Ransomware's arms race: What banks have to do
Ransomware is on the rise, and it’s more destructive than ever.
On Friday, a hacker group that calls itself Shadow Kill Hackers infected the city of Johannesburg and held its data for ransom. The hackers demanded four bitcoins be paid by Monday at 5 p.m. local time, or they said they would upload the city's data on the internet. The situation was still up in the air late Monday, with city officials saying they would not cooperate, according to news reports.
Billtrust, provider of a cloud-based service that lets customers pay bills via email or fax, was hit with a ransomware attack last week, according to Brian Krebs’ security blog. The company said it was in the process of restoring its systems from backup. Pitney Bowes, a technology company in Stamford, Conn., was hit with a ransomware attack in mid-October.
On Oct. 2, the FBI issued a warning about ransomware. “Ransomware attacks are becoming more targeted, sophisticated, and costly,” the announcement read in part. “Since early 2018, the losses from ransomware attacks have increased significantly.”
Ransomware is a form of malware that encrypts files on a victim’s computer or server, making it unusable. Cybercriminals demand a ransom in exchange for providing a key to decrypt the victim’s files.
More than 600 ransomware attacks hit local governments, schools districts and health care providers across the U.S. in the first three quarters of this year, according to a study by the security firm Emsisoft.
Reports of ransomware attacks rose 37% in the third quarter of this year, compared with the previous three months, according to Beazley Breach Response.
“Ransomware is a major concern across all sectors because it’s been successful for the cybercriminals,” said Gary McAlum, chief security officer at USAA.
The financial sector is better positioned than most to deal with this threat because of its focus on cybersecurity across the threat spectrum, he said. But banks obviously have a lot to lose when they become victims.
“The greatest risk within the financial sector is on the smaller financial institutions who may not be as mature in their processes or security technology stack,” McAlum said.
The rise of ransomware is partly a technology innovation story: Ransomware code keeps getting better all the time.
In 2017, when Wannacry and Notpetya were the go-to malware strains for ransomware attacks, WannaCry used an exploit called EternalBlue that was developed by the U.S. National Security Agency; it is now embedded in other types of malware including TrickBot, a banking Trojan that targets Windows machines. The malware has also gotten better at lateral movement and spreading from one endpoint to another.
“We've seen TrickBot and related malware receiving significant amounts of technological development and investment over the last couple of years,” said Adam Kujawa, director of Malwarebytes Labs.
Ransomware has become so accessible and easy to use that Sean O’Brien, president of @Risk Technologies, calls it Walmart for cyber.
“Just go down to your local online dark web exchange and download ransomware,” he said.
Hackers are targeting organizations of all kinds, including the financial sector, according to Joel DeCapua, supervisory special agent in the Federal Bureau of Investigation’s cyber division.
“If you're connected to the internet, you're at risk of ransomware and you're probably going to be targeted,” he said.
A new breed of hackers is attracted to ransomware because it has been so profitable in recent years, he said.
“Instead of focusing on stealing credit cards or mining [the cryptocurrency] Monero, now they've made it part of their illegal business model to deploy ransomware,” DeCapua said.
The most common way hackers get an initial foothold into a company system is through remote administration tools, DeCapua said, particularly the remote desktop protocol built into most modern operating systems that lets someone from a remote location connect to a computer over the internet to do an administrator's tasks.
When information technology staff set up these remote administration tools, they often use weak passwords, reuse passwords and do not use multifactor authentication, DeCapua said.
“Each time someone makes one of those mistakes when they’re setting up a password, it creates an opportunity for hackers to crack the password and log in to their system,” he said.
In some cases, a managed service provider sets up the remote access sloppily. Beazley found that in the past year, 24% of ransomware attacks happened through a vendor or managed service provider.
Email phishing is another popular approach for ransomware perpetrators.
According to the FBI, the majority of ransomware phishing emails are deployed through Microsoft Office documents that contain Word macros.
Banks can mitigate this threat by having strong firewall rules that scrub emails for suspicious attachments and deactivate macros for attachments received over the internet.
Ransomware attackers also take advantage of security weaknesses in software programs to get control of victim systems and deploy ransomware. Here, diligent patching is the antidote.
Most financial institutions already devote a lot of effort to preventing, detecting and responding to the daily deluge of ever-changing malware threats, including ransomware, McAlum said.
“Cyber actors are constantly morphing their techniques to bypass security layers, so prevention is only part of the equation,” he said. “Detection and response are even more important because incident management is time-critical.”
One specific defense against ransomware is cold backup.
Once ransomware hackers break into a computer network and start moving around, they can potentially encrypt or destroy backup systems as well as production servers.
“A sophisticated ransomware actor who's targeting an enterprise will take their time,” DeCapua said. “They will try to understand your network. They'll understand where everything is — What servers are backup servers? Where's your web server? And they will target your backup if it's connected to your network.”
But cold backup, in which copies of documents, data and applications are completely detached from a network, is effective.
“We tell people the No. 1 inoculation from ransomware is to have offline backup,” DeCapua said. “Nothing is better than when you're hit with a ransomware attack than to be able to not give the attacker what they want, wipe your systems and restore from a backup.”
Some big banks are part of Sheltered Harbor, an initiative through which banks maintain overnight cold backups for one another.
Companies need to test their backups and restoring from backup, DeCapua said.
“When you're hit by ransomware, if you've never tested your backups, you might look at restoring from backup as something that's too risky to attempt,” DeCapua said.
McAlum notes that coping with ransomware ultimately comes down to operational resilience, which leans heavily on business continuity planning processes and recovery strategies along with IT architectural designs, like network segmentation and the ability to compartmentalize threats.
“Concepts like Sheltered Harbor can also play a role for some companies as well,” he said.
Another best practice for banks, according to DeCapua, is to watch all attempts to access data on a network.
“It is so difficult to keep attackers out of your network," he said. "The recommendation I give is to assume that there's a compromise somewhere in your network." An employee must have opened a malicious attachment, a computer connected through the internet has a vulnerability that a hacker has taken advantage of, or an RDP instance has been cracked by a hacker.
Ransomware attackers are not going to look like normal users when they are poking around, looking for valuable data to encrypt.
DeCapua recommends hunting for malicious actors on a network, “not waiting for them to come get you.”
O’Brien’s advice for banks concerned about ransomware is to better understand what is on their network.
“Ninety percent of American companies don’t inventory what’s on their network, so they don’t know what they have,” he said. Therefore, they are unlikely to spot ransomware creeping in.
Ransomware attackers have been known to continue lurking in a computer network after their incursions, even if the ransom they demanded is paid.
So companies have to have their network examined by IT professionals after an attack to figure out if the criminals are still there, DeCapua said.
This is especially important for financial institutions, which store valuable data a hacker could use or sell.
Companies that withstand ransomware attacks are those that give network security people the resources they need to do their job effectively, DeCapua said.
“In some companies, security takes a back seat to other areas of IT,” he said.
A common question is, should you pay the ransom?
“A company should think through the worst-case scenario and answer the question: 'Would we pay a ransom if all prevention and recovery efforts failed?' ” McAlum said. “The time to think through that question, with all the right stakeholders, is before that bad day.”
The FBI’s answer is no.
“I say very strongly don't give in, because when you pay a ransom, it just emboldens the attacker,” DeCapua said. “It doesn't mean you're going to get your data back. We have seen situations where companies pay the ransom and they don't even get their data back.”