Ransomware: The growing threat
Ransomware is a big and costly business – and it’s growing. The average organisation’s ransomware recovery costs have more than doubled in the past year, rising from $761,106 in 2020 to $1.85 million, according to Sophos’ State of Ransomware Report 2021.
These costs include the ransom when paid, in addition to downtime, people time, device and network costs and other associated financial losses.
For some organisations, the cost of a ransomware attack is even higher. Shipping conglomerate Maersk, which was hit by the NotPetya ransomware in June 2017, said the attack amounted to $300 million in lost revenue.
Ransomware attackers are targeting all industries, and the impact is often significant. In May 2021, ransomware hit Colonial Pipeline in the US after attackers gained access to systems via a compromised password. The cyber-assault halted the pipeline’s operations and caused disruption across the country even after the $4.4 million ransom was paid.
Ransomware is extremely lucrative for cyber-criminals, so it’s no surprise that the data-encrypting malware has become a key part of many cyber-attacks. Recent figures show that of 128 publicly disclosed incidents taking place in May 2021, 40% involved ransomware. At the same time, ransomware-as-a-service offerings including tailored customer service and support are becoming commonplace.
Ransomware is a particularly dangerous threat because it has the ability to grind business operations to a halt. Even if firms are prepared, backups rely on infrastructure to restore them – and that infrastructure can itself be compromised as part of the attack.
In some cases, the impact of the attack is so bad that firms are forced to pay the ransom – despite organisations including the UK’s National Cyber Security Centre advising against this. But even if financial firms do pay, there are no guarantees they will get their data back.
In response to this growing threat, the financial sector – and larger banks in particular – continues to build robust cyber security measures and network segmentation to avoid becoming a victim of ransomware.
But across organisations of all sizes, increasing digitisation is opening up new avenues through which adversaries can attack. Cyber-threat actors including criminals and nation states are targeting weak points in the supply chain, which in 2020 formed the foundation of the SolarWinds breach that hit a number of major firms and the US government.
Ransomware attacks impact a financial firm’s revenues and reputation, as well as causing regulatory headaches. There is an obligation to notify a regulatory body such as the FCA if operations are impacted by an attack such as ransomware. Meanwhile, the EU’s updated data protection rules, the General Data Protection Regulation (GDPR), provide for fines of up to 4% of annual turnover or 20 million Euros for firms that suffer a breach.
Infiltrating an organisation can be relatively easy, via a phishing email containing a malicious attachment, for example. Once a system is compromised, an attacker can plant malware including ransomware.
Financial firms can ensure they are both more resilient to attacks, and positioned to respond, by ensuring that they perform basic hygiene tasks efficiently.
One of the most important basic hygiene tasks is to know your estate by having a strong asset management capability in place. Poor visibility of assets can put a company at risk and make it challenging for security teams to respond properly in the event of an attack.
For example, if a business is compromised by a zero-day exploit, it will need to know how many servers are exposed to the internet to be able to adequately manage the threat. At the same time, strong asset management makes the security team more efficient: automation processes should be built on a foundation of strong asset management to avoid wasting time manually finding and securing devices.
Having a strong patch management process is also a key hygiene task, ensuring that the software across your environment is kept current and minimising vulnerabilities that could be exploited. Supplement this with a defined, tried and tested Emergency Patch process, which provides the capability to respond quickly to emergency patch releases.
Another foundational hygiene task is the installation of Anti-Virus software across your estate, on both end devices and servers, providing another layer of security control.
A robust Backup & Recovery capability is another must-have: an infrastructure solution and process that facilitates the taking of regular snapshots of data, or ‘backups’, that can be used to roll back or recover data to a specific point in time, should the need arise.
It is also recommended to have a strong Backup & Recovery test schedule, testing data recoveries at regular intervals to ensure that they perform as expected.
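The following is an added illustration, not code from the original article, of what a scheduled recovery test can look like in practice: a snapshot is taken together with a manifest of SHA-256 hashes, and the test restores the snapshot to a separate location and checks every restored file against that manifest, so a backup that was altered after it was taken (here simulated by the constructed `corrupt_snapshot` flag) is caught before it is needed. The sample data, directory names and function names are all constructed for the example.

```python
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

# Constructed sample "estate" standing in for production data.
SAMPLE_DATA = {"ledger/accounts.csv": b"id,balance\n1,100\n2,250\n",
               "ledger/journal.txt": b"2021-05-01 transfer 50\n"}

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def take_snapshot(source, snapshot_dir):
    """Copy the source tree into snapshot_dir and record a hash manifest alongside it."""
    shutil.copytree(source, snapshot_dir / "data")
    manifest = {p.relative_to(source).as_posix(): sha256_file(p)
                for p in Path(source).rglob("*") if p.is_file()}
    (snapshot_dir / "manifest.json").write_text(json.dumps(manifest))
    return manifest

def verify_restore(snapshot_dir, restore_dir):
    """Restore the snapshot into restore_dir and compare each file with the manifest.
    Returns the relative paths that are missing or whose content no longer matches."""
    manifest = json.loads((snapshot_dir / "manifest.json").read_text())
    shutil.copytree(snapshot_dir / "data", restore_dir, dirs_exist_ok=True)
    failures = []
    for rel, digest in manifest.items():
        restored = restore_dir / rel
        if not restored.is_file() or sha256_file(restored) != digest:
            failures.append(rel)
    return failures

def run_recovery_test(corrupt_snapshot=False):
    """End-to-end test: build sample data, snapshot it, restore it, verify.
    corrupt_snapshot simulates a backup tampered with after it was taken."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        src, snap, dst = root / "src", root / "snap", root / "restore"
        for rel, content in SAMPLE_DATA.items():
            (src / rel).parent.mkdir(parents=True, exist_ok=True)
            (src / rel).write_bytes(content)
        take_snapshot(src, snap)
        if corrupt_snapshot:
            (snap / "data" / "ledger" / "accounts.csv").write_bytes(b"garbage")
        return verify_restore(snap, dst)  # empty list means the restore passed
```

Running the restore into a location separate from the live data, as above, also keeps the test from depending on the very systems an attack may have compromised.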
People are also an integral factor, taking into account that everyone is a user, including CISOs and other senior professionals. Education and awareness are key, with regular training and preparation using defined scenario playbooks. These should set out what will happen, when, and what would be done should an attack hit the organisation.
If a firm does decide to pay, negotiation is a key factor. The negotiator needs to make sure the attacker can act and deliver by, for example, asking the adversary to decrypt a ‘sample’ file. After all, it’s not unusual for a criminal to create ransomware that can’t be decrypted.
Another advisable measure is managing user privileges and privileged IDs to prevent attackers from using these credentials to move around inside systems without being noticed.
Testing resilience is integral and this will come to the fore with the FCA’s forthcoming Operational Resilience requirements, which force regulated entities to understand key business services end-to-end. The requirements also outline the importance of understanding the impact of loss of service – which underlines the need to have a robust testing process in place.
At the same time, financial companies should ensure optimal threat intelligence and understand that when a cyber-attack does hit, detection and response are key, with a firm’s SIEM (Security Information and Event Management) and SOC (Security Operations Centre) playing integral roles.
It is therefore essential to examine how prepared the organisation is in its ability to respond to and prevent a ransomware attack.
Many financial sector companies see ransomware as ‘just’ an IT or cyber problem, but it isn’t – it’s a business problem. Even for financial firms with robust defences, ransomware isn’t going away and it’s integral to be prepared to manage and respond to the threat.