This is the third and final article in a three-part series on ransomware in the financial industry. Read the first and second installments here.
Ransomware is clearly a huge problem for the financial industry, one that is just getting worse with more sophisticated attacks and outside service providers to facilitate attacks.
As Rick Vanover, senior director for product strategy at Veeam, a data protection, backup and recovery platform, pointed out, ransomware continues to be “a huge concern due to the potential payout.”
“In the end, it is truly a numbers game,” Vanover said, adding that it only takes one attempt out of 1,000 for bad actors to consider their ransomware attack successful and to pay out handsomely. However, Vanover and other experts agreed that while the odds of attack are high, “the opportunity for resiliency is also high.”
“The good news is that each and every financial sector organization can take steps now to prepare for recovery,” Vanover added. “Techniques such as immutable copies of data, having a response plan, and simply applying best practices throughout IT, will go a long way in being able to respond effectively.”
Training and preparation are key components to an effective response, even to simply spotting these ransomware threats as they happen, according to Ricardo Villadiego, founder and CEO of Lumu.
“Ransomware continues to rise and financial institutions face a huge problem: not being able to know if an attack is already underway,” Villadiego said.
Whether the threat is coming from a more traditional ransomware gang or one of the more insidious recent incursions that often prove more difficult to weed out and can lead to “double exploitation,” financial organizations should make sure that their strategy allows them to intentionally anticipate threats, detect compromises in real time, and respond fast and precisely, Villadiego said.
“In addition, they need to make sure that their cybersecurity investments are working on the same page,” he added. “Some ransomware groups leave traces and they can be stopped if the precursors are intentionally detected and eradicated in time.” This becomes more complicated as newer ransomware like Maze can be distributed in myriad ways, including phishing or whaling, remote desktop protocol (RDP) brute force attacks and exploit kits, according to Villadiego.
Indeed, the question of whether or not a victimized organization should pay the ransom is still not clear-cut, as many experts have said this simply emboldens attackers. According to Villadiego’s research, more than one-third of ransomed companies (36%) paid the ransom; but 17% of those organizations that paid never received access to their encrypted data and systems afterward. Hence, he said that choosing whether to pay the demanded ransom “is no longer a cybersecurity decision but a business decision, and organizations need to do what is best for their businesses.”
“It is important to know that paying the ransom creates a vicious cycle,” Villadiego continued, “the more we pay, the more ransomware incidents we see.”
Invest in educating and training employees on phishing
Erich Kron, security awareness advocate at KnowBe4, suggested that since most ransomware perpetrators use email phishing to enter corporate systems, financial organizations “are wise to invest in user education and training related to phishing, and to provide simulated phishing emails to allow the users to hone their skills.”
In addition, Kron added that banks, investment firms and other financial players should invest in strong data loss prevention (DLP) controls to reduce the possibility of data theft, and backups that are “tested and isolated from the network.”
Leaning on detection as the first layer of defense, as many financial organizations do, can also be problematic, according to Mark Guntrip, senior director of cybersecurity strategy at Menlo Security.
“Focusing in this way means that organizations have to be right 100 percent of the time to prevent an initial access attempt,” Guntrip said, “and that relying on whichever flavor of detection and response you choose means that the intrusion has already occurred and now you try to minimize the damage.”
“With this mindset, malware infections as a whole, including those that end up in a ransomware demand, are almost guaranteed to keep growing in volume and associated losses,” said Guntrip.
Hence, Guntrip recommended that organizations shift their “mindset to prevention rather than detection if they want to prevent ransomware at the source — before an attack occurs. As companies continue to shift toward adopting technology such as isolation powered technology, that promise of ransomware prevention can become a reality and the threat of ransomware diminishes.”