Up until May 12, 2017, ransomware had not gained the same notoriety as other types of cyberattacks, despite repeated public warnings from cybersecurity experts about its growing proliferation. That changed when Europol estimated that 200,000 computers, in more than 150 countries, had been infected with ransomware known as WannaCry.
Since then, ransomware attacks have increased in frequency, sophistication and maliciousness. Our nation’s vital infrastructure, which includes the financial services sector, remains at risk for ransomware attacks and should be on high alert. These attacks are perpetrated with relative ease and anonymity, resulting in speedy payouts and providing more than enough motivation for cybercriminals to rely on this type of malware.
According to Forbes, “a growing number of organizations, such as DarkSide, REvil and others, franchise their ransomware-as-a-service (RaaS) capabilities to attackers.” This model lowers the barrier to entry, making it easier than ever to put ransomware into the hands of opportunistic cybercriminals.
In May 2021, Colonial Pipeline, one of the largest providers of fuel to the U.S., was hit with an attack by DarkSide ransomware group, the same organization responsible for the SolarWinds cyberattack. This attack resulted in a temporary suspension of company operations and a ransom payment of nearly $5 million. Relatedly, the Kaseya attack in July 2021 was linked to the REvil cybercriminal group—which also uses the RaaS model—and affected an estimated 1,500 companies around the globe, including U.S. financial institutions.
These recent examples demonstrate that ransomware attacks aren’t likely to slow down anytime soon. Financial institutions should take ransomware seriously and prioritize enhancing their defenses. To understand the urgency, let’s go inside the machinations of a ransomware attack. While not based on actual events, this true-to-life depiction is real in character, scene and plot.
Meet the Characters
Cybercriminal Organization: Despite its unfamiliar darknet domain, its well-oiled structure is quite similar to the classic mafia framework. It develops its own RaaS plot and recruits soldiers with little to no technical skill—but plenty of motivation to make money through deception and intimidation. They attack a bank or credit union using the organization’s RaaS. The organization takes its cut, while keeping a safe distance from the actual scene of the crime.
Lowly Hack: This cybercriminal wannabe, who up to now has been limited by his lack of technical expertise, answers the recruitment call.
Financial Institution A: This institution’s board of directors heeded the ransomware alert from the SEC’s Office of Compliance Inspections and Examinations sent July 10, 2020, and charged its CIO with developing a plan to mitigate this risk and authorized the budget to implement it. The resulting multi-layered security approach provided prevention, detection and recovery practices in the following areas:
- Continuous user education and awareness training
- Advanced technology such as an up-to-date email filtering system, an intrusion prevention system, regular social engineering and penetration testing, and an endpoint protection system
- Stronger system infrastructure to ensure that security rights and privileges are properly assigned and monitored, all security and operating software is kept updated with available patches, a strong password policy is enforced and networks are carefully segmented
- Detailed response and recovery plans that ensure a quick reaction to any detection and quick recovery of operations and data
- Cloud-based data backup services to further ensure the recovery of lost data
Financial Institution B: This institution’s board of directors understands the ransomware threat, but has directed the CIO to manage with minimal budget increases. Thus, investments in the latest technology are out of reach. Instead, IT staff focus their limited resources on system infrastructure prevention areas, including password protection, privileges and rights monitoring and network segmenting. They also conduct a semi-annual employee awareness campaign.
Financial Institution C: Using its limited IT resources for system implementation projects and general cybersecurity protections, it has not tackled the ransomware threat on any real level.
Hear Their Stories as a Ransomware Attack Unfolds
After a day of gaming, Lowly Hack decides to look for a job as funds are running low. Without any real skills or desire to get off the couch, he turns to options on the darknet, where he finds Criminal Organization’s RaaS. After paying a small fee, he gains unlimited access to a customizable ransomware kit. Lowly Hack will maintain 80 percent of his ransoms in untraceable cryptocurrency collected automatically through the RaaS website, while Criminal Organization will keep the remaining 20 percent.
To choose his victims, Lowly Hack turns to financial institutions that he suspects have limited cybersecurity budgets or inadequate defenses. Using spam email distributed via the RaaS’ botnets, a vast array of compromised computers, Lowly Hack launches his first commercial ransomware attack.
