Turning the tables: how to improve ransomware defence in the finance sector

John Michael looks at the evolution in ransomware attacks, methods of infiltration and how to fight fire with fire when it comes to banking technology

The financial sector has always been a prime target for ransomware. This is understandable. Disrupting or locking financial systems creates a significant impediment and potentially delivers a massive monetary cost; an attack which threatens to steal sensitive data could cause huge regulatory and reputational damage. And financial institutions can, in theory, afford to pay.

John Michael: makes the case for proper data management

This was the case when a large financial corporation and commercial insurance company, based in the US, found its network locked and a significant amount of employee and customer data held to ransom[1]. At a cost of $40 million the company was able to regain control of its network[2] following the attack, which had been launched using legitimate user credentials following two weeks’ covert reconnaissance[3].

An increasing reliance on the cloud, and on mobile and hybrid working, makes account security and data integrity more difficult to ensure. Every new online tool is an avenue through which an attacker could enter a network and deploy ransomware, and the problem is only set to get worse in 2023.

Hackers know this, and the tactical development of the structure and deployment of modern ransomware means its impact has never been more keenly felt. 46% of those hit by a ransomware attack make the payment, which currently averages US$800,000[4]. What steps, then, can financial firms take to prevent such an attack?

How ransomware infiltrates

To speak plainly, ransomware works. Increasingly, malicious actors will infiltrate finance networks by exploiting zero-day vulnerabilities.

These previously unreported software or protocol vulnerabilities are, by their nature, not looked for – meaning an attacker may be able to intercept network data, steal credentials, or otherwise gain control in a manner which could go completely unnoticed, and which even a robust security upgrade plan wouldn’t cover.

Information on zero-day vulnerabilities is often shared or sold through underground criminal networks – and ransomware’s potential profits mean the value of selling an exploit on the black market can outstrip the rewards of reporting it to a bug bounty program.

Attackers also use phishing attacks to gain legitimate-looking access to a network, which again allows them to operate under the radar. Phishing isn’t new, but many of the techniques now available to hackers are: artificial intelligence (AI) can use a data set of a user’s communications to generate realistic-looking emails, or to emulate the voice patterns of, for example, a CEO, CFO or other senior manager over the telephone.

One successful phishing expedition may be all it takes to gather the passwords required to log in to an account with elevated access, so attackers now regularly study company hierarchies and directly target those whose credentials might be most useful.

The new ransomware landscape

Ransomware’s profitability has caused an increasingly professional structure to grow beneath it. Off-the-shelf or even bespoke ransomware packages are now available through Ransomware-as-a-Service (RaaS) schemes, enabling even non-technical hackers to launch attacks; databases of online credentials and expertise from the cybercrime community are available for a fee.

A level of professionalism is also attached to the post-attack phase, with hackers regularly offering 24/7 support to victims; if paying to recover data is the most attractive option, it is reasonable to suggest that many will chalk up the loss rather than suffer an average of 20 days’ business downtime[5].

But ransomware doesn’t necessarily have to result in downtime. Attack attempts may be inevitable, particularly in the potentially lucrative financial sector. Indeed, a malicious actor may successfully infiltrate your network through any number of means.

But proper data management practices can neutralise the impact of such an attack, ensuring that your business gets back online fast and with minimal disruption, and helping to defend your clients’ data from being stolen.

Turning the tables

There are several important steps to consider in maximising defence against ransomware attacks: create a zero trust culture, one in which every user, resource and asset must prove its security credentials; build policies around data management which put security and safety first for everything from employees to software to data centres; consider everything in the context of a potential attack and generate an architecture that simply isn’t worth the effort of attacking; build on hardware and services which can be securely locked down at a moment’s notice, and which can be restored to full functionality quickly.

The best defence is a good offence. In the case of ransomware, this means using hackers’ key tools against them. A ransomware attack might deny access to your data by encrypting it, but diligently storing that data in an encrypted form in the first place makes it useless to an attacker.
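The point above, that data stored encrypted in the first place is worthless to whoever steals a copy of it, is easy to demonstrate. The following is an added example, not code from the article or from iStorage, and it assumes a simplified model: each record is sealed with AES-256-GCM under a key that the application receives from elsewhere (in the article's recommendation, a hardware-backed store; here the key is simply generated in memory and passed as a parameter). The record on disk holds only the nonce and ciphertext, so a stolen store yields nothing without the key, and GCM's authentication tag also rejects tampered ciphertext rather than returning garbage.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Record is what actually sits in storage: the per-record nonce and the
// authenticated ciphertext. The key is never written alongside it.
type Record struct {
	Nonce      []byte
	Ciphertext []byte
}

// NewKey returns a fresh 256-bit key. In production this would be generated
// and held by an HSM or KMS, not by the application that stores the data
// (assumption for this example: we generate it locally).
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// Seal encrypts plaintext with AES-256-GCM under key, using a random nonce.
func Seal(key, plaintext []byte) (Record, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return Record{}, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return Record{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Record{}, err
	}
	// The nonce is not secret; it is stored next to the ciphertext.
	return Record{Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plaintext, nil)}, nil
}

// Open decrypts a stored record. A wrong key or any modification of the
// ciphertext fails authentication and returns an error.
func Open(key []byte, rec Record) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(rec.Nonce) != gcm.NonceSize() {
		return nil, errors.New("bad nonce length")
	}
	return gcm.Open(nil, rec.Nonce, rec.Ciphertext, nil)
}

// RoundTrip exercises the three outcomes that matter for data theft:
// the legitimate key recovers the data, a different key (all an attacker
// holding only the stolen store can try) fails, and a tampered record fails.
func RoundTrip(plaintext []byte) (recovered []byte, wrongKeyFails, tamperFails bool, err error) {
	key, err := NewKey()
	if err != nil {
		return nil, false, false, err
	}
	rec, err := Seal(key, plaintext)
	if err != nil {
		return nil, false, false, err
	}
	if recovered, err = Open(key, rec); err != nil {
		return nil, false, false, err
	}
	attackerKey, err := NewKey()
	if err != nil {
		return nil, false, false, err
	}
	_, e := Open(attackerKey, rec)
	wrongKeyFails = e != nil
	// Flip one bit of the stored ciphertext and confirm GCM rejects it.
	tampered := Record{Nonce: rec.Nonce, Ciphertext: append([]byte(nil), rec.Ciphertext...)}
	tampered.Ciphertext[0] ^= 0x01
	_, e = Open(key, tampered)
	tamperFails = e != nil
	return recovered, wrongKeyFails, tamperFails, nil
}

func main() {
	// Constructed sample record; not real customer data.
	out, wrongKeyFails, tamperFails, err := RoundTrip([]byte("account=12345678;balance=1000.00"))
	if err != nil {
		panic(err)
	}
	fmt.Printf("recovered=%q wrongKeyFails=%v tamperFails=%v\n", out, wrongKeyFails, tamperFails)
}
```

The design choice worth noting is the separation: the store holds ciphertext and nonces, the key lives elsewhere with its own access controls and audit trail. Ransomware that copies the store gets nothing usable, and ransomware that encrypts it on top simply makes restoring from a clean backup the recovery path.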

A typical attack may restrict access to mission-critical hardware, but if your data is properly air-gapped, a hacker’s own access attempts will be entirely thwarted.

Finally, taking login power out of a hacker’s hands by using multi-factor authentication to protect both your employees’ credentials and their access to data – and, furthermore, making such authentication biometric, remotely managed, and hardware-based – removes any opportunity for a hacker to intercept it through a man-in-the-middle attack.

We may never be able to stop ransomware from happening, but with financial data presenting such a lucrative prize to malicious threat actors, strength lies in maximising defences to make any attack seem like an increasingly unattractive option.


John Michael is CEO of iStorage.