The New Bank Robbers – Ransomware’s Rise in Financial Services

During the pandemic, the cybersecurity risk faced by the financial services sector has shown no signs of slowing down and in fact, in many ways, it’s grown in significance. At the top of the list of security concerns is ransomware, one of the major trends threat researchers have observed across sectors in 2020 so far.

Ransomware becoming a bigger menace to financial services

Financial services and banks are prime targets for ransomware attacks due to the breadth of information they store about their customers. The SEC’s Office of Compliance Inspections and Examinations recently issued an alert warning firms to beware of a rise in ransomware attacks. The OCIE has also seen an increase in the level of sophistication used in ransomware attacks on SEC registrants. These include investment companies, investment advisers and broker-dealers. Attackers usually demand a ransom to maintain the integrity and/or confidentiality of customer data or for the return of control over registrant systems. The OCIE has also seen ransomware attacks affecting service providers to registrants.

Ransomware capitalizes on COVID-19

Attackers have been using COVID-19-themed messages and attachments as lures in a number of different ransomware campaigns. FortiGuard Labs threat researchers tracked three ransomware samples that fell into this category in H1 2020: NetWalker, Ransomware-GVZ, and CoViper. Of the three, CoViper was especially pernicious because it rewrote the computer's master boot record (MBR) before encrypting data. We have seen several attacks in the past where adversaries have used MBR wipers in combination with ransomware to effectively cripple the PC.

In addition, there was an increase in ransomware incidents where adversaries not only locked a victim organization's data but stole it as well and used the threat of widescale release as additional leverage to try to extort a ransom payment. The trend significantly heightens the risks of organizations losing invaluable information or other sensitive data in future ransomware attacks. 

The evolution of ransomware

Globally, no industry was spared from ransomware activity in 2020 so far, including financial services. We’ve also seen the rise of ransomware being sold as a service (RaaS). Ransomware-as-a-Service and other kit-like tools have lowered the entry bar for cybercriminals, enabling even novice attackers to succeed against scattered security infrastructures. And monetary technologies like Bitcoin make it essentially impossible for law enforcement authorities to track ransom payments.

The evolution of certain variants indicates that the situation with ransomware is not going away. By the time one strain has been identified and blacklisted, cyber criminals have already moved to a new variation. The Ryuk and Sodinokibi ransomware families, for example, both contributed to an increase in the ransom amounts demanded by attackers in Q1 of 2020.

An additional and fairly new strategy of ransomware hacktivists is to target and compromise vulnerable business servers. By targeting servers, hackers can identify and target hosts, multiplying the number of potential infected servers and devices on a network. This compresses the attack time frame, making the attack more viral than those that start with an end-user. This evolution could translate into victims paying more for decryption keys and an elongation of the time to recover the encrypted data.

Stemming the ransomware tide

The financial sector faces a greater threat of ransomware than at any previous time. Piecemeal approaches to security are not sufficient to thwart ransomware attacks. Integrated models using next-generation firewalls, layered security, and proactive threat intelligence are critical when mounting a strategic defense. The proliferation of ransomware attacks highlights the need for better approaches—including zero-trust models—for protecting their networks against workers connecting from weakly protected home networks. It also emphasizes the need for defenders to keep an eye on the news to stay ahead of the latest threat types and that users are trained to spot email phishing attacks, which is common vector for ransomware.

The proper tools and intelligence will help financial institutions secure their high-value assets both now and in the future.

Renee Tarun is deputy CISO at Fortinet