This blog post is part of Forrester’s Holiday 2019 retail series.

The number of ransomware attacks on enterprises is up 500% from this time last year. Threat actors are becoming increasingly sophisticated and targeted. Ransomware is a business, and these actors want to get paid.

Researcher Madeline Cyr interviewed me to help retailers understand the threat of ransomware for the upcoming holiday retail season.

How would a ransomware attack affect a retailer if it hit during Black Friday or Cyber Monday?

Besides the fact that I always seem to find myself in a jewelry store on December 24, I use Black Friday weekend and Cyber Monday to shop for deals. If a retailer were hit with a ransomware attack during this time period, I might not be able to access those deals during the time I am doing the most shopping. There is a chance I would wait for a website to come back online, but then again, I’m not that organized, so I’m probably going to end up on a competitor’s website to buy the item.

Do you think we will see an increase in ransomware attacks on retailers this holiday season?

Ransomware attacks are economically driven. We have seen a trend toward increasingly targeted ransomware attacks demanding larger ransoms, as opposed to the opportunistic attacks of previous years. To carry out a targeted attack, threat actors research their targets to figure out how to make it hurt enough that you will pay and how much they can squeeze out of you. Once they are inside your network, they search for the critical business systems they can reach and compromise. Sometimes they even find ways to encrypt your backups as well. What they want is the most leverage they can get before they attempt to extort you. They want you to have no choice but to pay for the decryption keys.

Black Friday, Cyber Monday, and the whole holiday season are a critical time for retailers. Therefore, threat actors may feel that this is the time when they have the most leverage in an extortion attempt. They may assume that a retailer faces losing a significant amount of revenue if its business systems are down at any point during this period. I could see a case where an adversary decides that the attack that would hurt a retailer most is encrypting its inventory system and its backups. And because what they are locking down is a small, well-chosen set of systems while the revenue at stake is large, you would be very tempted to pay for the key and decrypt.

What measures should retailers ensure are in place to defend themselves against ransomware attacks between now and Black Friday?

There are really three ways an adversary is going to get in: phishing, brute-force remote access using something like Remote Desktop Protocol (RDP), or hitting a vulnerable server that’s externally addressable. To combat this, you should consider using October as Cybersecurity Awareness Month to reinforce anti-phishing training and invest in an attack surface monitoring capability to understand the digital footprint of your environment. As an everyday security practice, you need to review your vulnerability management processes, specifically with an eye to your current risk posture, and understand any vulnerabilities that are outstanding that would be an easy way in.

Should retailers test their ability to recover from backup between now and Black Friday?

You should be constantly testing your ability to back up and, just as importantly, to restore. If you realize during the holiday season that you have not been diligent in this effort, you need to go through the exercise of identifying the critical assets you would need to restore for specific events. Let's take, for example, Cyber Monday: Determine the critical systems you need to recover to restore the business processes behind Cyber Monday. Figure out what your actual recovery points are and what you can realistically restore from cold storage, and how long that takes. And understand that adversaries are attacking you with an eye to doing the most damage.

Should retailers ever consider paying a ransom?

You should never automatically decide that you are going to pay or not pay. You need to build a parallel process through which you evaluate your ability to recover from backup and begin negotiations with the threat actor. (See my report, “Forrester’s Guide To Paying Ransomware.”) Though attacks can be more damaging during the holiday season, the process remains the same.