New ransomware variants, tactics rattle financial industry

Ransomware has evolved since its emergence in ways that make it difficult for organizations, including financial services firms, to defend against. (Photo by Matic Zorman/Getty Images)

This is the second part in a three-part series on ransomware’s impact on the financial industry.

Since its emergence on the popular cyber scene in 2016, ransomware has not only afflicted virtually every major industry — including financial services — but it has also evolved in leaps and bounds, in ways that have made it increasingly difficult to fend off or mitigate.

At a basic level, ransomware uses malware to intrude on corporate systems, encrypt and lock up the company’s data and systems, and demand payment to turn control back over to the company. As members of a highly regulated industry, and understandably a prime target for ransomware attackers from the earliest days, financial institutions have typically taken a more proactive approach than most businesses in improving their backup systems and taking steps to prevent breaches, especially of the systems that house their most sensitive or valued information.

But just as the attacked institutions have evolved, so too have the attackers — and arguably even more quickly than their victims. Ransomware operators are not only encrypting corporate data but exfiltrating it, too — which means attackers can demand a ransom to decrypt files and also threaten to sell or post the sensitive information they have stolen.

Erich Kron, security awareness advocate at KnowBe4, pointed out that threats of data exfiltration were seen as far back as the 2016 attack against the San Francisco Municipal Transportation Agency.

However, the more recent emergence of the popular Maze variant of ransomware has “made the threat real, a tactic now employed by most modern strains of ransomware.”

“The threat of public disclosure of stolen data puts a significant amount of pressure on the victims,” Kron said, “and gives the attackers significant leverage in ransom demands.”

Ricardo Villadiego, founder and CEO of Lumu, an IT company that measures compromise, said that since its discovery, at least 60 large organizations — including the Fairfax County Public Schools (FCPS), the 10th largest school division in the U.S., Canon, Cognizant, Chubb Insurance, Xerox and LG — have publicly admitted to falling prey to Maze attacks. Experts believe that hundreds of companies overall, potentially including financial firms, were victims of this pernicious malware threat.

Threat groups often revamp ransomware variants, along with tactics

While ransomware threats are often repackaged versions of older variants, organizations should not let their guard down, experts say.

Earlier this month, mobile developer BlackBerry released research on an emerging ransomware group that called itself “Monti”, which had encrypted nearly 20 of BlackBerry’s customer companies by early July, demanding a ransom for their release. As BlackBerry researchers and other analysts pointed out, the name and the attack methods of this group were eerily similar to the so-called “Conti” ransomware incidents that plagued hundreds of organizations last year. More advanced than Conti, Monti was found to turn the victim company’s own remote monitoring agent to its own ends, and to insert a password stealer (dubbed “Veeamp” since it targeted the Veeam backup application) as part of its malware payload.

And financial institutions need to be wary of more than online intrusion when it comes to ransomware. The recently discovered “Lorenz ransomware” had been using a vulnerability in a popular series of voice-over-IP devices as an inroad to corporate phone systems and to then access the wider computer systems to lock up and ransom. A September 2022 report from Arctic Wolf Labs connected this particular phone-based malware to ransom attacks.

“Lorenz exploited CVE-2022-29499, a remote code execution vulnerability impacting the Mitel Service Appliance component of MiVoice Connect,” the Arctic Wolf report said, “to obtain a reverse shell and subsequently used Chisel as a tunnelling tool to pivot into the environment.” The Lorenz group has also been known to exercise “double exploitation” by selling the data it exfiltrates (before it encrypts it) as well as access to victims’ systems to other online attacker groups, experts said.

David Bennett, CEO at Object First, described ransomware as the modern-day version of “hostage taking” in a bank robbery to facilitate an outcome. “Now you can essentially expand ‘bank robbing’ to a wide market with the click of a mouse,” Bennett said. “In the old days, you had to protect a bank’s front door and the vault. Now you have to protect every entryway. Every employee, every contractor and every customer is a potential way into that vault now.”
