Ransomware is not a new cyber attack strategy, but it is a growing concern to the financial sector. The old way was to simply hold systems or data for ransom; if you paid the money, access would be granted. However, times have changed. In 2020, the newest extortion tactic is for threat actors to publicly name victims and publish their data online. This has profound implications for financial institutions, whose businesses depend on the trust of their customers.
The main purpose of ransomware is to prevent the user access to their files or system, usually to hold hostage in exchange for money. Ransomware takes a variety of forms: it can encrypt your files and folders or servers, lock you out of your computer or phone, or change the hard drive to interrupt the bootup process. It can be opportunistic - delivered by spam or phishing - or targeted, exploiting unpatched vulnerabilities in a company’s systems. It is easier than ever to execute ransomware attacks; with Ransomware-as-a-Service (RaaS), less technical cyber criminals can simply buy ransomware kits on the dark web.
In December 2019, a ransomware group pioneered a new attack pattern — not just encrypting and ransoming a victim’s data, but exfiltrating it to also extort the victim over the data being leaked publicly, thereby preventing victim companies from keeping an attack under wraps. This tactic has become known as double-tap and has since been adopted by at least a dozen ransomware groups. Most of these groups have set up dedicated leak websites to disclose the victims’ data should the extortion demand not be paid. Another recent development is cooperation between operators to use the same data leak platform to share intelligence and help drive successful extortions.
Additionally, the threat actors have added a third stage to the monetization of compromised data by auctioning compromised data to the highest bidder. This suggests that these groups are taking time to analyze the data for its potential value and will publish the victim data if the auction is not successful. It may become apparent that there is no market for this type of data, or it could drive up the price of compromised data on the digital underground.
While financial services account for only four percent of breaches, third parties such as IT vendors, energy suppliers, telecommunications providers, and transport companies are also susceptible to attacks. With the move to working from home due to COVID-19, cloud providers and other third parties critical to remote operations could become major targets. Even if these are not direct attacks on financial institutions, it has already been shown that financial services could be vulnerable to them. For example, the 2019 ransomware attack on British currency exchange bureau Travelex disrupted operations at multiple client banks. Of course, not all attacks result in major outages, but given our highly interdependent global financial system, it could only be a matter of time until a ransomware attack disrupts the functioning of a large enough institution or multiple institutions to cause a crisis of customer confidence that impacts the larger economy.
Therefore, the potential business impact of ransomware is now much higher than the cost of the ransom. In addition to the compliance and regulatory considerations such as mandatory data breach reporting, public disclosure and GDPR fines, the brand damage could be material and long-lasting.
One of the most important tools that institutions have at their disposal to protect themselves is becoming part of an intelligence sharing community. Since criminal groups often attempt the same attack on many financial institutions in multiple countries, when one member of the financial services community shares information about an attack, vulnerability or threat, others can quickly put up defenses against it, thus lowering the attacker’s returns by forcing them to start over with new infrastructure. It makes ransomware, as well as other kinds of cyber attacks, less cost-effective for the criminals and less attractive as a result.
Intelligence sharing makes cybersecurity cheaper as well. Seeing the techniques that threat actors are using on other institutions enables firms to address vulnerabilities, construct pre-emptive defenses and even block potential attacks before they are attempted. And prevention is much cheaper than picking up the pieces after an attack, both in terms of cost and reputation. Once mainly considered a cost of compliance, strong cybersecurity is increasingly a competitive differentiator in the market.
Ransomware strategies continue to evolve and get even more sophisticated. It is impossible for every institution to anticipate and defend against every attack. Now more than ever, collaboration is one of the best ways for financial services institutions to continue to adapt and thrive in the ever-changing realities of the post-pandemic world.
© 2022 FS-ISAC, Inc. All rights reserved.
Teresa Walsh leads FS-ISAC’s Global Intelligence Office (GIO) to protect the financial sector against cyber threats by delivering actionable strategic, operational, and tactical intelligence products. Based in the United Kingdom, she oversees...Read More
FS-ISAC’s global member sharing operations and a team of regional intelligence officers and analysts who monitor emerging threats. Under Teresa’s leadership, FS-ISAC’s GIO provides an invaluable niche for financial institutions' understanding of how the threat landscape impacts the sector. Previously, Teresa served as the Europe, Middle East and Africa lead for fraud intelligence and external relationships at JPMorgan. Prior to that, she served as a cyber intelligence analyst for Citigroup in the US and Europe. Teresa began her career as a civilian intelligence analyst with the US Naval Criminal Investigative Service (NCIS) and holds a master’s in political science with a focus on international relations from the University of Missouri-Columbia.