<img height="1" width="1" style="display:none;" alt="" src="https://px.ads.linkedin.com/collect/?pid=6226337&amp;fmt=gif">
When dealing with a cyber attack like ransomware, you are essentially playing a poker game. You know your adversaries are in it to win it, but you may not know who you are playing and what cards they hold: how far into your system they have gotten and what data they have accessed or extracted.

Ransomware schemes are numerous, and the attack strategy is constantly morphing because of its attractive economics, but here are a few basic scenarios:
    • The threat actor may hold your data, your system, or both for ransom.
    • They may lock everything up straight away and demand payment to decrypt.
    • They may send you a note saying they have accessed your systems or data and demand payment.
    • Like a true hostage situation where hostages are killed one by one, they may encrypt/decrypt your data in batches to prove they are serious.
    • They may steal your data and demand money to get it back. Failure to pay results in the posting or auctioning of sensitive data such as customer names, account numbers, and social security numbers on the dark web or even the public internet.

Know When to Hold 'Em

To win in any of these scenarios, you need good cards. Luckily, unlike poker, your hand is not based on the luck of the draw. The risk management and security teams’ mission is to stack the deck in your favor with the following:

  1. Threat intelligence: intelligence sharing communities will help you know your enemies, their motivations, capabilities and attack patterns. For example, you may be able to quickly figure out whether you are dealing with a crime syndicate purely in it for the money, or a state-sponsored actor whose motivation is to cause disruption in the system. This will inform your response strategy.

  2. Security operations center: Whether this is in-house or outsourced, a SOC will monitor your networks and possibly even devices for abnormalities. Analysts will connect threat intel to your specific circumstances. And automated response systems will shut down vulnerabilities as they appear.

  3. Resiliency plan: To ensure both business continuity and regulatory compliance, you need to know how you will handle an attack and test all aspects of the plan regularly. Components may include crisis communications, liquidity and funding contingencies, data management, and crucially, who will be called for what. In the case of ransomware, time is of the essence. It is critical to have a cyber response team in place, either in-house or on retainer, to trace the attack and close all open doors as soon as possible. Prompt notification to your regulator is most likely required, and your plan should be clear about how this will happen for a ransomware issue.

  4. Backups: Institutions have different types of backups and you must know which to use when. Most institutions have primary and secondary sites for production systems. If the first crashes, the second steps in. This is great for operational outages. However, the systems are effectively mirrored; they are working with the same data. Ransomware attackers love this because the data (and their corruption) is propagated to both environments.

    The second type of backups are production backups, often kept on tape, network attached storage (NAS) or worm-drives. Data is usually backed up every 15 minutes or every hour. If you have confidence that this data is clean since you have quickly identified the path the attacker took into the system, these may be the right backups to call on. For example, one branch employee clicked on a phishing email and the damage is contained. However, without absolute certainty of the path of the breach, relying on these backups is dicey. The threat actors may already have gained access to the backups.  They could even be waiting for you to tap into them to gain access. Perhaps they want to tamper with the backup data for fraud purposes, creating new accounts or altering existing ones. The ransomware could even be a front for the larger fraud.

  5. Data Vault: this is a data backup that is air-gapped, i.e. offline and completely separated from all other systems. That copy of the data must be trustworthy and easily accessible. This is your ace in the hole; with an offline data vault you have leverage. Without it, you may have to fold.

Calling Their Bluff

Typically, you will only want to play this ace when you have run out of other options. For example, with a Sheltered Harbor data vault, critical customer account data is archived every night. In the event of a major operational outage, the firm can effectively turn back the clock to the day before the event. This means that all transactions that happened after the last archiving are wiped out, which can be substantial but manageable. It is also an effort to activate; it takes time to get data out of the vault and loaded onto production or alternative systems. In the case of a devastating attack where all systems are down, the industry agreed that last night’s customer account data and balances are enough to maintain public confidence in the financial system more broadly. In the case of a less severe attack, firms need to weigh whether using the vaulted data is their best option; there may be easier and less drastic remedies.

To really be able to call your opponent’s bluff, you must be confident that the data going into the vault is clean. You need an iron-clad process for validating the data before it is encrypted and sent to the vault. Without ensuring the integrity of the data going in, the vault itself is worthless. With it, you have ultimate negotiating power with the attackers when the stakes are high: the confidence that if you walk away, at least a relatively recent copy of your data remains intact.

The Insight

In the poker game that is a ransomware attack, the best thing you can do is stack the cards in your favor ahead of time. No matter the exact scenario, you should ensure you have threat intelligence, a security operations center, a resiliency plan, several kinds of backups, and your ace in the hole: a trustworthy, accessible data vault.

November 2020

© 2024 FS-ISAC, Inc. All rights reserved.

Listen on


The Global Leaders awards program recognizes those members who go above and beyond to support the security and resilience of the financial sector by sharing cyber intel and best practices, helping defend the industry against cyber risks.

Learn More

FS-ISAC members around the world receive trusted and timely expert information that increases sector-wide knowledge of cybersecurity threats.

Learn More