Note: This is the first of a three-part series on the growing impact of ransomware on the U.S. financial industry.
Ransomware is nothing new to financial industry cybersecurity professionals, who have seen these attacks wreak havoc on institutions big and small for more than half a dozen years. And in recent months, ransomware attacks have stepped up, putting them front and center for the industry.
Indeed, financial IT security professionals and researchers alike have pointed out how ransomware attacks are not only becoming more pervasive, but more sophisticated — creating a wave of new threats that even the most security-conscious banks and investment firms are hard-pressed to stop.
In the past two years, financial industry observers have seen a greater number of ransomware attacks that utilize outside “service providers” (also known as “ransomware-as-a-service,” or RaaS), as well as variants that have chosen different attack vectors, such as the corporate phone system (like Lorenzware), and ransom groups that perpetrate “double extortion” through their incursions (as has been the case with Maze).
In 2021, more than half (55%) of financial service firms were victims of at least one ransomware attack, up from 34% the previous year, representing a 62% rise in these threats in just one year, according to Sophos’ The State of Ransomware in Financial Services 2022. The study was derived from research Sophos commissioned with Vanson Bourne, which surveyed 5,600 IT professionals, including 444 from financial services in the first two months of 2022.
In addition to being more widespread, individual ransomware attacks themselves are arguably becoming more effective and doing more damage. Erich Kron, security awareness advocate at KnowBe4, pointed out that ransomware is no longer “limited to denying access to data. It has evolved into a much larger threat that includes the exfiltration of data and establishing persistent network access.”
Early versions of ransomware indiscriminately encrypted files as fast as possible with little or no human intervention, Kron said.
“However, modern strains tend to be more stealthy, gaining network access and looking for critical data, stealing the data, then eventually encrypting it,” he added. “This allows the bad actors to cause the most impact possible in the short time they have available to encrypt files before being spotted by security products, making the victims more likely to pay the ransom.”
Sophistication of attacks on financial firms rises as security ability increases
The Sophos report found that the increase in ransomware attempts in the financial services sector “was part of a broader cross-sector trend in 2021: across all sectors, 66% of respondents reported being hit by ransomware, up from 37% the year before.”
But for banks, investment firms and other financial providers, the main issue is not just the sheer number of ransomware threats, but their rapidly increasing sophistication.
“While the increase in volume and impact of attacks is in line with the global average, financial services experienced an above-average increase in the complexity of attacks,” according to the Sophos report. “It may be that, in response to this sector’s strong ability to stop attacks, adversaries are forced to increase the sophistication of their approaches.”
Other industry researchers have proclaimed that ransomware has had an even more dire and profound effect on the financial industry. Last September, Trend Micro released its own research, which found that “ransomware remained the standout threat in the first half of  as cyber criminals continued to target big-name victims. Working with third parties to gain access to targeted networks, they used Advanced Persistent Threat tools and techniques to steal and encrypt victims’ data.” In fact, Trend Micro reported that the banking industry experienced a 1,318% increase in ransomware attacks in the first half of 2021 compared with the first half of 2020.
For many cybercriminals, ransomware has become the gift that keeps on giving. Recently, some ransomware perpetrators not only get their victims to pay a ransom to have their data and systems released, but often also release on the dark web the sensitive financial corporate data to which they’ve had access (known as “data disclosures”), either to sell it to other bad actors or to wheedle another payout from their victims, according to Accenture.
“The widespread use of ransomware with the use of data disclosures, together sometimes known as ‘double extortion’, has made sensitive corporate data highly available on the criminal underground, with such data available for free or a fee to any threat actor,” according to the August 2022 Accenture report. “The data is a rich source of information for criminals who can easily weaponize it for secondary BEC attacks. This is especially relevant, as markets like Genesis and underground services available in multiple high-end forums allow malicious users to purchase credentials for as little as $10 that provide access to genuine corporate email accounts.”