How Can Financial Organizations Recover from a Ransomware Attack?

The recent proliferation of ransomware attacks is staggering, and the shift to remote working driven by COVID-19 has exacerbated the situation. One security vendor, Skybox Security, found that ransomware incidents grew by 72% during the pandemic.

It’s likely that your financial institution is already taking the threat of a ransomware attack seriously. But does your firm have a concrete plan to respond to one? Your CISO may be doing everything in their power to ward off attacks, but is your institution equipped to respond should the worst happen? After all, when it comes to cyber breaches, the speed and effectiveness of the response can dramatically mitigate the fallout, whereas a flawed response can lead to significant costs.

In this article, we outline why ransomware is such a massive concern. We also point to some of the key things financial services firms should think about when defending against a ransomware attack. Crucially, we outline what your institution should be doing to ensure that it mounts an effective response that keeps damage to a minimum.

Why Ransomware Is A Major Threat

In critical sectors such as financial services, the anticipated reputational damage of reporting a ransomware attack tends to outweigh the perceived benefits of doing so. The resulting culture of low reporting, combined with the absence of an attack to date, often leads technology leaders to underestimate the tail risk of a ransomware incident. That complacency prevents an organization from building and exercising the incident readiness plan needed to combat an attack, and when ransomware incident planning fails, remediation costs can be extremely high.

For instance, in what may be the most expensive cyberattack of 2020, the Danish company ISS World may need to spend over $100 million on remediation following a ransomware attack. Similarly, the U.S. multinational Cognizant estimated that it would spend up to $70 million on incident recovery expenses after a ransomware attack.

As organizations embrace the benefits of digital transformation, the ransomware threat has rapidly graduated into a business risk. According to Arctic Wolf’s 2020 Security Operations Annual Report, financial institutions saw a 520% increase in ransomware and phishing attempts between March and June 2020 alone. Such staggering statistics should concern all organizational leaders, not just technology leaders.

5 Critical Steps to Take After a Ransomware Attack

1. Think twice before paying the ransom

Though a full treatment of the pros and cons of paying is beyond the scope of this article, the question deserves careful thought. First, paying does not guarantee the release of your data. And once money changes hands, you may simply mark yourself as a more attractive target for threat actors.

A bigger concern is the legal and compliance implications of paying a ransom, because governments are beginning to impose restrictions on organizations that do so. For instance, in October 2020 the U.S. Department of the Treasury issued an advisory warning that organizations that pay, or facilitate payment of, ransoms to threat actors on its sanctions list may themselves face penalties. Of course, if your institution is sufficiently prepared for an attack, there should be no need to pay a ransom at all.

2. Zero in on ‘patient zero’

Identify the system where the attack began (patient zero) and the path by which it spread. This lets IT teams trace the origin of the attack and contain the damage while leaving time for risk assessment. How quickly patient zero is found determines how quickly the organization can stop the bleeding before it spreads across the enterprise network. Isolating and quarantining affected systems, starting with patient zero, is crucial to subduing the attack.

3. Restore your operations and limit damage after a ransomware attack

Once your systems are offline, you need to take steps to assess the damage. What data has been encrypted? Do you have recent backups of this data? Is there a risk that the attack could spread if your systems go online again?

In many cases, you will need to rapidly start restoring your technology assets — starting with backups. You may also need to restore entire machines — including desktops. Your company is likely reliant on virtual desktops to provision a variety of solutions.
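As an added example (not from the original article or any vendor product), the following Python script carries out the triage described under steps 2 and 3 over constructed endpoint telemetry: it finds patient zero from the first encryption event per host, orders the spread, builds an isolation list that also includes hosts that received a logon from an already-infected host, and picks, per host, the latest backup snapshot taken before encryption began, rejecting snapshots that would themselves contain encrypted files. The log format, host names, account names and timestamps are all invented for the illustration.

```python
"""Ransomware triage over endpoint telemetry: find patient zero, order the
spread, decide what to isolate, and pick a clean restore point per host.

Added example for this article; not part of the original text or any vendor
product. The telemetry format, hosts and timestamps below are constructed.
"""
from datetime import datetime

# Constructed sample: one event per line, "timestamp|host|event|detail".
# ENCRYPT = mass rename to a ransom extension, RANSOM_NOTE = note dropped,
# LOGON = interactive/remote logon, BACKUP = snapshot completed.
TELEMETRY = """\
2020-12-01T02:10:00Z|FIN-WS-114|LOGON|from=external-vpn user=jdoe
2020-12-01T02:14:30Z|FIN-WS-114|ENCRYPT|count=4312 ext=.locked
2020-12-01T02:15:02Z|FIN-WS-114|RANSOM_NOTE|path=C:\\Users\\jdoe\\README.txt
2020-12-01T02:20:11Z|FIN-FS-01|LOGON|from=FIN-WS-114 user=svc_backup
2020-12-01T02:31:45Z|FIN-FS-01|ENCRYPT|count=188230 ext=.locked
2020-12-01T02:40:00Z|FIN-FS-01|BACKUP|snapshot=nightly-2020-12-01
2020-12-01T02:52:09Z|FIN-APP-07|LOGON|from=FIN-FS-01 user=svc_backup
2020-12-01T02:58:40Z|FIN-APP-07|ENCRYPT|count=9021 ext=.locked
2020-11-30T01:00:00Z|FIN-FS-01|BACKUP|snapshot=nightly-2020-11-30
2020-11-30T01:05:00Z|FIN-APP-07|BACKUP|snapshot=nightly-2020-11-30
2020-12-01T03:10:00Z|FIN-WS-203|LOGON|from=FIN-FS-01 user=svc_backup
"""

IMPACT_EVENTS = {"ENCRYPT", "RANSOM_NOTE"}


def parse_events(text):
    """Parse the pipe-delimited telemetry into dicts sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, kind, detail = line.split("|", 3)
        events.append({
            "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "host": host, "kind": kind, "detail": detail,
        })
    events.sort(key=lambda e: e["ts"])
    return events


def _field(detail, key):
    """Pull key=value out of the free-form detail string."""
    for part in detail.split():
        k, _, v = part.partition("=")
        if k == key:
            return v
    return None


def first_impact_by_host(events):
    """Earliest encryption/ransom-note timestamp per host."""
    first = {}
    for e in events:
        if e["kind"] in IMPACT_EVENTS and e["host"] not in first:
            first[e["host"]] = e["ts"]
    return first


def patient_zero(events):
    first = first_impact_by_host(events)
    return min(first, key=first.get)


def spread_order(events):
    first = first_impact_by_host(events)
    return sorted(first, key=first.get)


def containment_scope(events):
    """Hosts to isolate: every impacted host, plus any host that received a
    logon *from* an impacted host after that host's first impact. Such a
    host may be encrypted next even if nothing has fired on it yet."""
    first = first_impact_by_host(events)
    scope = set(first)
    for e in events:
        if e["kind"] != "LOGON":
            continue
        src = _field(e["detail"], "from")
        if src in first and e["ts"] >= first[src]:
            scope.add(e["host"])
    return sorted(scope)


def clean_restore_points(events):
    """Latest backup per impacted host taken strictly before that host's
    first impact. A snapshot taken after encryption started would restore
    encrypted files, so it is rejected; None means rebuild from scratch."""
    first = first_impact_by_host(events)
    best = {host: None for host in first}
    for e in events:
        if e["kind"] != "BACKUP" or e["host"] not in first:
            continue
        if e["ts"] < first[e["host"]]:
            snap = _field(e["detail"], "snapshot")
            if best[e["host"]] is None or e["ts"] > best[e["host"]][1]:
                best[e["host"]] = (snap, e["ts"])
    return {h: (v[0] if v else None) for h, v in best.items()}


if __name__ == "__main__":
    ev = parse_events(TELEMETRY)
    print("patient zero:", patient_zero(ev))
    print("spread order:", spread_order(ev))
    print("isolate now:", containment_scope(ev))
    for host, snap in clean_restore_points(ev).items():
        print(f"{host}: restore from {snap or 'NO CLEAN BACKUP, rebuild'}")
```

Two points the output makes that the prose does not: the file server’s nightly snapshot that completed at 02:40 is useless because encryption there began at 02:31, so the previous night’s snapshot is the real restore point; and FIN-WS-203 belongs on the isolation list even though no encryption has been observed on it, because it accepted a logon from the compromised file server with the same service account that carried the infection there.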

An automated bare-metal deployment solution can help by enabling you to easily restore virtual desktop infrastructure (VDI) at the click of a button; a much faster and simpler alternative to manually rebuilding machines from scratch.

It is also critical that your institution immediately puts into place countermeasures to ensure that a similar attack cannot occur again. In other words, find out why the attack happened — and immediately close the door to a repeat attack.

4. Notify regulatory authorities

Organizations must resist the temptation to hide security incidents such as a ransomware attack; doing so can prove costly in fines and, in certain jurisdictions, prison time. Even where public disclosure is not required in your own state or country, your institution must comply with the rules of every jurisdiction in which it conducts business, which often includes notifying clients whose data may have been compromised. Working closely with your legal and public relations teams at this juncture is critical.

5. Communicate with clients

Most of the time, a candid conversation with clients whose data may have been compromised earns sympathy and understanding. Most people accept that state-sponsored threat actors and cybercriminals can disrupt even organizations with top-tier defenses. Clients will not, however, forgive a lack of transparency or recklessness, particularly if it results in financial costs to them.

5 Key Control Measures To Take To Prevent Future Ransomware Attacks

1. Perform thorough testing

As a next step, a penetration test will help identify weak areas in your cybersecurity defenses. Yes, penetration testing takes time, involves a team of experts, and can be costly. That said, a comprehensive penetration test after an attack, including the entry point and paths the attacker actually used, helps minimize the opportunities for a repeat attack.

2. Review and update the cybersecurity measures

For financial services providers, working from home has made endpoints a much more critical part of the cybersecurity picture. Consider using a tool such as aiden to ensure continuous, automated patching, so that unpatched vulnerabilities do not hand an attacker an easy way in.

More broadly, everyday cybersecurity best practices will help your financial institution steer clear of the worst risks, ransomware included. Multi-factor authentication, which requires users to present two or more independent factors to access a service, is a start. Tight control of access permissions and user credentials also matters. Likewise, educating employees about phishing and enforcing a sound password policy narrows the window for a breach.

3. Perform Constant Risk Assessment

Technology assets held for ransom may or may not affect your financial institution’s ability to operate, but the chances are that the impact will be significant. Together with your risk committee, determine which assets are most exposed and which carry the greatest potential loss, so that you can focus your cybersecurity efforts where they matter most.

Importantly, your risk assessment will also give your institution the opportunity to put in place contingency plans if the worst happens and critical infrastructure is taken offline due to a ransomware attack.

4. Revisit your organizational cybersecurity policies, procedures, and guidelines

Financial institutions must ensure that accountability and responsibilities are clearly defined and assigned to named personnel. Validate your KPIs (Key Performance Indicators), KCIs (Key Control Indicators), KRIs (Key Risk Indicators) and other relevant metrics. Involving business heads and application owners in cybersecurity discussions and decision making helps make security part of the organizational culture, so that everyone in the enterprise understands that cybersecurity is everyone’s responsibility.

5. Cybersecurity awareness, education, and training

Financial institutions should not limit cyber-awareness training to their own employees; it should extend to third-party vendors, clients and customers. Initiatives such as information-sharing groups and cyber-ambassador programs can go a long way toward developing a security-aware culture and protecting the organization from ransomware.

Final Thoughts

As a C-level executive, it is up to you to ensure that your organization, including the key stakeholders leading the business, legal, communications and technology teams, is trained in and aware of the intricacies of a ransomware attack. This includes understanding the preventive, detective and corrective countermeasures, technical and administrative, that are necessary to combat such an attack.

Download this PDF for a list of questions that you can ask your CISO to understand whether your response to an attack is on point.

Learn more about how aiden’s automated endpoint management capabilities can help you prevent a ransomware attack — and help your institution get back on its feet should the worst happen.

Originally published at on December 17, 2020.

Creator, Techy, Entrepreneur, Animal Lover, Ocean Enthusiast, Environmentalist