5 ransomware trends that should alarm banks
Ransomware attacks have been accelerating during the pandemic, as cybercriminals take advantage of the security vulnerabilities and disruption caused by the massive movement toward working from home and find ransomware increasingly profitable.
According to a report published Tuesday by the security company Arctic Wolf, the banking sector saw a 520% increase in phishing and ransomware attacks between March and June of this year. Arctic Wolf has 250 bank and credit union customers.
In April and May, there was a rash of ransomware attacks on bank technology vendors like Finastra, Diebold and Cognizant.
On Sept. 9, BancoEstado, one of Chile's three biggest banks, was forced to shut down all branches after a ransomware attack. The Development Bank of Seychelles incurred a ransomware attack that same day.
It’s hard to get precise data on ransomware attacks because most companies disclose them only if they absolutely have to, such as when customer data is potentially exposed.
“If their hand is forced, they make only a very limited disclosure,” said Brett Callow, threat analyst at the ransomware hunting and recovery services firm Emsisoft, which has its headquarters in New Zealand but operates all over the world. “Terms such as ‘cybersecurity incidents’ are often used in place of the dreaded ‘r’ word, ransomware, which companies don’t want to use at all,” he said.
Though they’re targeted with ransomware all the time, U.S. banks have mostly escaped being paralyzed by ransomware so far because they have strong controls in place.
“But if the trend continues toward bigger and bigger companies being hit, it’s only a matter of time before a bank is taken down,” said Callow.
There are at least six reasons why ransomware attacks are on the rise and are posing challenges for banks and their customers.
Hackers are taking advantage of confusion caused by COVID-19
“Attackers are always looking for soft targets and they follow the news to figure out how to do that,” said Mark Manglicmot, vice president security services at Arctic Wolf, which is based in Sunnyvale, Calif. “The COVID-19 pandemic just released a bunch of ideas for attackers to go after and they crafted their phishing emails and their lures accordingly.”
The sudden provision of government relief, such as the Paycheck Protection Program through which banks made loans to small businesses, provided one idea.
“Banks and credit unions that were small all of a sudden had to become very large overnight, and they didn't have the cybersecurity controls or monitoring in place that they needed,” Manglicmot said. “And so they were a lot more susceptible to COVID-19-specific lures.”
The mass pivot to working from home has also made banks more vulnerable to phishing attacks, according to Manglicmot.
“Users are now on home networks that aren't as well protected,” he said. “As an employee opens up their corporate email and gets that phishing attack and clicks to open that attachment, the hacker is able to from that one system pivot into the rest of the banking infrastructure if it's not architected correctly.”
According to Manglicmot, about half the time, ransomware attacks start with phishing, in which employees are sent emails designed to trick them into clicking on a malicious link or attachment.
The other half of the time, ransomware attackers break into a network through vulnerabilities in improperly secured internet servers or remote desktop protocol vulnerabilities. Some ransomware, however, will bypass home users' computers and focus on computers that have access to a company network that links to servers containing sensitive data.
Ransomware has become cybercriminals’ preferred attack method
“Ransomware has been escalating at a pretty healthy clip over the last couple of years. Certainly that was accelerated with COVID,” said Adam Meyers, senior vice president of intelligence at CrowdStrike, the incident response company (also based in Sunnyvale) that became famous when it helped the Democratic National Committee investigate a data breach conducted by Russian hackers in 2016.
Many criminal groups that once targeted bank customers with malware to steal banking credentials have moved towards ransomware, which has become their dominant revenue generator, Meyers said.
For instance, a Russian cybercriminal gang that calls itself Evil Corp. used to focus on online banking credential theft through the banking malware Zeus, Bugat, Cridex and Dridex. In 2017, the group moved exclusively toward deploying malware to encrypt files. It recently attacked the wearables manufacturer Garmin and demanded $10 million in ransom. The FBI is offering a $5 million reward for information that could lead to the arrest of Maksim Yakubets, a member of the group.
