How Can Financial Organizations Recover from A Ransomware Attack?
The recent proliferation of ransomware attacks is staggering; the virtual working environment, driven in part by the way COVID-19, exacerbated the situation. One security vendor, Skybox Security, found that, thus far, ransomware incidents grew by 72% throughout the pandemic.
It’s likely that your financial institution is already taking the threat of a ransomware attack seriously. But does your firm have a concrete plan to respond to a ransomware attack? Your CISO may be doing everything in their power to ward off attacks — but is your institution equipped to respond should the worst happen? After all, when it comes to cyber breaches, the speed, and effectiveness of the response can dramatically mitigate the fallout — whereas a flawed response can lead to significant costs.
In this article, we outline why ransomware is such a massive concern. We also point to some of the key things financial services firms should think about when defending against a ransomware attack. Crucially, we outline what your institution should be doing to ensure that it mounts an effective response to a ransomware attack that limits damage to the minimum.
Why Ransomware Is A Major Threat
Although ransomware attacks do make the headlines, the volume of reporting does not accurately reflect the severity or losses associated with said attack. It is common for companies to withhold relevant information about the impact of a ransomware attack — especially in cases where a ransom payment can be easily facilitated to ascertain some semblance of normalcy. As such, many ransomware attacks are often not reported to the police .
In critical infrastructures, such as financial services, the projected reputational damages of reporting a ransomware attack tends to outweigh the benefits of doing so . Therefore, such culture leads to a situation whereby the absence of an actual attack and a low level of reporting often leads to tech leaders underestimating the upward risks associated with a ransomware attack — this level of recklessness prevents an organization from exercising the proper incident readiness plan required to combat an attack. And when ransomware security incident planning fails, the remediation costs can be extremely high.
For instance, in what could be the most expensive cyberattack in 2020 , Danish company, ISS World may need to spend over $100 million in remediation procedures due to a ransomware attack. Similarly, U.S. multinational company, Cognizant, , due to a ransomware attack. estimated to spend up to $70 million in incident recovery expenses
As organizations begin to embrace the benefits of digital transformation , ransomware threat has rapidly graduated into a business risk. According to Arctic Wolf’s 2020 Security Operations Annual Report , financial institutions saw a 520% increase in ransomware and phishing attempts between March and June 2020 alone. Such staggering statistics are cause for concern by all organizational leaders — not just technology leaders.
5 Critical Steps to Take After a Ransomware Attack
The ransomware attack across critical sectors, including financial services, is no longer a matter of “if, rather “when.” In today’s Information Age, every organization with a digital footprint is at risk of being compromised. Below are a few steps that organizations must take into consideration:
1. Think twice before paying the ransom
Meeting ransomware demands may, in some instances, be the fastest route to recovering your data and operations, but it is not the only route. When Finastra’s North American operations were attacked, the company opted to take servers offline , instead of meeting ransom demands. The company survived the ransomware attack without paying any ransom, and the response is a testament to preparedness and mitigating measures.
Though the pros and cons of making a ransomware payment are beyond the scope of this article, it is worth considering. First, it should be obvious that making a payment does not guarantee the release of your data. In many cases, whenever money exchanges hands in a ransom payment scheme, you may simply become a more attractive target to threat actors.
Additionally, a bigger concern is the legal and compliance implications of paying a cyberattack-related ransom because nations are now beginning to place hefty restrictions on organization as it relates to paying ransoms. For instance, in October 2020, the Department of Treasury introduced a directive that aims to impose sanctions against companies that pay ransoms associated with certain threat actors listed on the U.S. government’s ‘black list.’ Of course, if your institution is sufficiently prepared for an attack, there would be no need to pay a ransom.
2. Zero-down on the ‘Patient Zero.’
Yes, you read that correctly. Determining the ‘patient zero’ — discovering the entity who first reported or noticed a suspicious activity — could be a critical step in curbing the effects of a ransomware attack. As such, organizations must identify the application or host that was first infected and investigate associated data sources, configurations, and compromised endpoints.
These comprehensive actions will help IT teams to trace the origin of said attack as well as contain the damages while allowing sufficient time for risk assessment procedures. Discovering patient zero earlier on determines how fast an organization is able to stop the bleeding before it spreads throughout the enterprise network. System quarantining and isolation is extremely crucial in subduing patient zero.
3. Restore your operations and limit damage after a ransomware attack
Considering how to recover from a ransomware attack, you must assume that the stolen data won’t be released in its original form — even after paying the ransom. Here, Finastra’s approach to taking systems offline is an excellent example of the first step — offline systems cannot be manipulated remotely.
Once your systems are offline, you need to take steps to assess the damage. What data has been encrypted? Do you have recent backups of this data? Is there a risk that the attack could spread if your systems go online again?
In many cases, you will need to rapidly start restoring your technology assets — starting with backups. You may also need to restore entire machines — including desktops. Your company is likely reliant on virtual desktops to provision a variety of solutions.
An automated bare-metal deployment solution can help by enabling you to easily restore virtual desktop infrastructure (VDI) at the click of a button; a much faster and simpler alternative to manually rebuilding machines from scratch.
It is also critical that your institution immediately puts into place countermeasures to ensure that a similar attack cannot occur again. In other words, find out why the attack happened — and immediately close the door to a repeat attack.
4. Notify regulatory authorities
In the FinCEN advisory covering ransomware , one of the key points was the need to alert regulatory authorities of a ransomware attack. In some cases, a financial institution may need to file a Suspicious Activity Reports (SARs) — this requirement extends to financial institutions that do not deal with the public. Even a private equity firm, for example, may have to notify authorities if an attack occurred.
