BankThink

Colonial Pipeline shows how not to handle a ransomware attack

The recent cyberattacks on the Colonial Pipeline and JBS, the global food supplier, underscore the damage that ransomware can do — a form of malware that appeared in 10% of the cybersecurity breaches studied in the recently released 2021 Verizon Data Breach Investigations Report.

The rise of cryptocurrency has helped fuel the growth of ransomware as a business model. To put the problem into context, the value of ransomware payments made in cryptocurrency rose 337% from 2019 to 2020, to more than $400 million. In response to this growing threat vector, the federal government has now elevated ransomware to a critical priority, with the FBI director likening the recent wave of attacks to what the country faced after 9/11.

It’s clear that no sector is immune and, when hit with a ransomware attack, banks are often tempted to follow the example of Colonial and JBS and pay up. After all, failure to do so will prolong the negative customer impact, the damage to brand reputation, the logistical headaches and all the other challenges that accompany this nightmare scenario. However, banks must ignore hackers’ ransomware demands for several reasons.

Data decryption: If your organization acquiesces to hackers’ payment demands, you’re essentially relying on the criminals’ promise that they will decrypt your data after the ransom has been paid. But it’s very possible that the hackers will not hold up their end of the bargain. In 2019, 30% of organizations that paid the initial ransom demand did not get access to their data. Some received access after paying a second ransom, while others never got their data back at all.

Malware: Another concern is that hackers may leave malware behind for future attacks. Even though Colonial resumed service on May 12, the company is still in the process of examining the network and installing detection tools to alert it to future attacks.

Legal ramifications: Depending upon the nature of the criminal organization launching the ransomware attack, paying may be illegal under U.S. law.

Of course, in Colonial’s case, the government was able to recover more than $2 million of the initial $4.4 million payment due to the hackers’ use of a weak password on their cryptocurrency wallet. This is not likely something that will happen often, and banks also shouldn’t expect the government to go to great lengths to help them recoup ransom payments. Given the volume of attacks, the government is unlikely to have high recovery rates and, particularly for smaller institutions with less significant ransom demands, tracking down payments would not be a high priority.

So, what should financial services firms do if they fall victim to a ransomware attack?

Unless you can guarantee that the attack is isolated to a single system, the best thing to do is immediately shut down the network. Even if some systems appear unaffected, there’s a good chance that the ransomware could still be propagating around your network.

This would be particularly disruptive for banks and their customers, which is all the more reason to listen to the old adage that reminds us that an ounce of prevention is worth a pound of cure. Ideally, the primary focus should be on what companies can do to avoid falling victim to a ransomware attack in the first place. There are numerous security strategies banks should review as part of this, including password hygiene.

Investigators have now determined that the Colonial Pipeline attack originated when hackers used a compromised password to access an employee’s virtual private network account and, from there, the organization’s network. Compromised credentials are a common attack vector because people are notoriously bad at password management — for example, 65% of respondents in a Google study reuse the same password across some or all of their accounts. If these credentials were leaked in a previous breach, hackers can easily obtain them via the dark web and use them to launch successful attacks.

In light of this, banks would be wise to investigate avenues for shoring up credential security. It’s important that multifactor authentication or another secondary form of authentication be enabled for all critical accounts — a cybersecurity best practice that was not in place for the VPN account breached by the Colonial attackers.

Multifactor authentication is not a magic bullet, however, and the reality is that there will likely be systems where it is either not possible, not practical or simply not cost effective to implement. That’s why it’s also important to deploy solutions that prevent employees from using known compromised credentials or weak, commonly used passwords. It’s unrealistic to expect employees to change their approach to password management on their own, but password managers and credential screening solutions can close some of the holes left exposed by poor password hygiene.
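To make the credential-screening idea above concrete, here is an added example (not code from the article or from any vendor it mentions) of the check a bank's password-change flow could run before accepting a new password. It rejects passwords that are too short, that match a common-password list, or that appear in a breached-credential corpus. The two word lists are constructed sample data standing in for the millions of entries a real feed would supply, and the hash-prefix index mirrors the k-anonymity range lookup that public breached-password services use, so that only a five-character SHA-1 prefix would ever need to leave the client.

```python
import hashlib
import re

# Constructed sample data: a few passwords standing in for a breached-credential
# corpus and a common-password list. A real deployment would load these from a
# breach-data feed or query a screening service by hash prefix.
_COMPROMISED_SAMPLE = ["password123", "Summer2021!", "letmein", "qwerty"]
_COMMON_SAMPLE = ["password", "123456", "qwerty", "welcome1"]


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1, the digest format breached-password corpora are keyed by."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(passwords):
    """Index digests by their first five hex characters (the k-anonymity 'range').

    A client sends only the prefix and receives every suffix in that bucket, then
    finishes the comparison locally, so the full hash never leaves the client.
    """
    index = {}
    for p in passwords:
        h = sha1_hex(p)
        index.setdefault(h[:5], set()).add(h[5:])
    return index


COMPROMISED_INDEX = build_range_index(_COMPROMISED_SAMPLE)
COMMON_PASSWORDS = {p.lower() for p in _COMMON_SAMPLE}


def is_compromised(password: str, index=COMPROMISED_INDEX) -> bool:
    """True if the password's digest appears in the breach corpus bucket."""
    h = sha1_hex(password)
    return h[5:] in index.get(h[:5], set())


def is_common(password: str, common=COMMON_PASSWORDS) -> bool:
    """True if the password, or the password minus a trailing digit/symbol
    suffix ("Password1!" -> "password"), is on the common-password list."""
    base = re.sub(r"[\d\W_]+$", "", password).lower()
    return password.lower() in common or base in common


def screen_password(password: str, min_length: int = 12) -> list:
    """Return the reasons a candidate password should be rejected.

    An empty list means the password passed every check.
    """
    reasons = []
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    if is_common(password):
        reasons.append("matches a commonly used password")
    if is_compromised(password):
        reasons.append("appears in a known breach corpus")
    return reasons


if __name__ == "__main__":
    for candidate in ["Summer2021!", "Password1!", "correct-horse-battery-staple"]:
        verdict = screen_password(candidate) or ["accepted"]
        print(f"{candidate!r}: {', '.join(verdict)}")
```

The suffix-stripping in `is_common` is deliberate: users asked to "add a number and a symbol" overwhelmingly append them to a dictionary word, so a list that only matches exact strings misses most weak choices. The same screening function can be run over an existing directory during an audit by feeding it hashes rather than cleartext, since the breach-corpus check only needs the SHA-1 digest.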

The fact that the federal government has been so vocal in its ransomware concern is a testament to how grave the threat is for companies today. It’s critical that banks mirror this apprehension and take steps now to improve their security posture and limit the success of these attacks. Ultimately this will prove a much more effective strategy than agreeing to hackers’ terms and paying up.
