Ransomware: Threat no bank can talk about

Banks face an increasingly prevalent and incredibly damaging cyberthreat, yet, for very good reasons, no bank will speak openly about being victimized by it: Ransomware.

Ransomware is a particularly insidious form of malware. The cybercriminal manages to install it in a corporate system and can then lock down or encrypt whatever is on it. The victim not only faces extortion, in the form of having to pay ransom, but also the loss of operations, emotional drain to the point of panic among employees, and catastrophic brand damage.

Threat keeps building

Recent reports from government agencies and private security firms document the growing incidence of ransomware attacks.

Most notably for banks, the Federal Financial Institutions Examination Council issued a statement last November which says in part: “Cyber attacks against financial institutions to extort payment in return for the release of sensitive information are increasing.” 

The U.S. Computer Emergency Readiness Team (U.S.-CERT) issued an alert this March—and updated in May—that reported the spread of ransomware in general: “In early 2016, destructive ransomware variants such as ‘Locky’ and ‘Samas’ were observed infecting computers belonging to individuals and businesses.”

The FBI, in a late April advisory, said: “Hospitals, school districts, state and local governments, law enforcement agencies, small businesses, large businesses—these are just some of the entities impacted recently by ransomware.” 

Kaspersky Laboratory, which specializes in tracking malware of all types and consults with businesses about how to prepare for and respond to attacks, found that in the first quarter of 2016, the number of attempted ransomware attacks increased by 30% from the previous quarter.

About 2,900 new ransomware modifications were detected during the quarter, which is an increase of 14% from the previous quarter.

Banks keep mum on ransomware

Attacks on specific banks, however, are rarely, if ever reported.

“You’re almost certainly not going to hear about successful ransomware attacks on banks,” says Ross Hogan, global head, Fraud Prevention Division, Kaspersky Laboratory, in an interview with Banking Exchange. “It is probably one of the most catastrophic events that a bank could suffer.”

That’s not only because of the actual money that the criminals demand and the potential for data loss.

“If anyone who was working [or doing business] with that bank were to find that they were susceptible and maybe gave in to these types of attacks, that brand damage would be nearly irreconcilable,” Hogan says.

Which, as the FFIEC notice indicates, doesn’t mean that banks are not being targeted. It means that it simply is not something any bank would admit. Still, says Hogan, who consults mainly with financial institutions: “Anecdotally, yes, our evidence from what we can pull from our systems and from what I’ve been able to glean in speaking with bankers, the attacks are there. They are focusing on banks.”

How to prevent ransomware attacks

All sources agree on one thing: The most effective means of dealing with ransomware is preventing it from infecting systems in the first place.

“First and foremost you should be thinking about prevention,” says Hogan. “It is largely a preventable problem.”

The FBI alert lists these precautions to deal with the ransomware threat:

• Awareness. Make sure employees are aware of ransomware and of their critical roles in protecting the organization’s data.

• Keep security updated. Patch operating systems, software, and firmware on digital devices.

• Use protection programs’ full features. Ensure antivirus and anti-malware solutions are set to automatically update and conduct regular scans.

• Take care with exceptions. Manage the use of privileged accounts.

• Maintain your “locks and keys.” Configure access controls, including file, directory, and network share permissions, appropriately.

• Watch what goes via email. Disable macro scripts from office files transmitted over email.

• Watch for hitchhiking threats. Implement software restriction policies or other controls to prevent programs from executing from common ransomware locations—such as temporary folders supporting popular internet browsers, or compression/decompression programs.

To this list, the U.S.-CERT alert adds: “Use application whitelisting to help prevent malicious software and unapproved programs from running … Application whitelisting allows only specified programs to run, while blocking all others, including malicious software.”

Don’t get too “democratic” with BYOD

Hogan emphasizes the absolute need to place the strongest possible end-point security systems on office computers and mobile devices used for work.

“You might want to consider restricting access to corporate systems and data only to corporate-provided devices,” he says, which means prohibiting employees from using their own devices to access corporate files and systems.

Other things to do, says Hogan, involve strong data backup procedures, and assessing vulnerabilities.

For backup, he recommends a 3-2-1 approach: Three copies, in two different media, and one alternate location.

For assessment—done well in advance of any attack—Hogan recommends consulting with a security-specific provider “to look at systems and to understand all of the different areas of vulnerability, depending on what systems are running, and who has access to them.”

People can be weakness—or strong point

Also high on the list of preventive measures, he says, is training and awareness. “So much of this involves the human factor,” he says.

“Don’t open emails from odd sources. Don’t open spam. Never click on attachments that look suspicious. Don’t go to nefarious sites,” Hogan says.

But things can happen, he admits.

“Training is never foolproof. People make mistakes. People get lazy. People work long hours and they simply let down their guard,” he says.

Plan for the worst

What happens when a bank does get victimized? It isn’t pretty, Hogan admits.

The best suggestion he has is: Have a plan in place, documented, and easily accessible to the people who need to take action.

Aspects of the plan will vary from bank to bank—but should be constructed with the help of security firms that know the latest threat avenues, trends, how ransomware morphs, and what can be done given the latest circumstances.

Nevertheless, the message is clear. As Hogan says, “Prevention really should be the priority strategy that banks should be seeking.”