Banks’ large customers are being targeted with ransomware
Cybercriminals are currently focused on what Meyers calls “big game hunting.”
“They are getting into large enterprises and moving laterally, escalating privileges, and then ultimately deploying a crypter, which allows them to encrypt the victim’s files and then demand a ransom payment,” Meyers said.
These attacks are primarily targeting organizations that have to be up and running for some reason, that don’t have the most effective security programs and that are therefore most vulnerable, he said. Manufacturing, healthcare, state and local governments and school districts are all examples.
Ransomware attacks are doubling as data breaches
In one out of four cases, hackers are not just locking up servers and demanding ransom; they are also exfiltrating some of the data in those servers, such as customer data, and posting it on the dark web, according to Callow.
Recently, customer data from a few community banks has been posted on the dark web, indicating ransomware-based data leakage. The banks did not respond to phone calls or emails about this.
The data exfiltration trend means that when banks are hit with ransomware, in addition to figuring out how to decrypt their data and regain control of their systems, they need to know that their customers’ data may be posted on the internet. Then they will be legally required to notify customers of the fact that their data has been breached.
Attacks are becoming more profitable, as victims and ransom demands get larger
In 2018, the average ransom demand was $5,000 and the average victim was a small business, such as a corner store, according to Callow. In 2020, the average ransom demand is somewhere between $150,000 and $250,000, multimillion-dollar demands are the norm, and victims are large, multinational companies like insurers and mortgage brokers, he said.
In July, a Russian ransomware gang member offered a Tesla employee a $1 million bribe to introduce malware into Tesla’s Nevada Gigafactory computer networks. The employee turned the criminal in to the FBI.
“How do you protect against something like that?” Callow said. “Tesla got lucky. Every organization has disgruntled employees. The more money you give these groups, and it's been going up and up all the time, the more alternatives they have to compromise networks and systems in unconventional ways. If they can't get in via remote hacking, they can attempt to buy their way in.”
Banks have been freshly warned against facilitating ransomware payments
The Treasury Department gave a stern reminder to banks last week that they’d better not facilitate ransomware payments.
“Companies that facilitate ransomware payments to cyber actors on behalf of victims, including financial institutions, cyberinsurance firms, and companies involved in digital forensics and incident response, not only encourage future ransomware payment demands but also may risk violating OFAC regulations,” the Treasury said, referring to the Office of Foreign Assets Control.
The warning may have been triggered by the Garmin case, in which the wearables manufacturer paid $10 million in ransom to the Evil Corp. cybercriminal gang.
OFAC sanctions are of limited value in combatting the ransomware problem, Callow pointed out, because only a few groups are currently on the OFAC list, and none of the major ransomware groups are.
Experts said there are a number of things banks can do to prevent attacks or minimize the damage.
The most important thing any organization can do is stay on top of system patching, Callow said. (Malware commonly exploits unpatched systems to break in.)
He also recommended using multifactor authentication everywhere possible and monitoring for signs of compromise.
“That way incidents can be shut down quickly, before they become catastrophic,” he said.
Meyers also puts patching first in his list of anti-ransomware practices. Other items on his list include network segmentation, gaining visibility into activity on end points, use of machine learning and artificial intelligence to detect unusual network or data access behavior, and preparing for ransomware attacks through simulations and response plans.
Valerie Abend, managing director at Accenture, emphasizes the need to plan for an attack — for instance, deciding in advance what the policy will be on paying ransom.
“You should have plans on how you're going to deal with this, if it happens to you or if it happens to a third party,” she said. “Beating up the third party while it's happening is not particularly helpful. But part of the plan needs to be, how do you quickly identify the corrupted machines and disconnect them really fast?”
And among the many security steps a bank needs to take, Abend said special attention needs to be paid to access management, limiting and monitoring the access employees have to sensitive data and documents.
And when all else fails, having a cold backup, or a copy of all data that's kept offline, is critical to getting a company up and running again.