PCI Watch

Tracking changes across the Payment Card Industry
ℹ️
Reference Content: This is archived content from PCI Security Standards Council bulletins, preserved for tracking changes over time.
View Original →

Bulletin: Ransomware Attacks Back on the Rise

PDF

10 February 2022
BULLETIN: RANSOMWARE ATTACKS BACK ON THE RISE
The PCI Security Standards Council (PCI SSC) and the National Cybersecurity Alliance
want to highlight an ongoing and growing threat that requires urgent attention.
What is the threat?
Ransomware attacks have been front and center in the news recently due to high-profile
breaches that have impacted businesses across the globe. Over the calendar year
2021, it is estimated that ransomware attacks cost the world $20 billion and hit 37% of
all businesses and organizations. These cyber threats are real and require immediate
action to better protect against these ongoing criminal activities.
How do these attacks work?
Ransomware attacks have been around for years but are now increasing as cyber-
criminals see new opportunities due to the disruption created by the global COVID-19
pandemic, and as the ability to monetize these attacks has been made easier. Everyone
is vulnerable to ransomware attacks – businesses large and small as well as local,
state, and federal government entities.
A ransomware attack involves cybercriminals gaining access to your network, systems,
and data. These criminals may then use encryption to render parts of these unusable,
and potentially steal some of the data you have stored. The cybercriminal then
‘ransoms’ the data back requiring payment to provide a decryption key to allow for the
recovery of the encrypted data and systems or to guarantee sensitive data is not further
exposed.2 Ransomware attacks are often the result of a phishing attack where a
company employee clicks on a malicious link or the exploitation of known vulnerabilities
in outdated software that an organization has not updated using patches they receive
from software vendors.
Internet Crime Complaint Center (IC3) Ransomware Fact Sheet
What are some prevention best practices?
When it comes to protecting payment card data, which is often the target of a cyber-
attack, adherence to the PCI DSS is considered a best practice. PCI DSS is the global
data security standard adopted by the payment card brands for all entities that process,
store or transmit cardholder data and/or sensitive authentication data. It consists of
steps that mirror industry accepted security best practices and at a high level asks you
to consider:


● How do you keep the criminals out?
● How do you slow them down if they get in?
● How do you detect them and respond to that detection in the quickest and most
appropriate way?
For any ransomware event, it’s important to understand the scope of the data which
may have been potentially exposed. Criminals have been in your network and even if
data is not included in the ‘ransom’, it may have been copied to be used later. All such
data must be considered compromised, and appropriate actions taken.
For dealing with the threat of ransomware attacks related to payment security, the PCI
DSS can be helpful in addressing all three of the above. Best practices within the DSS
include:
KEEP THEM OUT
Train your employees - PCI DSS 12.6
● Develop a plan that educates your employees on the best ways to avoid these
types of attacks and how to handle an attack if one does occur.
● Most ransomware attacks start with a phishing email. Make sure your employees
are aware of the risks and are trained on how to recognize phishing emails.
Suspicious emails should be reported as phish, then deleted.
● Think before you click. Emails can look like they come from anyone in the
company. If there are any questions, always contact that person to confirm
before clicking on a link or opening a file.
● Contact the sender through their known contact information, not contact details in
the suspicious email.
Test your systems - PCI DSS 11
● Have you tested your systems lately to see if it’s easy for someone to break in?
Criminals are persistent, you should be too.
● A vulnerability provides a “broken” door that criminals can just walk through. It’s
important that vulnerabilities are fixed and that you have other controls, such as
those listed below in place to prevent a malicious individual from getting into your
systems.
SLOW THEM DOWN
Maintain a secure network - PCI DSS 1 and 2
● What does someone have access to once they are ‘in’ your network?
Configuring systems to isolate and secure sensitive data, such as cardholder
data, can reduce the impact of ransomware events. Reducing access to only
those people who ‘need to know’, and ensuring systems only use or provide the
services that are required, can help minimize your risk.
● Have you changed the vendor default passwords or settings in your systems?
Criminals will often use ‘dictionaries’ of known passwords to gain access.

Patch - PCI DSS 6


● Your vendors send you “patches” to fix problems in your payment systems or
other systems.
● When is the last time you checked for new security patches from your payment
system and software vendors?
● Patches close doors criminals use to get into your systems. Follow your vendors’
instructions and install patches as soon as possible.

DETECT AND RESPOND

Monitor - PCI DSS 10 and 11.5

● Are you monitoring your systems for changes or suspicious activity? Are
suspicious or unauthorized/unapproved changes investigated?
● Monitoring changes in your systems and critical system files helps you see when
someone makes a change you did not authorize or approve. Investigating the
changes as soon as they happen helps you find problems more quickly and
improve your chances of shutting down an attack.
● A change management process will help you determine if changes are approved.
If the change was not approved or is unknown, you should immediately
investigate to determine if your system has been compromised.