Financial Institution A Remains Vigilant
Financial Institution A’s email filtering system detects and thwarts the majority of the malicious spam emails sent by Lowly Hack, but since no prevention technique is 100 percent failsafe on its own, one ransomware-carrying email lands in the inbox of Jane in accounts payable. Even though the email is designed to look like a legitimate request for payment, Jane is cautious because she’s learned through corporate training that the word “invoice” is often used in the subject line of malicious emails. Prior to opening the attached “invoice,” Jane conducts some simple due diligence and determines this is a suspicious email. She alerts IT, which further analyzes the email and confirms her suspicions.
As it does after any attempted cyberattack, Financial Institution A conducts the following post-mortem:
- Adds this example to its ongoing user awareness campaign, along with a reminder about the importance of following the institution’s password policy
- Shares details of the attack with the Financial Services Information Sharing and Analysis Center (FS-ISAC), of which the institution is a member
- Analyzes the current state of all prevention systems, security and operating software vulnerabilities, admin rights and privileges and network segmentation
- Reviews its response and recovery plans to ensure their effectiveness in the event of a more successful attack
- Decides to implement application whitelisting, which goes a step beyond the standard blacklisting of certain applications and specifies “an index of approved software applications that are permitted to be present and active on a computer system”
Financial Institution B Learns a Lesson
Without an email filtering system, the malicious email easily makes its way to multiple persons within Financial Institution B. Its semi-annual awareness campaign helped most recipients recognize the danger. However, John the teller and Susan in loan origination do not. Both open the email, click on the Microsoft Word attachment and allow the macro to run. Within seconds, their computers freeze, each with a ransom demand for $8,000 that blocks all activity. Fortunately, John has limited admin privileges, confining the attack to his computer. Because Susan has broader admin privileges, the attack spreads through her network segment freezing all computers on it and making the same ransom demand on each.
Financial Institution B does not pay the ransom because its damages are limited by two factors: First, its network segmentation did not allow the attack to go beyond John’s computer or Susan’s network segment. Second, the attack did not extend to the server housing its backup data, allowing Financial Institution B to recover the data lost via the unpaid ransom and resume all operations. Even though the institution was able to avoid paying the ransom, it still spent a considerable amount of time, effort and resources recovering the data and getting back to a normal state of operations.
The board realizes it narrowly dodged a bullet and allocates additional funding to thwart a more costly attack in the future. In addition to the inexpensive steps of beefing up the content and frequency of employee training, tightening up admin privileges and disabling Office macros, Financial Institution B invests in the following systems: email filtering, intrusion prevention, end-point protection and cloud-based backups.
Game Over for Financial Institution C
Meanwhile, Financial Institution C is dealing with a near catastrophe. Several employees fall prey to the malicious email, and because of an overabundance of admin rights and non-segmented networks, the ransomware quickly spreads through the institution’s entire network—completely shutting it down. Because the institution has no real response or recovery plan in place, its customers or members are unable to conduct business as branches, call centers, ATMs and mobile and online banking are inoperable for several days.
Fearing the spiraling cost of downtime, the board pays a $20,000 ransom, which pales in comparison to the cost of the public relations campaign it needs to win back consumer and shareholder trust. Not to mention having to make after-the-fact investments in desperately needed prevention, detection and recovery tools and tactics.
Lowly Hack cashes in his $16,000 in Bitcoin, while Cybercriminal Organization pockets $4,000 for their limited involvement. Not a bad payday for a couch potato or illicit organization.
Avoid a Day of Cybercrime Infamy
The number of villains capable of bringing financial institutions to their knees with ransomware is growing at an alarming rate. Follow the lead of our fictional Financial Institution A by taking control of your institution’s fate with a multi-layered approach to ransomware prevention, detection and recovery. Otherwise, like Financial Institution C, you risk establishing your own costly day in cybercrime infamy.
For insight on how your institution can mitigate threats with an integrated, layered approach to cybersecurity strategies, watch CSI’s on-demand webinar.
Tyler Leet serves as director of Risk and Compliance Services for CSI’s Regulatory Compliance Group. With nearly 20 years of experience in the information security, risk and compliance industries, Tyler oversees and participates in the development and maintenance of the risk and compliance-related services conducted for a wide variety of financial institutions and organizations.