9 in 10 Financial Institutions Targeted by Ransomware
On New Year’s Eve, international travelers encountered a rude surprise when attempting to exchange foreign currency: systems were down—indefinitely.
Travelex, the popular currency exchange service, had been hit by ransomware. That meant all 1,200 Travelex stores, kiosks and counters in 70 countries around the world had been knocked offline.
To make matters worse, several international banks that rely on the service were also disrupted, including HSBC, Barclays and Royal Bank of Scotland. Two weeks later, systems still remained down, causing headaches for travelers and signaling a troubling trend of ransomware attacks on financial institutions.
A $6 million ransom demand
Travelex revealed that it was a victim of Sodinokibi ransomware, also known as REvil and Sodin. Once the malware is running on a machine it escalates to elevated privileges, so it is not confined to the files the logged-in user can reach and can encrypt data across the whole system.
In most ransomware attacks on financial services companies, the attackers remain silent, letting the ransomware do their bidding while hoping that victims will dump the ransom payment into their anonymous cryptocurrency accounts.
But in the case of Travelex, the attackers went public. Hackers claimed to have stolen 5 gigabytes of customer data over six months. And if they didn’t receive the $6 million ransom payment, they would release the data into the wild.
‘A reminder of how fragile these systems are’
It’s unclear if the hackers truly have access to the data, which is reportedly heavily encrypted, and the company has said its “investigation shows that customer data has not been compromised.”
Still, it’s alarming to see how easily a major financial services company can be disrupted by ransomware, causing lasting reverberations for banks and other companies around the world. Two weeks after the attack, Travelex was exchanging currency in some locations, but without the assistance of its computer systems. All calculations were done by hand.
The incident raises questions about other cybersecurity vulnerabilities in the financial sector. A cybersecurity expert told the New York Times, “We would not normally think of a company like Travelex as infrastructure, but clearly it is. A big payment company that has tentacles into hundreds of institutions: It’s a reminder of how fragile these systems are.”
Banks under attack
At this point, businesses are no stranger to ransomware. A report by Forbes found that the typical American business faces 4 million attempted cyberattacks every year (the vast majority of which are filtered by firewalls and anti-virus systems).
But for the financial services industry, it’s far worse. The typical financial services firm faces a billion attempted attacks a year, according to PayPal CEO Dan Schulman.
Another alarming report by a cloud security firm found that 90% of financial institutions have been hit by ransomware.
And, in a 2019 survey of IT providers, the financial sector was found to be among the hardest hit sectors, along with manufacturing, healthcare and professional services.
How ransomware works
Ransomware strains work in different ways, but the underlying goal is typically the same: to encrypt files on your computer systems and demand money for restoring them.
Ransomware rarely stops at one machine. It encrypts every network share the infected host can write to, and worm-capable strains or hands-on attackers push it on to other computers and servers across the network. This is where the attacks become the most destructive, rendering devices inoperable and halting a business’s operations.
Without a robust system of data backups to fall back on, businesses can be sidelined for days. Meanwhile, the costs continue to rise. Each hour of downtime at a large financial institution can cost hundreds of thousands of dollars, and that doesn’t even take into account the ransom demand.
How infections begin
Ransomware typically arrives in one of three ways:
- Malicious file attachments and URLs: The vast majority of attempted ransomware attacks on financial institutions come in the form of email. The emails are often disguised as legitimate communications, such as invoices or statements. But when users open the attachments or click the URLs, their computers are infected with ransomware.
- System vulnerabilities: More sophisticated attacks bypass the user altogether, exploiting vulnerabilities in the operating system, in applications or in services exposed to the internet; no attachment has to be opened. This was the method attackers used in the Travelex ransomware attack, and it is how the 2017 WannaCry and NotPetya outbreaks spread from machine to machine through an unpatched Windows file-sharing (SMB) flaw.
- Malicious advertising / malvertising: In this method, hackers use rich-media ads to deliver the ransomware to unsuspecting users. In many cases, the ads and ad networks are compromised by attackers on legitimate websites. One high-profile example was the 2016 malvertising attack that hit visitors on websites for the New York Times, NFL, AOL and other sites.
Why banks? Big money
It’s no secret why cybercriminals attack financial institutions with ransomware. The potential for a big payoff is hard to pass up.
Savvy ransomware hackers are known for going after industries with the most sensitive data. That includes not just banks, but also medical facilities, insurance companies, government agencies, manufacturers – organizations that can’t survive without their data.
It can be a lucrative strategy for the hackers, because vulnerable companies will be more willing to pay to get their data back. The average ransom demand is $5,900, according to figures from Datto, but hackers will sometimes ask for staggering sums.
In 2017, a South Korean web host reportedly paid a $1 million ransom to restore its data. Last year, the city of Riviera Beach, Florida, paid its attackers roughly $600,000 in bitcoin.
A critical need for business continuity
Maintaining business continuity in the financial services industry is more important than ever.
As we saw during the Travelex attack, a disruption at a single company can have widespread effects across the industry. Financial firms sometimes rely on each other’s systems, so if one service goes down, others do as well. Additionally, bank disruptions can have reverberating effects on global financial markets, especially if investors see reason to panic.
Small community banks must also focus on their own survival. An extended outage can create insurmountable financial challenges, not to mention a long-term negative impact on the company’s credibility.
Federal regulations add more layers of complexity, requiring banks to comply with rules for handling sensitive data.
For these reasons and others, financial organizations face enormous pressure to keep operations running at all costs. And doing so is nearly impossible without the right continuity planning and infrastructure.
How banks can prevent a ransomware infection
Having a robust data backup system is the most important layer of defense against ransomware attacks, and we’ll dig more into those solutions in a minute. But first, there are many things a financial institution can do to prevent an infection from occurring in the first place.
Since ransomware typically preys on unsuspecting users and unsecured computers, businesses can vastly reduce risk by addressing both.
To prevent employees from being duped by malicious emails, all staff should undergo cybersecurity training at least once a year.
Users should be trained on how to identify suspicious messages and how to handle them if they can’t confirm the sender. Also, emphasize the risk of phishing scams: what they look like, how to tell if messages are legitimate, and how to know when it’s okay to open any attachments or URLs.
Be sure that employees know what’s at stake. Explain how ransomware works and the impact it can have on the company.
In the event that a user’s computer is compromised, you want to prevent the infection from spreading across the network. Ransomware encrypts files with whatever permissions the compromised account holds, so file-access controls directly limit how much data it can reach.
Applying the concept of “least privilege,” prevent user accounts from accessing file directories they don’t need. Each user should have access only to the files required for their day-to-day job responsibilities, and if they don’t need write access, they shouldn’t have it. Read access still lets data be copied out (the theft the Travelex attackers claimed), but only write access lets it be encrypted.
Thus, when an infection originates in an account with limited file access, it may not be able to go very far. Review group memberships and share permissions regularly, because access tends to accumulate as people change roles.
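To make the least-privilege argument concrete, here is an added example (not code from the original article): a toy model of a file server in which each share grants read or write to groups, and a ransomware process running as a compromised teller account can encrypt only what that account can write. The share layout, group names, file counts and the "write needs" table are constructed assumptions; the audit function at the end reports write grants that no documented need justifies, which is the check to run against real share ACLs.

```python
"""Blast radius of one compromised account under two permission models."""
# Added example, not code from the original article. The share layout, groups,
# file counts and role needs below are constructed for illustration.

# Share path -> {group: "r" | "rw"}: the least-privilege layout.
LEAST_PRIVILEGE_ACL = {
    "/finance/ledgers":     {"finance": "rw", "audit": "r"},
    "/finance/reports":     {"finance": "rw", "tellers": "r", "audit": "r"},
    "/branch/teller-forms": {"tellers": "rw"},
    "/hr/personnel":        {"hr": "rw"},
    "/it/backups":          {"backup-svc": "rw"},
    "/public/templates":    {"everyone": "r"},
}
# The same layout with the common shortcut: every share writable by everyone.
FLAT_ACL = {path: {"everyone": "rw"} for path in LEAST_PRIVILEGE_ACL}
# Files per share (constructed), so the damage is countable.
FILE_COUNTS = {"/finance/ledgers": 12000, "/finance/reports": 4500,
               "/branch/teller-forms": 800, "/hr/personnel": 2100,
               "/it/backups": 30000, "/public/templates": 150}
# Group -> shares it must write for day-to-day work (constructed).
WRITE_NEEDS = {"finance": {"/finance/ledgers", "/finance/reports"},
               "tellers": {"/branch/teller-forms"},
               "hr": {"/hr/personnel"},
               "backup-svc": {"/it/backups"}}


def effective_access(groups, perms):
    """Highest permission any of the account's groups holds on one share."""
    return max((perms.get(g, "") for g in groups), key=len)


def exposure(groups, acl, counts=FILE_COUNTS):
    """Files a ransomware process running as this account could encrypt (write)
    and could read out over the network (steal), given the ACL."""
    encryptable = readable = 0
    for path, perms in acl.items():
        level = effective_access(groups, perms)
        if "w" in level:
            encryptable += counts[path]
        if "r" in level:
            readable += counts[path]
    return {"encryptable": encryptable, "readable": readable,
            "total": sum(counts.values())}


def excess_write_grants(acl, needs=WRITE_NEEDS):
    """Write grants with no documented need: the least-privilege findings."""
    return sorted((path, group)
                  for path, perms in acl.items()
                  for group, level in perms.items()
                  if "w" in level and path not in needs.get(group, set()))


if __name__ == "__main__":
    teller = ("tellers", "everyone")
    for label, acl in (("least privilege", LEAST_PRIVILEGE_ACL), ("flat", FLAT_ACL)):
        print(label, exposure(teller, acl), "excess grants:", excess_write_grants(acl))
```

Under the least-privilege layout the teller account can encrypt 800 files and read 5,450; under the flat layout the same account can encrypt and read all 49,550, including the backup share. Granting the teller group write on a share it only reads (a typical permissions drift) shows up in excess_write_grants before an infection does.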
Firewalls, filters and anti-malware
Firewalls and email filtering can go a long way toward keeping malware at bay. These systems should do the heavy lifting of preventing ransomware and other threats from entering your network.
In the event that malicious files get through, anti-malware systems are the next line of defense. Whether a user visits an infected website, opens a bad email attachment or inadvertently installs malicious software, a good anti-malware solution should block the malware before it executes. No filter or scanner catches everything, however, which is why backups remain the final safeguard.
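The attachment and link lures listed under “How infections begin” and the email filtering described here come together in the following added example (not code from the original article or from any vendor it names): a minimal policy check of the kind a mail filter runs before delivery, using only the Python standard library. It blocks executable and double-extension attachments, holds macro-enabled documents and archives for inspection, and blocks links whose visible URL points at a different host than the real target. The extension lists, the link rule and both sample messages are constructed assumptions.

```python
"""Triage an inbound e-mail for the attachment and link lures described above."""
# Added example, not code from the original article or any vendor it names: a
# minimal policy check of the kind a mail filter runs before delivery. The
# extension lists, the link rule and both sample messages are constructed
# assumptions for illustration.
import email
import re
from email import policy
from urllib.parse import urlparse

# Names that should never reach a user as an attachment.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".js", ".jse", ".vbs", ".hta", ".ps1",
                      ".bat", ".cmd", ".lnk", ".iso", ".jar"}
# Office formats that can carry VBA macros: hold for inspection.
MACRO_EXTENSIONS = {".docm", ".xlsm", ".pptm", ".xlsb", ".dotm"}
# Archives are how the above slip past naive extension filters.
ARCHIVE_EXTENSIONS = {".zip", ".rar", ".7z", ".gz"}
# Harmless-looking extensions placed in front of the real one ("invoice.pdf.exe").
DECOY_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg"}

ANCHOR_RE = re.compile(r'<a\b[^>]*\bhref="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)


def _extensions(filename):
    """All extensions of a name, lower-cased: 'Q4.pdf.exe' -> ['.pdf', '.exe']."""
    return ["." + p for p in filename.lower().split(".")[1:]]


def _host(url):
    return (urlparse(url).hostname or "").lower()


def triage_message(raw):
    """Return (action, reason) findings for one raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        exts = _extensions(name)
        if not exts:
            continue
        if exts[-1] in BLOCKED_EXTENSIONS:
            findings.append(("block", f"executable attachment: {name}"))
        elif exts[-1] in MACRO_EXTENSIONS:
            findings.append(("quarantine", f"macro-enabled document: {name}"))
        elif exts[-1] in ARCHIVE_EXTENSIONS:
            findings.append(("quarantine", f"archive needs inspection: {name}"))
        if len(exts) > 1 and exts[-2] in DECOY_EXTENSIONS:
            findings.append(("block", f"double extension hides file type: {name}"))
    # Links whose visible text is a URL on one host but whose target is another.
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body is not None else ""
    for href, label in ANCHOR_RE.findall(html):
        shown = URL_RE.findall(label)
        if shown and _host(shown[0]) != _host(href):
            findings.append(("block", f"link text {shown[0]} points to {href}"))
    return findings


def verdict(findings):
    """Collapse findings to the filter's decision: block, quarantine or deliver."""
    if any(action == "block" for action, _ in findings):
        return "block"
    return "quarantine" if findings else "deliver"


# Constructed lure: mismatched link plus a double-extension executable.
LURE_EML = """\
From: "Accounts Payable" <ap@example-bank-invoices.test>
To: treasury@example.test
Subject: Overdue statement - action required
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Review the attached statement or view it at
<a href="http://203.0.113.7/login">https://portal.example.test/statement</a></p>
--b1
Content-Type: application/octet-stream; name="Statement_Q4.pdf.exe"
Content-Disposition: attachment; filename="Statement_Q4.pdf.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA
--b1--
"""

# Constructed legitimate message: plain text with a real PDF attachment.
CLEAN_EML = """\
From: statements@example.test
To: treasury@example.test
Subject: October statement
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: text/plain; charset="utf-8"

Your October statement is attached.
--b2
Content-Type: application/pdf; name="statement-2019-10.pdf"
Content-Disposition: attachment; filename="statement-2019-10.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--b2--
"""
```

Running triage_message(LURE_EML) yields three findings (executable attachment, double extension, mismatched link) and verdict "block"; CLEAN_EML produces no findings and is delivered. A real gateway would also detonate archives and macro documents in a sandbox rather than only quarantining them, and would check the sender domain against SPF and DKIM; those steps are outside this example.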
Robust disaster recovery solutions
Last October, the FBI warned businesses about the growing threat of ransomware, saying that a “robust system of backups” is “the most important defense for any organization against ransomware.”
Financial institutions must have the ability to rapidly restore backups, including applications, file data, folder structure and operating systems. Features like backup virtualization and Rapid Rollback, available on the Datto SIRIS, enable businesses to capture their entire infrastructure every few minutes and quickly revert the file changes made by a ransomware attack without a full backup restore. Backups only help if the ransomware cannot reach them: the backup repository should not be writable from ordinary user accounts or from the servers it protects, and at least one copy should be kept offline or off-site.
Datto’s systems also have built-in ransomware detection, which alerts on signs of an attack in each new backup so IT managers can take swifter action when an infection occurs.
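As an added example of how detection on backup data can work in principle (this is not Datto’s detection logic, which the article does not describe, nor code from the original page), the script below compares two in-memory snapshots of a share and flags three common indicators: files that vanish and reappear with an extra extension, content whose byte entropy jumps from text-like to ciphertext-like, and a ransom-note file. The thresholds, the entropy heuristic and both snapshots are constructed assumptions.

```python
"""Flag ransomware activity in the delta between two backup snapshots."""
# Added example, not the detection built into any vendor's product (the article
# does not describe how that works). The indicators used here, a bulk rename with
# an appended extension, a jump in file entropy toward ciphertext, and a ransom
# note, are common heuristics; thresholds and the snapshots are constructed.
import hashlib
import math
from collections import Counter


def shannon_entropy(data):
    """Bits per byte: plain text sits around 4-5, encrypted data close to 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def _looks_like_ransom_note(content):
    text = content.lower()
    return b"decrypt" in text and (b"bitcoin" in text or b"payment" in text)


def snapshot_diff_alerts(before, after, entropy_threshold=7.0, bulk_ratio=0.5):
    """Compare two {path: bytes} snapshots and return indicators plus a verdict."""
    removed = set(before) - set(after)
    added = set(after) - set(before)
    # A file that vanished and reappeared as "<name>.<ext>" was encrypted in place.
    renamed = {old: new for old in removed for new in added if new.startswith(old + ".")}
    high_entropy = [new for new in renamed.values()
                    if shannon_entropy(after[new]) >= entropy_threshold]
    # Modified in place, going from text-like to ciphertext-like.
    jumped = [p for p in before.keys() & after.keys()
              if before[p] != after[p]
              and shannon_entropy(before[p]) < 5.0
              and shannon_entropy(after[p]) >= entropy_threshold]
    notes = [p for p in added - set(renamed.values()) if _looks_like_ransom_note(after[p])]
    ratio = (len(high_entropy) + len(jumped)) / max(len(before), 1)
    flagged = ratio >= bulk_ratio or bool(notes)
    return {"renamed": sorted(renamed.values()),
            "entropy_jump": sorted(high_entropy + jumped),
            "ransom_notes": sorted(notes),
            "ratio": ratio,
            "flagged": flagged,
            "action": "hold snapshot, isolate host, roll back to last clean point"
                      if flagged else "none"}


def _ciphertext(seed, blocks=32):
    """Deterministic high-entropy bytes standing in for encrypted content (constructed)."""
    return b"".join(hashlib.sha256(f"{seed}:{i}".encode()).digest() for i in range(blocks))


# Constructed baseline: six low-entropy spreadsheets.
SNAPSHOT_T0 = {f"/finance/reports/q{i}.xlsx": f"Quarterly ledger {i}\n".encode() * 50
               for i in range(1, 7)}
# Ordinary activity: one file grows by a line.
SNAPSHOT_CLEAN = dict(SNAPSHOT_T0)
SNAPSHOT_CLEAN["/finance/reports/q1.xlsx"] += b"Adjusted entry 17\n"
# Infected: every file replaced by ciphertext under a new extension, plus a note.
SNAPSHOT_INFECTED = {p + ".locked": _ciphertext(p) for p in SNAPSHOT_T0}
SNAPSHOT_INFECTED["/finance/reports/HOW-TO-DECRYPT.txt"] = (
    b"Your files are encrypted. Send 2 bitcoin to the address below to decrypt them.")

if __name__ == "__main__":
    print("clean:", snapshot_diff_alerts(SNAPSHOT_T0, SNAPSHOT_CLEAN))
    print("infected:", snapshot_diff_alerts(SNAPSHOT_T0, SNAPSHOT_INFECTED))
```

The clean delta stays below every threshold, while the infected delta shows all six files renamed with high-entropy content (ratio 1.0) and a ransom note, so the snapshot is held rather than allowed to overwrite the last clean point. The bulk_ratio guard is what keeps a single legitimately compressed or encrypted file from tripping the alert; tune it to the share’s normal churn.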
Keep systems patched and updated
Outdated, unpatched systems are a recipe for disaster.
All operating systems, software and devices should be updated on a regular basis, ideally as soon as updates are released, with internet-facing systems first, since those are the ones attackers scan for. Set updates to apply automatically or use a patch management system to streamline updates across the organization.
Be proactive: update your data backup systems ASAP
For more information on business continuity and disaster recovery solutions designed to safeguard financial institutions from ransomware, request a free demo or contact our specialists at Invenio IT. Call (646) 395-1170 or email success@invenioIT.com.