be prepared for worst-case scenarios. When an attack successfully breaches network defenses, a well-designed disaster recovery (DR) plan can help retailers minimize the impact by outlining steps necessary to restore data and resume operations as quickly as possible.

Not enough retailers have made such preparations, however. According to the Sophos report, less than half of retail organizations have a “full and detailed” DR plan. Ransomware victims often choose to simply pay the ransom, but that doesn’t always produce the desired effect. According to a recent Cybereason report, only 9 percent of retailers get all their data back after paying a ransom.

Here are three basic elements every retail DR plan should address:

1) IT Asset Protection

Robust backup practices help ensure that resources can be reliably accessed in the event of an attack. The 3-2-1 approach to backup calls for making three separate copies of data, storing them on two different types of media with one copy stored at an offsite location. Because some ransomware strains target backup systems, your plan should include an option for an immutable backup that cannot be altered or deleted. This ensures you have an untouched version of data that is always recoverable and safe from any attack or system failure.

2) Containment & Eradication

Once an attack has been identified, you should isolate infected servers and endpoints as soon as possible to protect networked and shared resources. All network passwords and online account passwords should also be changed as soon as possible. Following these initial containment efforts, you can focus on long-term corrective measures that will allow systems to be restored for use in production environments. This includes removing malware from all affected systems, finding and removing accounts or backdoors left by attackers, and installing security patches on affected systems. In severe cases, you may need to completely reimage hard drives to ensure that malware is removed and can’t cause reinfection.

3) Post-Attack Analysis

Conduct post-attack forensics to understand how the attack happened and how other attacks can be prevented in the future. Work with IT staff to evaluate decisions made during the recovery process and how they might be improved. If the attack resulted from an employee error such as opening an infected email or web link, implement additional awareness training efforts to reduce your risk profile.

Ransomware attacks on retail operations will almost certainly increase during the holiday shopping season. If you don’t already have a plan, now is the time to make one. If you do have a plan, test it now to ensure there are no flaws that could place your organization at risk. If you aren’t sure where to begin, give us a call. SageNet can help you develop and implement a plan that will boost your ability to survive a disaster.