It is imperative that organizations ignore the temptation to hide the occurrence of security incidents, such as a ransomware attack, because doing so could prove to be costly in terms of hefty fines and prison time (in certain jurisdictions). Although a public disclosure of a ransomware attack may not be required in your state or nation, institutions must ensure that they are in compliance with other jurisdictions where they conduct business in — this often includes alerting clients whose data may have been compromised. Working with your organization’s legal team as well as the public relations team is critical at such juncture.
5. Communicate with clients
A ransomware attack may not immediately impact operations, but if it does impact clients, then it is better to start communicating with clients in an honest manner sooner rather than later. This includes a frank discussion about the ways in which clients may be affected. After all, your institution’s reputation is on the line.
The majority of time, having a candid conversation with clients whose data may have been compromised in a cyberattack garners sympathy and understanding. Most people understand that state-sponsored threat actors or cybercriminals are bent on causing disruption even for organizations with top-tier defenses. However, clients will not be understanding of the lack of transparency or recklessness — particularly if it leads to financial expenses levied upon your clients.
5 Key Control Measures To Take To Prevent Future Ransomware Attacks
1. Perform thorough testing
Double-check that the door that opened the opportunity for an attack (in other words, the vulnerability that was exploited by the attacker) is now closed. You don’t want to get hit in the same spot twice. It is also critical that your institution undergoes a thorough round of basic cybersecurity testing. A vulnerability scanner, for example, will quickly highlight the most obvious cybersecurity risks — and even rank it according to severity.
As a next step, penetration testing will help identify weak areas in your cybersecurity defenses. Yes, penetration testing takes longer to complete, can involve a team of experts — and may be costly. That said, performing a comprehensive penetration testing exercise after an attack will ensure that you minimize the opportunities for a further attack.
2. Review and update the cybersecurity measures
It’s a well-known fact that vulnerabilities that are not repaired (or patched, in tech-speak) are one of the most common ways in which malevolent actors can find an entry point into your technology assets. Indeed, an automated tool that scans for vulnerabilities will quickly highlight many vulnerabilities that exist purely because your patching efforts are incomplete. In terms of patching, automation is your institution’s best bet — including on endpoints. Endpoints are devices used at the edge of your network — including personal computers, mobile phones, and even sensors.
Indeed, for financial services providers, working from home has meant that endpoints are becoming a much more critical part of the cybersecurity picture. Consider using a tool such as aiden to ensure continuous, automated patching to minimize the risk of unrepaired vulnerabilities leading to attack success.
In the broad, everyday cybersecurity best practices will help your financial institution steer clear of the worst cybersecurity risks — including ransomware. Multi-factor authentication, where users are required to use two types of authentication to access services, is a start. Tight control of access permissions and user credentials also matter. Similarly, educating employees about the risks of phishing attacks and a safe password policy will limit the window for a cybersecurity breach.
3. Perform Constant Risk Assessment
The ransomware attack will have exposed how and why your financial institution is at risk of cybercrime. As a final step, do a comprehensive risk assessment. Here, your technology teams must collaborate with your institution’s risk committee.
Tech assets kept at ransom may or may not have a significant implication on your financial institution’s ability to operate. But the chances are that the impact will be significant. Alongside your risk committee, you can determine which assets are most at risk — and which assets carry the biggest threat of loss. In doing so, you can focus your cybersecurity efforts where it matters the most.
Importantly, your risk assessment will also give your institution the opportunity to put in place contingency plans if the worst happens and critical infrastructure is taken offline due to a ransomware attack.
4. Revisit your organizational cybersecurity policies, procedures, and guidelines
You must revisit, reevaluate, and refine the cybersecurity policies for any potential gaps, non-compliance, or ambiguity to safeguard your information assets from any potential repeated ransomware attack. Review and revise your information security documentation to ensure that guidelines are not ambiguous, and employees can understand and follow.
Financial institutions must ensure that accountability and responsibilities are clearly defined and assigned to personnel. Validate your organizational KPIs (Key Performance Indicators), KCIs (Key Control Indicators), KRIs (Key Risk Indicators), and other relevant metrics. Involving the business heads, application owners in discussions on cybersecurity matters and in decision making will ensure that security becomes part of organizational culture and everyone in the enterprise knows that cybersecurity is everyone’s responsibility.
5. Cybersecurity awareness, education, and training
Employees are the first line of defense in the cybersecurity chain. Adequately trained employees will not only help protect an organization’s information assets against potential cyber-attacks; they will also know what steps to take to thwart an attack-attempt. A phishing email is the first entry point for a potential ransomware attack. An educated and trained employee will know how to deal with it and report it to the security team for further investigation.
Financial institutions should not limit the cyber-awareness training to just their employees, but it should also be extended to third-party vendors working with them, clients, and customers, etc. Initiatives such as information sharing groups, cyber-ambassadors, etc., could go a long way in developing a security-aware culture within an organization and help protect it from potential ransomware attacks.
Final Thoughts
An organization can recover from a ransomware attack -without paying the ransom, but the extent of the recovery and the speed at which you recover depends on its preparedness level. It starts with post-attack planning and ensuring that the organization is safe from similar attacks and prepared to deal with it if it happens. Transparency about the attack matters too. However, don’t ignore the power of tools: from network defenses right through to consistent, automated patching. And indeed, the tools to rapidly restore compromised assets.
As a C-level executive, it is up to you to ensure that your organization, including other key stakeholders leading the business, legal, communications, and technology teams are all trained and aware of the intricacies of a ransomware attack. This includes understanding the detective, preventive, and corrective countermeasures (technical and/or administratively) that are necessary to combat said attack.
Download this PDF for a list of questions that you can ask your CISO to understand whether your response to an attack is on point.
Learn more about how aiden’s automated endpoint management capabilities can help you prevent a ransomware attack — and help your institution get back on its feet should the worst happen.
Originally published at https://www.meetaiden.com on December 17, 2020.
