After taking a bit of a vacation in 2022, ransomware attacks are back with a vengeance and hitting financial institutions hard.
Last year, as organizations implemented more security controls and better rigor around how they dealt with hackers seeking payouts, successful attacks plunged 61% compared to 2021, according to a report from Delinea, an access management software company. While no security professional in their right mind would have declared victory in combating these threats, the numbers did lead to a general sense of optimism that the industry was finally getting a handle on the costly ransomware scourge.
Not so fast.
In March, for a variety of reasons, everything went haywire. Corvus Insurance, which tracks hacker posts on the dark web, reported a 60% spike in successful ransomware attacks in the early part of 2023 compared to the same period the previous year. More concerning, the company noted a 300% surge in strikes against financial services companies.
Ryan Bell, a threat intelligence manager for Corvus, believes the hacking menace has resurfaced and could wreak all sorts of havoc for banks and other financial institutions.
“With last year’s decline in attacks, I think a lot of people maybe got a little too complacent,” he says. “But spoiler alert: Five months into this year, we are seeing increases again. So, at this point, we’re calling it a trend, not an anomaly.”
What’s driving the trend? Bell and other security experts can only speculate. Some suggest hackers last year were not really defeated but merely distracted by other bright, shiny vulnerabilities tied to Russia’s war with Ukraine. Others theorize improvements in ransomware-as-a-service, sold on the dark web, made it easier for hacking groups to carry out attacks. Still others point to hacking gangs like Russia’s CL0P taking advantage of flaws in common software programs.
While these theories might explain ransomware’s resurgence, the latter point about gangs exploiting known vulnerabilities could be the most significant.
In June, just one week after the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) warned that CL0P had found a serious vulnerability in widely deployed MOVEit file transfer software, the gang launched a massive global attack against U.S. government agencies, schools and universities, media outlets like the BBC, millions of citizens in Louisiana, Oregon, and Illinois, and thousands of companies. [Since this article went to press, the number of victims has continued to grow. As of early July, more than 200 organizations (including the U.S. Department of Health and Human Services, UCLA, and multinational law firm Kirkland & Ellis) are reportedly fighting this breach, which has affected the data of an estimated 17.5 million people.]
In financial services, initial victims reportedly included major U.S. financial institutions, among them 1st Source, First National Bankers Bank, Putnam Investments, and Umpqua Bank. In February, CL0P also claimed to have exploited a zero-day vulnerability in the GoAnywhere MFT secure file transfer tool, affecting more than 130 organizations. The fintech banking platform Hatch Bank acknowledged it fell prey to that attack.
Bell notes the average time between the disclosure of a security vulnerability and hackers exploiting it is now down to two weeks, which doesn’t leave much time for a bank’s chief information security officer (CISO) to respond. In fact, sometimes, hackers are already exploiting a vulnerability before CISOs have had a chance to patch it, he says.
Regardless of the speed or causes of such attacks, security experts say financial institutions can absolutely minimize the potential damage from ransomware by taking these five commonsense precautions:
1. Know your vulnerabilities
It’s vital to be aware of the systems and software you have deployed and to stay current on known vulnerabilities and exploits, especially given the increasing speed of these attacks. Cyber insurers can help with this, says Bell. Indeed, Corvus will frequently scan customer systems (where allowed) to see if policyholders might be affected by known exploits and alert them if that is the case.
2. Use configuration management tools
Jeff Farinich, CISO for the mortgage lender New American Funding, recommends maintaining secure configurations using a variety of configuration management tools on servers and, especially, endpoints. While there’s always the risk of tool sprawl, using two or three can provide a more complete picture of your security posture.
3. Watch for patches and guidance
There won’t always be a security patch available when you need to remediate a zero-day vulnerability in those few weeks after a flaw becomes publicly known. But experts like Farinich say adhering to a strong patching cadence can head off many problems.
With critical vulnerabilities, vendors have often issued updates quickly. Even when they cannot, they usually publish advisories on what to do about the threat in the meantime. For example, with the MOVEit exploit, its maker, Progress Software Corp., initially recommended disabling all HTTP and HTTPS traffic to MOVEit environments until organizations could apply the patch it had developed.
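An added example (not code from the article or from any vendor it names) of the inventory-against-advisory check that precautions 1 and 3 describe: it joins a constructed asset list against constructed advisories, keeps the hosts still below the fixed version, and ranks them by how long they have been exposed relative to the two-week disclosure-to-exploitation gap Bell cites, while crediting an interim workaround such as the HTTP/HTTPS block Progress recommended. Hosts, versions, dates and advisory ids are placeholders, and the "today" date is a constructed value.

```python
from dataclasses import dataclass
from datetime import date

EXPLOIT_WINDOW_DAYS = 14  # average disclosure-to-exploitation gap the article cites
@dataclass(frozen=True)
class Asset:
    host: str
    product: str
    version: str
    interim_mitigation: bool  # vendor workaround applied, e.g. HTTP/HTTPS blocked
@dataclass(frozen=True)
class Advisory:
    ident: str          # placeholder id, not a real advisory number
    product: str
    fixed_version: str  # first build that carries the vendor patch
    disclosed: date
def version_key(v):
    # "1.10.2" -> (1, 10, 2) so versions compare numerically, not as strings
    return tuple(int(p) for p in v.split("."))
def classify(days_exposed, mitigated):
    # Priority bucket for an asset that is still below the fixed version
    if mitigated:
        return "mitigated"  # workaround in place, patch still required
    if days_exposed >= EXPLOIT_WINDOW_DAYS:
        return "overdue"    # past the average exploitation window
    return "urgent"
def exposure_report(inventory, advisories, today):
    # Join inventory against advisories; longest-unmitigated exposure first
    rows = []
    for adv in advisories:
        for asset in inventory:
            if (asset.product != adv.product
                    or version_key(asset.version) >= version_key(adv.fixed_version)):
                continue  # other product, or already on a fixed build
            days = (today - adv.disclosed).days
            rows.append((asset.host, adv.ident, days, classify(days, asset.interim_mitigation)))
    return sorted(rows, key=lambda r: (r[3] == "mitigated", -r[2]))

# Constructed sample data: hosts, versions, dates and ids are illustrative only.
AS_OF = date(2023, 6, 20)  # constructed "today" for the sample run
INVENTORY = [
    Asset("mft-01", "MOVEit Transfer", "1.5.0", False),
    Asset("mft-02", "MOVEit Transfer", "2.0.0", False),
    Asset("mft-03", "GoAnywhere MFT", "7.0.0", True),
    Asset("mft-04", "GoAnywhere MFT", "7.0.0", False),
]
ADVISORIES = [
    Advisory("ADV-PLACEHOLDER-1", "MOVEit Transfer", "2.0.0", date(2023, 6, 1)),
    Advisory("ADV-PLACEHOLDER-2", "GoAnywhere MFT", "7.1.0", date(2023, 6, 12)),
]
```

Running `exposure_report(INVENTORY, ADVISORIES, AS_OF)` lists mft-01 as overdue (19 days, no workaround), mft-04 as urgent and mft-03 as mitigated; mft-02 is already on the fixed build and is not reported.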
4. Pay attention to email
Hackers commonly succeed in launching ransomware attacks by getting unsuspecting employees to click on bogus email links, which clear the way for their illicit digital activities. In fact, corporate losses related to business email compromise (BEC) last year are estimated at more than $10 billion, so it’s vital to have anti-phishing systems in place.
5. Don’t rely solely on MFA
Bell also cautions against believing your multifactor authentication (MFA) will protect you from ransomware attacks. While MFA is light-years better than passwords alone for identity and access management, phishing-as-a-service tools like EvilProxy and Greatness now have powerful MFA bypass capabilities. In short, hackers have adapted.
“If you’re a banking CISO, you have to up your game because the bar to entry for hackers is getting lower for bypassing even basic countermeasures like MFA,” Bell says.