Backup your systems and prepare - PCI DSS 12.10

● Be careful that your backup does not overwrite previous good backups. This may
help prevent backing up the data encrypted by ransomware and overwriting a
good backup. Good practice, regardless of the backup method, is to take regular
full disk backups and incremental backups (which only back up the data that is
new since the last backup).
● Store backup data offsite and in a way that provides additional access controls
where possible (storing your backups “in the cloud” is a common method for
offline storage). This makes it easier to recover your most recent backup if your
data files are held for ransom. Keeping backups on-site or on systems connected
to your network makes them vulnerable to being attacked along with your
production systems.
● Keep multiple generations of backup and have a retention period consistent with
your organization’s ability to detect ransomware and its ability to reconstruct
using older records.
● Have you tested the integrity of your backups recently (both physical and virtual
backup systems)? Have you tested the backup and recovery process recently?
Making sure you can recover data from your backups is crucial in the event your
systems are locked by ransomware.
● When using cloud backups, ensure your cloud service provider is being diligent
and protecting against malware of all kinds. Cloud storage may also get locked
by the attacker if connected to the backup systems doing persistent
synchronization.
● You and your employees should know how to respond to an attack and what to
do when it happens, including who to contact. This should include formal
processes for identifying all sensitive data potentially exposed during the event,
so that this can be considered compromised – regardless of any restoration or
remediation processes.


● Make sure you have a plan in place and communicate it to your employees.
● Review this plan regularly and make an ongoing commitment to educating your
staff.

The Importance of Software Security

Software Security is also a key component to guarding against ransomware attacks,
since ransomware attacks often take advantage of outdated or insecure software. The
PCI SSC developed the PCI SSC Software Security Framework (SSF) which is a
collection of standards and associated certification programs that demonstrate good,
consistent security to protect payment data. There are two standards that have been
developed as part of this framework which were published in January 2019.
• The Secure Software Standard outlines security requirements and assessment
procedures to help ensure payment software adequately protects the integrity
and confidentiality of payment transactions and data.
• The Secure Software Lifecycle (Secure SLC) Standard outlines security
requirements and assessment procedures for software vendors to validate how
they properly manage the security of payment software throughout the entire
software lifecycle.

PCI SSC established the SSF because software development practices have evolved
over time, and the standards address these changes with an alternative approach for
assessing software security. Modern software development requires objective-focused
security to support more nimble development and update cycles than traditional
software development practices. The PCI SSF standards and programs support this
evolution in payment software practices. The framework provides flexibility to
demonstrate protection of payment data regardless of the development methodology or
software platform.

Conclusion and Resources:

Understanding the threat of ransomware attacks and the many ways to better protect
against them is important when dealing with this growing threat to organizations large
and small across the world. Ransomware attacks are not new, but they are increasing
in popularity among criminal syndicates. For more information about ransomware
attacks and ways to guard against them please consider the following resources:

PCI SSC Resource Guide

PCI SSC Document Library - Secure Software

The Value of the PCI Secure Software Lifecycle Standard for Software Vendors

Ransomware Guide - CISA MS-ISAC

FBI Information on Ransomware

Internet Crime Complaint Center (IC3) Ransomware Fact Sheet

NCA’s Ransomware 101 Tip Sheet

NCA’s Free Resource Library

###
About the PCI Security Standards Council
The PCI Security Standards Council (PCI SSC) leads a global, cross-industry effort to increase payment
security by providing industry-driven, flexible and effective data security standards and programs that help
businesses detect, mitigate and prevent cyberattacks and breaches. Connect with the PCI SSC
on LinkedIn. Join the conversation on Twitter @PCISSC. Subscribe to the PCI Perspectives Blog.


About the National Cybersecurity Alliance
The National Cybersecurity Alliance is a non-profit organization on a mission to create a more
secure, interconnected world. We advocate for the safe use of all technology and educate everyone on
how best to protect ourselves, our families, and our organizations from cybercrime. We create strong
partnerships between governments and corporations to amplify our message and to foster a greater
“digital” good. Our core efforts include Cybersecurity Awareness Month (October); Data Privacy Week
(January 24 - 28); and CyberSecure My Business™, which offers webinars, web resources and
workshops to help businesses be resistant to and resilient from cyberattacks. For more information,
please visit staysafeonline.org. Follow us on Twitter @StaySafeOnline and subscribe to our newsletter.